C++: use qualifier flow in more models

2025-12-17 01:03:14 +01:00 · 2020-09-17 18:03:02 -07:00
parent 556ace004f
commit 3a83cc71fe
5 changed files with 38 additions and 18 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/MemberFunction.qll
@@ -21,7 +21,11 @@ class ConversionConstructorModel extends Constructor, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // taint flow from the first constructor argument to the returned object
    input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
  }
 }

@@ -32,7 +36,11 @@ class CopyConstructorModel extends CopyConstructor, DataFlowFunction {
  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    // data flow from the first constructor argument to the returned object
    input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
  }
 }

@@ -43,7 +51,11 @@ class MoveConstructorModel extends MoveConstructor, DataFlowFunction {
  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    // data flow from the first constructor argument to the returned object
    input.isParameter(0) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
  }
 }

--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -38,7 +38,9 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
      input.isParameterDeref(getAValueTypeParameterIndex()) or
      input.isParameter(getAnIteratorParameterIndex())
    ) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    output.isReturnValue()
+    or
+    output.isQualifierObject()
  }
 }

--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -48,7 +48,7 @@ class StdStringConstructor extends Constructor, TaintFunction {
      input.isParameter(getAnIteratorParameterIndex())
    ) and
    (
-      output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+      output.isReturnValue()
      or
      output.isQualifierObject()
    )
@@ -383,7 +383,9 @@ class StdStringStreamConstructor extends Constructor, TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // taint flow from any parameter of string type to the returned object
    input.isParameterDeref(getAStringParameterIndex()) and
-    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+    output.isReturnValue()
+    or
+    output.isQualifierObject()
  }
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -15,10 +15,7 @@
 | arrayassignment.cpp:146:7:146:13 | arrayassignment.cpp:144:12:144:17 | IR only |
 | copyableclass.cpp:67:11:67:11 | copyableclass.cpp:67:13:67:18 | AST only |
 | copyableclass.cpp:67:11:67:21 | copyableclass.cpp:67:13:67:18 | IR only |
-| copyableclass_declonly.cpp:40:8:40:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
-| copyableclass_declonly.cpp:41:8:41:9 | copyableclass_declonly.cpp:35:32:35:37 | AST only |
 | copyableclass_declonly.cpp:42:8:42:9 | copyableclass_declonly.cpp:34:30:34:35 | AST only |
-| copyableclass_declonly.cpp:65:8:65:9 | copyableclass_declonly.cpp:60:56:60:61 | AST only |
 | copyableclass_declonly.cpp:67:11:67:11 | copyableclass_declonly.cpp:67:13:67:18 | AST only |
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
 | movableclass.cpp:65:11:65:21 | movableclass.cpp:65:13:65:18 | IR only |
@@ -97,10 +94,6 @@
 | stringstream.cpp:67:7:67:10 | stringstream.cpp:64:36:64:41 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |
 | stringstream.cpp:100:11:100:11 | stringstream.cpp:100:31:100:36 | AST only |
-| stringstream.cpp:103:7:103:9 | stringstream.cpp:91:19:91:24 | AST only |
-| stringstream.cpp:105:7:105:9 | stringstream.cpp:95:44:95:49 | AST only |
-| stringstream.cpp:121:7:121:9 | stringstream.cpp:113:24:113:29 | AST only |
-| stringstream.cpp:123:7:123:9 | stringstream.cpp:115:24:115:29 | AST only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
@@ -134,10 +127,7 @@
 | taint.cpp:431:9:431:17 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
-| vector.cpp:20:8:20:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:24:8:24:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:28:8:28:8 | vector.cpp:16:43:16:49 | AST only |
-| vector.cpp:33:8:33:8 | vector.cpp:16:43:16:49 | AST only |
+| vector.cpp:24:8:24:11 | vector.cpp:16:43:16:49 | IR only |
 | vector.cpp:52:7:52:8 | vector.cpp:51:10:51:15 | AST only |
 | vector.cpp:53:9:53:9 | vector.cpp:51:10:51:15 | AST only |
 | vector.cpp:54:9:54:9 | vector.cpp:51:10:51:15 | AST only |
@@ -171,4 +161,3 @@
 | vector.cpp:292:7:292:18 | vector.cpp:289:17:289:30 | AST only |
 | vector.cpp:308:9:308:14 | vector.cpp:303:14:303:19 | AST only |
 | vector.cpp:311:9:311:14 | vector.cpp:303:14:303:19 | AST only |
-| vector.cpp:326:7:326:8 | vector.cpp:318:15:318:20 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -24,7 +24,10 @@
 | copyableclass.cpp:65:8:65:9 | s1 | copyableclass.cpp:60:40:60:45 | call to source |
 | copyableclass.cpp:66:8:66:9 | s2 | copyableclass.cpp:63:24:63:29 | call to source |
 | copyableclass.cpp:67:11:67:21 | (reference dereference) | copyableclass.cpp:67:13:67:18 | call to source |
+| copyableclass_declonly.cpp:40:8:40:9 | s1 | copyableclass_declonly.cpp:34:30:34:35 | call to source |
+| copyableclass_declonly.cpp:41:8:41:9 | s2 | copyableclass_declonly.cpp:35:32:35:37 | call to source |
 | copyableclass_declonly.cpp:43:8:43:9 | s4 | copyableclass_declonly.cpp:38:8:38:13 | call to source |
+| copyableclass_declonly.cpp:65:8:65:9 | s1 | copyableclass_declonly.cpp:60:56:60:61 | call to source |
 | copyableclass_declonly.cpp:66:8:66:9 | s2 | copyableclass_declonly.cpp:63:32:63:37 | call to source |
 | format.cpp:57:8:57:13 | Argument 0 indirection | format.cpp:56:36:56:49 | call to source |
 | format.cpp:62:8:62:13 | Argument 0 indirection | format.cpp:61:30:61:43 | call to source |
@@ -142,7 +145,11 @@
 | stringstream.cpp:66:7:66:10 | Argument 0 indirection | stringstream.cpp:63:18:63:23 | call to source |
 | stringstream.cpp:81:7:81:9 | Argument 0 indirection | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:83:11:83:13 | call to str | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:103:7:103:9 | Argument 0 indirection | stringstream.cpp:91:19:91:24 | call to source |
+| stringstream.cpp:105:7:105:9 | Argument 0 indirection | stringstream.cpp:95:44:95:49 | call to source |
 | stringstream.cpp:107:7:107:9 | Argument 0 indirection | stringstream.cpp:100:31:100:36 | call to source |
+| stringstream.cpp:121:7:121:9 | Argument 0 indirection | stringstream.cpp:113:24:113:29 | call to source |
+| stringstream.cpp:123:7:123:9 | Argument 0 indirection | stringstream.cpp:115:24:115:29 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
 | stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:19 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -224,6 +231,13 @@
 | taint.cpp:465:7:465:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
+| vector.cpp:20:8:20:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:24:8:24:8 | call to operator* | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:24:8:24:11 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:28:8:28:8 | x | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | (reference dereference) | vector.cpp:16:43:16:49 | source1 |
+| vector.cpp:33:8:33:8 | x | vector.cpp:16:43:16:49 | source1 |
 | vector.cpp:70:7:70:8 | Argument 0 indirection | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:83:7:83:8 | Argument 0 indirection | vector.cpp:81:17:81:22 | call to source |
 | vector.cpp:109:7:109:8 | Argument 0 indirection | vector.cpp:106:15:106:20 | call to source |
@@ -251,3 +265,4 @@
 | vector.cpp:309:7:309:7 | Argument 0 indirection | vector.cpp:303:14:303:19 | call to source |
 | vector.cpp:312:7:312:7 | Argument 0 indirection | vector.cpp:303:14:303:19 | call to source |
 | vector.cpp:324:7:324:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |
+| vector.cpp:326:7:326:8 | Argument 0 indirection | vector.cpp:318:15:318:20 | call to source |