C++: Model std::set::emplace and emplace_hint.

2025-12-16 16:53:25 +01:00 · 2020-10-12 10:47:08 +01:00
parent 5d87117dc7
commit 4363f08b45
6 changed files with 79 additions and 8 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -49,6 +49,29 @@ class StdSetInsert extends TaintFunction {
  }
 }

+/**
+ * The standard set `emplace` and `emplace_hint` functions.
+ */
+class StdSetEmplace extends TaintFunction {
+  StdSetEmplace() {
+    this.hasQualifiedName("std", ["set", "unordered_set"], ["emplace", "emplace_hint"])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any parameter to qualifier and return value
+    // (here we assume taint flow from any constructor parameter to the constructed object)
+    // (where the return value is a pair, this should really flow just to the first part of it)
+    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+    or
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
 /**
 * The standard set `swap` functions.
 */
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2298,10 +2298,16 @@
 | set.cpp:118:7:118:9 | ref arg s21 | set.cpp:120:7:120:9 | s21 |  |
 | set.cpp:118:7:118:9 | ref arg s21 | set.cpp:121:7:121:9 | s21 |  |
 | set.cpp:118:7:118:9 | ref arg s21 | set.cpp:126:1:126:1 | s21 |  |
+| set.cpp:118:7:118:9 | s21 | set.cpp:118:11:118:17 | call to emplace | TAINT |
+| set.cpp:118:19:118:23 | abc | set.cpp:118:7:118:9 | ref arg s21 | TAINT |
+| set.cpp:118:19:118:23 | abc | set.cpp:118:11:118:17 | call to emplace | TAINT |
 | set.cpp:118:26:118:30 | first | set.cpp:118:7:118:30 | call to iterator |  |
 | set.cpp:119:7:119:9 | s21 | set.cpp:119:7:119:9 | call to set |  |
 | set.cpp:120:7:120:9 | ref arg s21 | set.cpp:121:7:121:9 | s21 |  |
 | set.cpp:120:7:120:9 | ref arg s21 | set.cpp:126:1:126:1 | s21 |  |
+| set.cpp:120:7:120:9 | s21 | set.cpp:120:11:120:17 | call to emplace | TAINT |
+| set.cpp:120:19:120:24 | call to source | set.cpp:120:7:120:9 | ref arg s21 | TAINT |
+| set.cpp:120:19:120:24 | call to source | set.cpp:120:11:120:17 | call to emplace | TAINT |
 | set.cpp:120:29:120:33 | first | set.cpp:120:7:120:33 | call to iterator |  |
 | set.cpp:121:7:121:9 | s21 | set.cpp:121:7:121:9 | call to set |  |
 | set.cpp:122:7:122:9 | ref arg s22 | set.cpp:123:7:123:9 | s22 |  |
@@ -2309,6 +2315,7 @@
 | set.cpp:122:7:122:9 | ref arg s22 | set.cpp:124:24:124:26 | s22 |  |
 | set.cpp:122:7:122:9 | ref arg s22 | set.cpp:125:7:125:9 | s22 |  |
 | set.cpp:122:7:122:9 | ref arg s22 | set.cpp:126:1:126:1 | s22 |  |
+| set.cpp:122:7:122:9 | s22 | set.cpp:122:11:122:22 | call to emplace_hint | TAINT |
 | set.cpp:122:24:122:26 | ref arg s22 | set.cpp:122:7:122:9 | s22 |  |
 | set.cpp:122:24:122:26 | ref arg s22 | set.cpp:123:7:123:9 | s22 |  |
 | set.cpp:122:24:122:26 | ref arg s22 | set.cpp:124:7:124:9 | s22 |  |
@@ -2316,15 +2323,24 @@
 | set.cpp:122:24:122:26 | ref arg s22 | set.cpp:125:7:125:9 | s22 |  |
 | set.cpp:122:24:122:26 | ref arg s22 | set.cpp:126:1:126:1 | s22 |  |
 | set.cpp:122:24:122:26 | s22 | set.cpp:122:28:122:32 | call to begin | TAINT |
+| set.cpp:122:24:122:34 | call to iterator | set.cpp:122:7:122:9 | ref arg s22 | TAINT |
+| set.cpp:122:24:122:34 | call to iterator | set.cpp:122:11:122:22 | call to emplace_hint | TAINT |
 | set.cpp:122:28:122:32 | call to begin | set.cpp:122:24:122:34 | call to iterator | TAINT |
+| set.cpp:122:37:122:41 | abc | set.cpp:122:7:122:9 | ref arg s22 | TAINT |
+| set.cpp:122:37:122:41 | abc | set.cpp:122:11:122:22 | call to emplace_hint | TAINT |
 | set.cpp:123:7:123:9 | s22 | set.cpp:123:7:123:9 | call to set |  |
 | set.cpp:124:7:124:9 | ref arg s22 | set.cpp:125:7:125:9 | s22 |  |
 | set.cpp:124:7:124:9 | ref arg s22 | set.cpp:126:1:126:1 | s22 |  |
+| set.cpp:124:7:124:9 | s22 | set.cpp:124:11:124:22 | call to emplace_hint | TAINT |
 | set.cpp:124:24:124:26 | ref arg s22 | set.cpp:124:7:124:9 | s22 |  |
 | set.cpp:124:24:124:26 | ref arg s22 | set.cpp:125:7:125:9 | s22 |  |
 | set.cpp:124:24:124:26 | ref arg s22 | set.cpp:126:1:126:1 | s22 |  |
 | set.cpp:124:24:124:26 | s22 | set.cpp:124:28:124:32 | call to begin | TAINT |
+| set.cpp:124:24:124:34 | call to iterator | set.cpp:124:7:124:9 | ref arg s22 | TAINT |
+| set.cpp:124:24:124:34 | call to iterator | set.cpp:124:11:124:22 | call to emplace_hint | TAINT |
 | set.cpp:124:28:124:32 | call to begin | set.cpp:124:24:124:34 | call to iterator | TAINT |
+| set.cpp:124:37:124:42 | call to source | set.cpp:124:7:124:9 | ref arg s22 | TAINT |
+| set.cpp:124:37:124:42 | call to source | set.cpp:124:11:124:22 | call to emplace_hint | TAINT |
 | set.cpp:125:7:125:9 | s22 | set.cpp:125:7:125:9 | call to set |  |
 | set.cpp:131:29:131:30 | call to unordered_set | set.cpp:133:7:133:8 | s1 |  |
 | set.cpp:131:29:131:30 | call to unordered_set | set.cpp:137:12:137:13 | s1 |  |
@@ -2763,10 +2779,16 @@
 | set.cpp:230:7:230:9 | ref arg s21 | set.cpp:232:7:232:9 | s21 |  |
 | set.cpp:230:7:230:9 | ref arg s21 | set.cpp:233:7:233:9 | s21 |  |
 | set.cpp:230:7:230:9 | ref arg s21 | set.cpp:238:1:238:1 | s21 |  |
+| set.cpp:230:7:230:9 | s21 | set.cpp:230:11:230:17 | call to emplace | TAINT |
+| set.cpp:230:19:230:23 | abc | set.cpp:230:7:230:9 | ref arg s21 | TAINT |
+| set.cpp:230:19:230:23 | abc | set.cpp:230:11:230:17 | call to emplace | TAINT |
 | set.cpp:230:26:230:30 | first | set.cpp:230:7:230:30 | call to iterator |  |
 | set.cpp:231:7:231:9 | s21 | set.cpp:231:7:231:9 | call to unordered_set |  |
 | set.cpp:232:7:232:9 | ref arg s21 | set.cpp:233:7:233:9 | s21 |  |
 | set.cpp:232:7:232:9 | ref arg s21 | set.cpp:238:1:238:1 | s21 |  |
+| set.cpp:232:7:232:9 | s21 | set.cpp:232:11:232:17 | call to emplace | TAINT |
+| set.cpp:232:19:232:24 | call to source | set.cpp:232:7:232:9 | ref arg s21 | TAINT |
+| set.cpp:232:19:232:24 | call to source | set.cpp:232:11:232:17 | call to emplace | TAINT |
 | set.cpp:232:29:232:33 | first | set.cpp:232:7:232:33 | call to iterator |  |
 | set.cpp:233:7:233:9 | s21 | set.cpp:233:7:233:9 | call to unordered_set |  |
 | set.cpp:234:7:234:9 | ref arg s22 | set.cpp:235:7:235:9 | s22 |  |
@@ -2774,6 +2796,7 @@
 | set.cpp:234:7:234:9 | ref arg s22 | set.cpp:236:24:236:26 | s22 |  |
 | set.cpp:234:7:234:9 | ref arg s22 | set.cpp:237:7:237:9 | s22 |  |
 | set.cpp:234:7:234:9 | ref arg s22 | set.cpp:238:1:238:1 | s22 |  |
+| set.cpp:234:7:234:9 | s22 | set.cpp:234:11:234:22 | call to emplace_hint | TAINT |
 | set.cpp:234:24:234:26 | ref arg s22 | set.cpp:234:7:234:9 | s22 |  |
 | set.cpp:234:24:234:26 | ref arg s22 | set.cpp:235:7:235:9 | s22 |  |
 | set.cpp:234:24:234:26 | ref arg s22 | set.cpp:236:7:236:9 | s22 |  |
@@ -2781,15 +2804,24 @@
 | set.cpp:234:24:234:26 | ref arg s22 | set.cpp:237:7:237:9 | s22 |  |
 | set.cpp:234:24:234:26 | ref arg s22 | set.cpp:238:1:238:1 | s22 |  |
 | set.cpp:234:24:234:26 | s22 | set.cpp:234:28:234:32 | call to begin | TAINT |
+| set.cpp:234:24:234:34 | call to iterator | set.cpp:234:7:234:9 | ref arg s22 | TAINT |
+| set.cpp:234:24:234:34 | call to iterator | set.cpp:234:11:234:22 | call to emplace_hint | TAINT |
 | set.cpp:234:28:234:32 | call to begin | set.cpp:234:24:234:34 | call to iterator | TAINT |
+| set.cpp:234:37:234:41 | abc | set.cpp:234:7:234:9 | ref arg s22 | TAINT |
+| set.cpp:234:37:234:41 | abc | set.cpp:234:11:234:22 | call to emplace_hint | TAINT |
 | set.cpp:235:7:235:9 | s22 | set.cpp:235:7:235:9 | call to unordered_set |  |
 | set.cpp:236:7:236:9 | ref arg s22 | set.cpp:237:7:237:9 | s22 |  |
 | set.cpp:236:7:236:9 | ref arg s22 | set.cpp:238:1:238:1 | s22 |  |
+| set.cpp:236:7:236:9 | s22 | set.cpp:236:11:236:22 | call to emplace_hint | TAINT |
 | set.cpp:236:24:236:26 | ref arg s22 | set.cpp:236:7:236:9 | s22 |  |
 | set.cpp:236:24:236:26 | ref arg s22 | set.cpp:237:7:237:9 | s22 |  |
 | set.cpp:236:24:236:26 | ref arg s22 | set.cpp:238:1:238:1 | s22 |  |
 | set.cpp:236:24:236:26 | s22 | set.cpp:236:28:236:32 | call to begin | TAINT |
+| set.cpp:236:24:236:34 | call to iterator | set.cpp:236:7:236:9 | ref arg s22 | TAINT |
+| set.cpp:236:24:236:34 | call to iterator | set.cpp:236:11:236:22 | call to emplace_hint | TAINT |
 | set.cpp:236:28:236:32 | call to begin | set.cpp:236:24:236:34 | call to iterator | TAINT |
+| set.cpp:236:37:236:42 | call to source | set.cpp:236:7:236:9 | ref arg s22 | TAINT |
+| set.cpp:236:37:236:42 | call to source | set.cpp:236:11:236:22 | call to emplace_hint | TAINT |
 | set.cpp:237:7:237:9 | s22 | set.cpp:237:7:237:9 | call to unordered_set |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
@@ -117,12 +117,12 @@ void test_set()
 	std::set<char *> s21, s22;
 	sink(s21.emplace("abc").first);
 	sink(s21);
-	sink(s21.emplace(source()).first); // tainted [NOT DETECTED]
-	sink(s21); // tainted [NOT DETECTED]
+	sink(s21.emplace(source()).first); // tainted
+	sink(s21); // tainted
 	sink(s22.emplace_hint(s22.begin(), "abc"));
 	sink(s22);
-	sink(s22.emplace_hint(s22.begin(), source())); // tainted [NOT DETECTED]
-	sink(s22); // tainted [NOT DETECTED]
+	sink(s22.emplace_hint(s22.begin(), source())); // tainted
+	sink(s22); // tainted
 }

 void test_unordered_set()
@@ -229,10 +229,10 @@ void test_unordered_set()
 	std::unordered_set<char *> s21, s22;
 	sink(s21.emplace("abc").first);
 	sink(s21);
-	sink(s21.emplace(source()).first); // tainted [NOT DETECTED]
-	sink(s21); // tainted [NOT DETECTED]
+	sink(s21.emplace(source()).first); // tainted
+	sink(s21); // tainted
 	sink(s22.emplace_hint(s22.begin(), "abc"));
 	sink(s22);
-	sink(s22.emplace_hint(s22.begin(), source())); // tainted [NOT DETECTED]
-	sink(s22); // tainted [NOT DETECTED]
+	sink(s22.emplace_hint(s22.begin(), source())); // tainted
+	sink(s22); // tainted
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -179,6 +179,9 @@
 | set.cpp:112:7:112:9 | call to set | set.cpp:109:13:109:18 | call to source |
 | set.cpp:114:7:114:9 | call to set | set.cpp:108:13:108:18 | call to source |
 | set.cpp:114:7:114:9 | call to set | set.cpp:109:13:109:18 | call to source |
+| set.cpp:121:7:121:9 | call to set | set.cpp:120:19:120:24 | call to source |
+| set.cpp:124:11:124:22 | call to emplace_hint | set.cpp:124:37:124:42 | call to source |
+| set.cpp:125:7:125:9 | call to set | set.cpp:124:37:124:42 | call to source |
 | set.cpp:136:10:136:15 | call to insert | set.cpp:136:29:136:34 | call to source |
 | set.cpp:140:7:140:8 | call to unordered_set | set.cpp:134:17:134:22 | call to source |
 | set.cpp:142:7:142:8 | call to unordered_set | set.cpp:136:29:136:34 | call to source |
@@ -214,6 +217,9 @@
 | set.cpp:224:7:224:9 | call to unordered_set | set.cpp:221:13:221:18 | call to source |
 | set.cpp:226:7:226:9 | call to unordered_set | set.cpp:220:13:220:18 | call to source |
 | set.cpp:226:7:226:9 | call to unordered_set | set.cpp:221:13:221:18 | call to source |
+| set.cpp:233:7:233:9 | call to unordered_set | set.cpp:232:19:232:24 | call to source |
+| set.cpp:236:11:236:22 | call to emplace_hint | set.cpp:236:37:236:42 | call to source |
+| set.cpp:237:7:237:9 | call to unordered_set | set.cpp:236:37:236:42 | call to source |
 | smart_pointer.cpp:12:10:12:10 | call to operator* | smart_pointer.cpp:11:52:11:57 | call to source |
 | smart_pointer.cpp:13:10:13:10 | p | smart_pointer.cpp:11:52:11:57 | call to source |
 | smart_pointer.cpp:24:10:24:10 | call to operator* | smart_pointer.cpp:23:52:23:57 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -134,6 +134,9 @@
 | set.cpp:112:7:112:9 | set.cpp:109:13:109:18 | AST only |
 | set.cpp:114:7:114:9 | set.cpp:108:13:108:18 | AST only |
 | set.cpp:114:7:114:9 | set.cpp:109:13:109:18 | AST only |
+| set.cpp:120:7:120:33 | set.cpp:120:19:120:24 | IR only |
+| set.cpp:121:7:121:9 | set.cpp:120:19:120:24 | AST only |
+| set.cpp:125:7:125:9 | set.cpp:124:37:124:42 | AST only |
 | set.cpp:134:7:134:31 | set.cpp:134:17:134:22 | IR only |
 | set.cpp:140:7:140:8 | set.cpp:134:17:134:22 | AST only |
 | set.cpp:142:7:142:8 | set.cpp:136:29:136:34 | AST only |
@@ -164,6 +167,9 @@
 | set.cpp:224:7:224:9 | set.cpp:221:13:221:18 | AST only |
 | set.cpp:226:7:226:9 | set.cpp:220:13:220:18 | AST only |
 | set.cpp:226:7:226:9 | set.cpp:221:13:221:18 | AST only |
+| set.cpp:232:7:232:33 | set.cpp:232:19:232:24 | IR only |
+| set.cpp:233:7:233:9 | set.cpp:232:19:232:24 | AST only |
+| set.cpp:237:7:237:9 | set.cpp:236:37:236:42 | AST only |
 | smart_pointer.cpp:12:10:12:10 | smart_pointer.cpp:11:52:11:57 | AST only |
 | smart_pointer.cpp:24:10:24:10 | smart_pointer.cpp:23:52:23:57 | AST only |
 | standalone_iterators.cpp:41:10:41:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -127,6 +127,8 @@
 | set.cpp:72:7:72:33 | call to iterator | set.cpp:67:13:67:18 | call to source |
 | set.cpp:111:11:111:15 | call to erase | set.cpp:108:13:108:18 | call to source |
 | set.cpp:111:11:111:15 | call to erase | set.cpp:109:13:109:18 | call to source |
+| set.cpp:120:7:120:33 | call to iterator | set.cpp:120:19:120:24 | call to source |
+| set.cpp:124:11:124:22 | call to emplace_hint | set.cpp:124:37:124:42 | call to source |
 | set.cpp:134:7:134:31 | call to iterator | set.cpp:134:17:134:22 | call to source |
 | set.cpp:136:10:136:15 | call to insert | set.cpp:136:29:136:34 | call to source |
 | set.cpp:146:10:146:13 | call to find | set.cpp:134:17:134:22 | call to source |
@@ -140,6 +142,8 @@
 | set.cpp:184:7:184:33 | call to iterator | set.cpp:181:13:181:18 | call to source |
 | set.cpp:223:11:223:15 | call to erase | set.cpp:220:13:220:18 | call to source |
 | set.cpp:223:11:223:15 | call to erase | set.cpp:221:13:221:18 | call to source |
+| set.cpp:232:7:232:33 | call to iterator | set.cpp:232:19:232:24 | call to source |
+| set.cpp:236:11:236:22 | call to emplace_hint | set.cpp:236:37:236:42 | call to source |
 | smart_pointer.cpp:13:10:13:10 | Argument 0 indirection | smart_pointer.cpp:11:52:11:57 | call to source |
 | smart_pointer.cpp:25:10:25:10 | Argument 0 indirection | smart_pointer.cpp:23:52:23:57 | call to source |
 | smart_pointer.cpp:52:12:52:14 | call to get | smart_pointer.cpp:51:52:51:57 | call to source |