C++: emplace and emplace_back takes its arguments by universal references, so they should also specify flow as indirections.

2026-05-03 20:58:03 +02:00 · 2021-02-04 11:16:27 +01:00
parent 8cf8b704c5
commit 47ab9ba81b
2 changed files with 4 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from any parameter except the position iterator to qualifier and return value
    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([1 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and
    (
      output.isQualifierObject() or
      output.isReturnValue()
@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from any parameter to qualifier
    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
    output.isQualifierObject()
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -491,8 +491,8 @@ void test_vector_emplace() {
 	std::vector<int> v1(10), v2(10);

 	v1.emplace_back(source());
-	sink(v1); // $ ast MISSING: ir
+	sink(v1); // $ ast,ir

 	v2.emplace(v2.begin(), source());
-	sink(v2); // $ ast MISSING: ir
+	sink(v2); // $ ast,ir
 }