C/C++: Add tentative support for speculative taint flow.

2026-04-24 00:05:14 +02:00 · 2024-10-04 11:21:48 +02:00
parent fae71756eb
commit 4e8a4a5cdd
2 changed files with 25 additions and 0 deletions
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -281,3 +281,5 @@ private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
 }

 private predicate iteratorDereference(Call c) { c.getTarget() instanceof IteratorReferenceFunction }
+
+predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -212,3 +212,26 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut, string
    nodeOut = callOutput(call, modelOut)
  )
 }
+
+import SpeculativeTaintFlow
+
+private module SpeculativeTaintFlow {
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as DataFlowDispatch
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+
+  predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+    exists(DataFlowCall call, ArgumentPosition argpos |
+      // TODO: exclude neutrals and anything that has QL modeling.
+      not exists(DataFlowDispatch::viableCallable(call)) and
+      src.(DataFlowPrivate::ArgumentNode).argumentOf(call, argpos)
+    |
+      not argpos.(DirectPosition).getIndex() = -1 and
+      sink.(PostUpdateNode)
+          .getPreUpdateNode()
+          .(DataFlowPrivate::ArgumentNode)
+          .argumentOf(call, any(DirectPosition qualpos | qualpos.getIndex() = -1))
+      or
+      sink.(DataFlowPrivate::OutNode).getCall() = call
+    )
+  }
+}