Merge pull request #4148 from geoffw0/vecextra

C++: Improvements to string and vector models.
2026-05-01 03:35:13 +02:00 · 2020-08-28 10:05:42 +02:00
parent 80cb8be405 9b3da1f6c7
commit 55d7ac88f9
8 changed files with 370 additions and 20 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -23,7 +23,7 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
   */
  int getAValueTypeParameterIndex() {
    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -33,6 +33,24 @@ class StdSequenceContainerConstructor extends Constructor, TaintFunction {
  }
 }

+/**
+ * The standard container function `data`.
+ */
+class StdSequenceContainerData extends TaintFunction {
+  StdSequenceContainerData() { this.hasQualifiedName("std", ["array", "vector"], "data") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from container itself (qualifier) to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // `data`)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
 /**
 * The standard container functions `push_back` and `push_front`.
 */
@@ -70,6 +88,30 @@ class StdSequenceContainerFrontBack extends TaintFunction {
  }
 }

+/**
+ * The standard container function `assign`.
+ */
+class StdSequenceContainerAssign extends TaintFunction {
+  StdSequenceContainerAssign() {
+    this.hasQualifiedName("std", ["vector", "deque", "list", "forward_list"], "assign")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to string itself (qualifier) and return value
+    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    output.isQualifierObject()
+  }
+}
+
 /**
 * The standard container `swap` functions.
 */
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -8,15 +8,33 @@ class StdBasicString extends TemplateClass {
 }

 /**
- * The `std::string` functions `c_str` and  `data`.
+ * The `std::string` function `c_str`.
 */
 class StdStringCStr extends TaintFunction {
-  StdStringCStr() { this.hasQualifiedName("std", "basic_string", ["c_str", "data"]) }
+  StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from string itself (qualifier) to return value
    input.isQualifierObject() and
-    output.isReturnValue()
+    output.isReturnValueDeref()
+  }
+}
+
+/**
+ * The `std::string` function `data`.
+ */
+class StdStringData extends TaintFunction {
+  StdStringData() { this.hasQualifiedName("std", "basic_string", "data") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string itself (qualifier) to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // `data`)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
  }
 }

@@ -53,17 +71,18 @@ class StdStringAppend extends TaintFunction {
   * Gets the index of a parameter to this function that is a string (or
   * character).
   */
-  int getAStringParameter() {
+  int getAStringParameterIndex() {
    getParameter(result).getType() instanceof PointerType or
    getParameter(result).getType() instanceof ReferenceType or
-    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+    getParameter(result).getUnspecifiedType() =
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from string and parameter to string (qualifier) and return value
    (
      input.isQualifierObject() or
-      input.isParameterDeref(getAStringParameter())
+      input.isParameterDeref(getAStringParameterIndex())
    ) and
    (
      output.isQualifierObject() or
@@ -82,15 +101,16 @@ class StdStringAssign extends TaintFunction {
   * Gets the index of a parameter to this function that is a string (or
   * character).
   */
-  int getAStringParameter() {
+  int getAStringParameterIndex() {
    getParameter(result).getType() instanceof PointerType or
    getParameter(result).getType() instanceof ReferenceType or
-    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+    getParameter(result).getUnspecifiedType() =
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. `std::basic_string::CharT`
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to string itself (qualifier) and return value
-    input.isParameterDeref(getAStringParameter()) and
+    input.isParameterDeref(getAStringParameterIndex()) and
    (
      output.isQualifierObject() or
      output.isReturnValueDeref()
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -437,10 +437,12 @@
 | movableclass.cpp:65:13:65:18 | call to source | movableclass.cpp:65:13:65:20 | call to MyMovableClass | TAINT |
 | movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:8:65:9 | ref arg s3 | TAINT |
 | movableclass.cpp:65:13:65:20 | call to MyMovableClass | movableclass.cpp:65:11:65:11 | call to operator= | TAINT |
-| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT |
-| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT |
-| stl.h:137:30:137:40 | call to allocator | stl.h:137:21:137:41 | noexcept(...) | TAINT |
-| stl.h:137:53:137:63 | 0 | stl.h:137:46:137:64 | (no string representation) | TAINT |
+| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT |
+| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT |
+| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT |
+| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT |
+| stl.h:139:30:139:40 | call to allocator | stl.h:139:21:139:41 | noexcept(...) | TAINT |
+| stl.h:139:53:139:63 | 0 | stl.h:139:46:139:64 | (no string representation) | TAINT |
 | string.cpp:24:12:24:17 | call to source | string.cpp:28:7:28:7 | a |  |
 | string.cpp:25:16:25:20 | 123 | string.cpp:25:16:25:21 | call to basic_string | TAINT |
 | string.cpp:25:16:25:21 | call to basic_string | string.cpp:29:7:29:7 | b |  |
@@ -841,6 +843,20 @@
 | string.cpp:337:9:337:9 | a | string.cpp:337:10:337:10 | call to operator[] | TAINT |
 | string.cpp:337:9:337:9 | ref arg a | string.cpp:339:7:339:7 | a |  |
 | string.cpp:337:10:337:10 | call to operator[] | string.cpp:337:2:337:12 | ... = ... |  |
+| string.cpp:346:18:346:22 | 123 | string.cpp:346:18:346:23 | call to basic_string | TAINT |
+| string.cpp:346:18:346:23 | call to basic_string | string.cpp:348:2:348:4 | str |  |
+| string.cpp:346:18:346:23 | call to basic_string | string.cpp:349:7:349:9 | str |  |
+| string.cpp:346:18:346:23 | call to basic_string | string.cpp:350:7:350:9 | str |  |
+| string.cpp:348:2:348:4 | ref arg str | string.cpp:349:7:349:9 | str |  |
+| string.cpp:348:2:348:4 | ref arg str | string.cpp:350:7:350:9 | str |  |
+| string.cpp:348:2:348:4 | str | string.cpp:348:6:348:9 | call to data | TAINT |
+| string.cpp:348:2:348:14 | access to array [post update] | string.cpp:348:6:348:9 | call to data [inner post update] |  |
+| string.cpp:348:2:348:34 | ... = ... | string.cpp:348:2:348:14 | access to array [post update] |  |
+| string.cpp:348:6:348:9 | call to data | string.cpp:348:2:348:14 | access to array | TAINT |
+| string.cpp:348:6:348:9 | call to data [inner post update] | string.cpp:348:2:348:4 | ref arg str | TAINT |
+| string.cpp:348:13:348:13 | 1 | string.cpp:348:2:348:14 | access to array | TAINT |
+| string.cpp:348:18:348:32 | call to source | string.cpp:348:2:348:34 | ... = ... |  |
+| string.cpp:350:7:350:9 | str | string.cpp:350:11:350:14 | call to data | TAINT |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:16:2:16:4 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:22:7:22:9 | ss1 |  |
 | stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:27:7:27:9 | ss1 |  |
@@ -1975,14 +1991,17 @@
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:75:7:75:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:74:2:74:3 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:74:2:74:3 | v6 | vector.cpp:74:5:74:8 | call to data | TAINT |
 | vector.cpp:74:2:74:13 | access to array [post update] | vector.cpp:74:5:74:8 | call to data [inner post update] |  |
 | vector.cpp:74:2:74:24 | ... = ... | vector.cpp:74:2:74:13 | access to array [post update] |  |
 | vector.cpp:74:5:74:8 | call to data | vector.cpp:74:2:74:13 | access to array | TAINT |
+| vector.cpp:74:5:74:8 | call to data [inner post update] | vector.cpp:74:2:74:3 | ref arg v6 | TAINT |
 | vector.cpp:74:12:74:12 | 2 | vector.cpp:74:2:74:13 | access to array | TAINT |
 | vector.cpp:74:17:74:22 | call to source | vector.cpp:74:2:74:24 | ... = ... |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:76:7:76:8 | v6 |  |
 | vector.cpp:75:7:75:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
 | vector.cpp:76:7:76:8 | ref arg v6 | vector.cpp:101:1:101:1 | v6 |  |
+| vector.cpp:76:7:76:8 | v6 | vector.cpp:76:10:76:13 | call to data | TAINT |
 | vector.cpp:76:10:76:13 | call to data | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:76:17:76:17 | 2 | vector.cpp:76:7:76:18 | access to array | TAINT |
 | vector.cpp:79:33:79:34 | v7 | vector.cpp:80:41:80:43 | v7c |  |
@@ -2333,3 +2352,148 @@
 | vector.cpp:212:8:212:9 | ref arg ff | vector.cpp:213:2:213:2 | ff |  |
 | vector.cpp:212:10:212:10 | call to operator[] [post update] | vector.cpp:212:8:212:9 | ref arg ff | TAINT |
 | vector.cpp:212:14:212:15 | vs | vector.cpp:212:16:212:16 | call to operator[] | TAINT |
+| vector.cpp:235:19:235:20 | call to vector | vector.cpp:237:2:237:3 | v1 |  |
+| vector.cpp:235:19:235:20 | call to vector | vector.cpp:241:7:241:8 | v1 |  |
+| vector.cpp:235:19:235:20 | call to vector | vector.cpp:249:13:249:14 | v1 |  |
+| vector.cpp:235:19:235:20 | call to vector | vector.cpp:249:25:249:26 | v1 |  |
+| vector.cpp:235:19:235:20 | call to vector | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:235:23:235:24 | call to vector | vector.cpp:238:2:238:3 | v2 |  |
+| vector.cpp:235:23:235:24 | call to vector | vector.cpp:242:7:242:8 | v2 |  |
+| vector.cpp:235:23:235:24 | call to vector | vector.cpp:277:1:277:1 | v2 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:239:2:239:3 | v3 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:243:7:243:8 | v3 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:250:13:250:14 | v3 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:250:25:250:26 | v3 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:251:8:251:9 | v3 |  |
+| vector.cpp:235:27:235:28 | call to vector | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:241:7:241:8 | v1 |  |
+| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:13:249:14 | v1 |  |
+| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
+| vector.cpp:237:2:237:3 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:237:17:237:17 | 0 | vector.cpp:237:2:237:3 | ref arg v1 | TAINT |
+| vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:242:7:242:8 | v2 |  |
+| vector.cpp:238:2:238:3 | ref arg v2 | vector.cpp:277:1:277:1 | v2 |  |
+| vector.cpp:238:17:238:30 | call to source | vector.cpp:238:2:238:3 | ref arg v2 | TAINT |
+| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:243:7:243:8 | v3 |  |
+| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:13:250:14 | v3 |  |
+| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
+| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
+| vector.cpp:239:2:239:3 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:239:15:239:20 | call to source | vector.cpp:239:2:239:3 | ref arg v3 | TAINT |
+| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:13:249:14 | v1 |  |
+| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
+| vector.cpp:241:7:241:8 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:242:7:242:8 | ref arg v2 | vector.cpp:277:1:277:1 | v2 |  |
+| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:250:13:250:14 | v3 |  |
+| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
+| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
+| vector.cpp:243:7:243:8 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:246:20:246:21 | call to vector | vector.cpp:249:3:249:4 | v4 |  |
+| vector.cpp:246:20:246:21 | call to vector | vector.cpp:257:8:257:9 | v4 |  |
+| vector.cpp:246:20:246:21 | call to vector | vector.cpp:262:2:262:2 | v4 |  |
+| vector.cpp:246:24:246:25 | call to vector | vector.cpp:250:3:250:4 | v5 |  |
+| vector.cpp:246:24:246:25 | call to vector | vector.cpp:258:8:258:9 | v5 |  |
+| vector.cpp:246:24:246:25 | call to vector | vector.cpp:262:2:262:2 | v5 |  |
+| vector.cpp:246:28:246:29 | call to vector | vector.cpp:255:3:255:4 | v6 |  |
+| vector.cpp:246:28:246:29 | call to vector | vector.cpp:261:8:261:9 | v6 |  |
+| vector.cpp:246:28:246:29 | call to vector | vector.cpp:262:2:262:2 | v6 |  |
+| vector.cpp:249:3:249:4 | ref arg v4 | vector.cpp:257:8:257:9 | v4 |  |
+| vector.cpp:249:3:249:4 | ref arg v4 | vector.cpp:262:2:262:2 | v4 |  |
+| vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
+| vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:249:25:249:26 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
+| vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:258:8:258:9 | v5 |  |
+| vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
+| vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
+| vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
+| vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
+| vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:251:8:251:9 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
+| vector.cpp:251:11:251:15 | call to begin | vector.cpp:251:3:251:17 | ... = ... |  |
+| vector.cpp:251:11:251:15 | call to begin | vector.cpp:252:3:252:4 | i1 |  |
+| vector.cpp:251:11:251:15 | call to begin | vector.cpp:253:8:253:9 | i1 |  |
+| vector.cpp:251:11:251:15 | call to begin | vector.cpp:255:13:255:14 | i1 |  |
+| vector.cpp:251:11:251:15 | call to begin | vector.cpp:259:8:259:9 | i1 |  |
+| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:253:8:253:9 | i1 |  |
+| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:255:13:255:14 | i1 |  |
+| vector.cpp:252:3:252:4 | ref arg i1 | vector.cpp:259:8:259:9 | i1 |  |
+| vector.cpp:253:8:253:9 | i1 | vector.cpp:253:3:253:9 | ... = ... |  |
+| vector.cpp:253:8:253:9 | i1 | vector.cpp:254:3:254:4 | i2 |  |
+| vector.cpp:253:8:253:9 | i1 | vector.cpp:255:17:255:18 | i2 |  |
+| vector.cpp:253:8:253:9 | i1 | vector.cpp:260:8:260:9 | i2 |  |
+| vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:255:17:255:18 | i2 |  |
+| vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:260:8:260:9 | i2 |  |
+| vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:261:8:261:9 | v6 |  |
+| vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:262:2:262:2 | v6 |  |
+| vector.cpp:257:8:257:9 | ref arg v4 | vector.cpp:262:2:262:2 | v4 |  |
+| vector.cpp:258:8:258:9 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
+| vector.cpp:261:8:261:9 | ref arg v6 | vector.cpp:262:2:262:2 | v6 |  |
+| vector.cpp:265:22:265:23 | call to vector | vector.cpp:269:3:269:4 | v7 |  |
+| vector.cpp:265:22:265:23 | call to vector | vector.cpp:273:8:273:9 | v7 |  |
+| vector.cpp:265:22:265:23 | call to vector | vector.cpp:276:2:276:2 | v7 |  |
+| vector.cpp:266:24:266:25 | call to vector | vector.cpp:270:3:270:4 | v8 |  |
+| vector.cpp:266:24:266:25 | call to vector | vector.cpp:274:8:274:9 | v8 |  |
+| vector.cpp:266:24:266:25 | call to vector | vector.cpp:276:2:276:2 | v8 |  |
+| vector.cpp:267:28:267:29 | call to vector | vector.cpp:271:3:271:4 | v9 |  |
+| vector.cpp:267:28:267:29 | call to vector | vector.cpp:275:8:275:9 | v9 |  |
+| vector.cpp:267:28:267:29 | call to vector | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:273:8:273:9 | v7 |  |
+| vector.cpp:269:3:269:4 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
+| vector.cpp:269:18:269:31 | call to source | vector.cpp:269:3:269:4 | ref arg v7 | TAINT |
+| vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:274:8:274:9 | v8 |  |
+| vector.cpp:270:3:270:4 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
+| vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT |
+| vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 |  |
+| vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:271:18:271:34 | call to source | vector.cpp:271:3:271:4 | ref arg v9 | TAINT |
+| vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
+| vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
+| vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:282:19:282:20 | call to vector | vector.cpp:284:2:284:3 | v1 |  |
+| vector.cpp:282:19:282:20 | call to vector | vector.cpp:285:7:285:8 | v1 |  |
+| vector.cpp:282:19:282:20 | call to vector | vector.cpp:286:7:286:8 | v1 |  |
+| vector.cpp:282:19:282:20 | call to vector | vector.cpp:287:7:287:8 | v1 |  |
+| vector.cpp:282:19:282:20 | call to vector | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:282:23:282:24 | call to vector | vector.cpp:289:4:289:5 | v2 |  |
+| vector.cpp:282:23:282:24 | call to vector | vector.cpp:290:7:290:8 | v2 |  |
+| vector.cpp:282:23:282:24 | call to vector | vector.cpp:291:7:291:8 | v2 |  |
+| vector.cpp:282:23:282:24 | call to vector | vector.cpp:292:7:292:8 | v2 |  |
+| vector.cpp:282:23:282:24 | call to vector | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:285:7:285:8 | v1 |  |
+| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:286:7:286:8 | v1 |  |
+| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
+| vector.cpp:284:2:284:3 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:284:15:284:20 | call to source | vector.cpp:284:2:284:3 | ref arg v1 | TAINT |
+| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:286:7:286:8 | v1 |  |
+| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
+| vector.cpp:285:7:285:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:287:7:287:8 | v1 |  |
+| vector.cpp:286:7:286:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:286:7:286:8 | v1 | vector.cpp:286:10:286:13 | call to data | TAINT |
+| vector.cpp:286:10:286:13 | ref arg call to data | vector.cpp:286:7:286:8 | ref arg v1 | TAINT |
+| vector.cpp:287:7:287:8 | ref arg v1 | vector.cpp:293:1:293:1 | v1 |  |
+| vector.cpp:287:7:287:8 | v1 | vector.cpp:287:10:287:13 | call to data | TAINT |
+| vector.cpp:287:10:287:13 | call to data | vector.cpp:287:7:287:18 | access to array | TAINT |
+| vector.cpp:287:17:287:17 | 2 | vector.cpp:287:7:287:18 | access to array | TAINT |
+| vector.cpp:289:2:289:13 | * ... [post update] | vector.cpp:289:7:289:10 | call to data [inner post update] |  |
+| vector.cpp:289:2:289:32 | ... = ... | vector.cpp:289:2:289:13 | * ... [post update] |  |
+| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:290:7:290:8 | v2 |  |
+| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:291:7:291:8 | v2 |  |
+| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
+| vector.cpp:289:4:289:5 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:289:4:289:5 | v2 | vector.cpp:289:7:289:10 | call to data | TAINT |
+| vector.cpp:289:7:289:10 | call to data | vector.cpp:289:2:289:13 | * ... | TAINT |
+| vector.cpp:289:7:289:10 | call to data [inner post update] | vector.cpp:289:4:289:5 | ref arg v2 | TAINT |
+| vector.cpp:289:17:289:30 | call to source | vector.cpp:289:2:289:32 | ... = ... |  |
+| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:291:7:291:8 | v2 |  |
+| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
+| vector.cpp:290:7:290:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:292:7:292:8 | v2 |  |
+| vector.cpp:291:7:291:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:291:7:291:8 | v2 | vector.cpp:291:10:291:13 | call to data | TAINT |
+| vector.cpp:291:10:291:13 | ref arg call to data | vector.cpp:291:7:291:8 | ref arg v2 | TAINT |
+| vector.cpp:292:7:292:8 | ref arg v2 | vector.cpp:293:1:293:1 | v2 |  |
+| vector.cpp:292:7:292:8 | v2 | vector.cpp:292:10:292:13 | call to data | TAINT |
+| vector.cpp:292:10:292:13 | call to data | vector.cpp:292:7:292:18 | access to array | TAINT |
+| vector.cpp:292:17:292:17 | 2 | vector.cpp:292:7:292:18 | access to array | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -11,12 +11,14 @@ namespace std

 	struct ptrdiff_t;

-	template <class iterator_category,
+	template <class Category,
 			  class value_type,
 			  class difference_type = ptrdiff_t,
 			  class pointer_type = value_type*,
 			  class reference_type = value_type&>
 	struct iterator {
+		typedef Category iterator_category;
+
 		iterator &operator++();
 		iterator operator++(int);
 		bool operator==(iterator other) const;
@@ -142,6 +144,10 @@ namespace std {

 		vector& operator=(const vector& x);
 		vector& operator=(vector&& x) noexcept/*(allocator_traits<Allocator>::propagate_on_container_move_assignment::value || allocator_traits<Allocator>::is_always_equal::value)*/;
+		template<class InputIterator, class IteratorCategory = typename InputIterator::iterator_category> void assign(InputIterator first, InputIterator last);
+			// use of `iterator_category` makes sure InputIterator is (probably) an iterator, and not an `int` or
+			// similar that should match a different overload (SFINAE).
+		void assign(size_type n, const T& u);

 		iterator begin() noexcept;
 		const_iterator begin() const noexcept;
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -340,3 +340,12 @@ void test_string_at()
 	sink(b); // tainted
 	sink(c); // tainted
 }
+
+void test_string_data_more()
+{
+	std::string str("123");
+
+	str.data()[1] = ns_char::source();
+	sink(str); // tainted
+	sink(str.data()); // tainted
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -99,6 +99,8 @@
 | string.cpp:339:7:339:7 | a | string.cpp:335:9:335:23 | call to source |
 | string.cpp:340:7:340:7 | b | string.cpp:336:12:336:26 | call to source |
 | string.cpp:341:7:341:7 | c | string.cpp:335:9:335:23 | call to source |
+| string.cpp:349:7:349:9 | str | string.cpp:348:18:348:32 | call to source |
+| string.cpp:350:11:350:14 | call to data | string.cpp:348:18:348:32 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -223,6 +225,8 @@
 | vector.cpp:70:7:70:8 | v5 | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:71:10:71:14 | call to front | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
+| vector.cpp:75:7:75:8 | v6 | vector.cpp:74:17:74:22 | call to source |
+| vector.cpp:76:7:76:18 | access to array | vector.cpp:74:17:74:22 | call to source |
 | vector.cpp:97:7:97:8 | v9 | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:98:10:98:11 | call to at | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:99:10:99:11 | call to at | vector.cpp:96:13:96:18 | call to source |
@@ -242,3 +246,14 @@
 | vector.cpp:171:13:171:13 | call to operator[] | vector.cpp:170:14:170:19 | call to source |
 | vector.cpp:180:13:180:13 | call to operator[] | vector.cpp:179:14:179:19 | call to source |
 | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source |
+| vector.cpp:242:7:242:8 | v2 | vector.cpp:238:17:238:30 | call to source |
+| vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source |
+| vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source |
+| vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source |
+| vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source |
+| vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source |
+| vector.cpp:286:10:286:13 | call to data | vector.cpp:284:15:284:20 | call to source |
+| vector.cpp:287:7:287:18 | access to array | vector.cpp:284:15:284:20 | call to source |
+| vector.cpp:290:7:290:8 | v2 | vector.cpp:289:17:289:30 | call to source |
+| vector.cpp:291:10:291:13 | call to data | vector.cpp:289:17:289:30 | call to source |
+| vector.cpp:292:7:292:18 | access to array | vector.cpp:289:17:289:30 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -109,6 +109,8 @@
 | string.cpp:339:7:339:7 | string.cpp:335:9:335:23 | AST only |
 | string.cpp:340:7:340:7 | string.cpp:336:12:336:26 | AST only |
 | string.cpp:341:7:341:7 | string.cpp:335:9:335:23 | AST only |
+| string.cpp:349:7:349:9 | string.cpp:348:18:348:32 | AST only |
+| string.cpp:350:11:350:14 | string.cpp:348:18:348:32 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |
@@ -171,6 +173,8 @@
 | vector.cpp:70:7:70:8 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:71:10:71:14 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
+| vector.cpp:75:7:75:8 | vector.cpp:74:17:74:22 | AST only |
+| vector.cpp:76:7:76:18 | vector.cpp:74:17:74:22 | AST only |
 | vector.cpp:97:7:97:8 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:98:10:98:11 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:99:10:99:11 | vector.cpp:96:13:96:18 | AST only |
@@ -191,3 +195,14 @@
 | vector.cpp:171:13:171:13 | vector.cpp:170:14:170:19 | AST only |
 | vector.cpp:180:13:180:13 | vector.cpp:179:14:179:19 | AST only |
 | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only |
+| vector.cpp:242:7:242:8 | vector.cpp:238:17:238:30 | AST only |
+| vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only |
+| vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only |
+| vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only |
+| vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only |
+| vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only |
+| vector.cpp:286:10:286:13 | vector.cpp:284:15:284:20 | AST only |
+| vector.cpp:287:7:287:18 | vector.cpp:284:15:284:20 | AST only |
+| vector.cpp:290:7:290:8 | vector.cpp:289:17:289:30 | AST only |
+| vector.cpp:291:10:291:13 | vector.cpp:289:17:289:30 | AST only |
+| vector.cpp:292:7:292:18 | vector.cpp:289:17:289:30 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -5,9 +5,9 @@ using namespace std;

 int source();

-namespace ns_char
+namespace ns_int
 {
-	char source();
+	int source();
 }

 void sink(int);
@@ -72,8 +72,8 @@ void test_element_taint(int x) {
 	sink(v5.back()); // tainted

 	v6.data()[2] = source();
-	sink(v6); // tainted [NOT DETECTED]
-	sink(v6.data()[2]); // tainted [NOT DETECTED]
+	sink(v6); // tainted
+	sink(v6.data()[2]); // tainted

 	{
 		const std::vector<int> &v7c = v7; // (workaround because our iterators don't convert to const_iterator)
@@ -87,7 +87,7 @@ void test_element_taint(int x) {
 	{
 		const std::vector<int> &v8c = v8;
 		std::vector<int>::const_iterator it = v8c.begin();
-		v8.insert(it, 10, ns_char::source());
+		v8.insert(it, 10, ns_int::source());
 	}
 	sink(v8); // tainted [NOT DETECTED]
 	sink(v8.front()); // tainted [NOT DETECTED]
@@ -212,3 +212,82 @@ void test_nested_vectors()
 		sink(ff[0].vs[0]); // tainted [NOT DETECTED]
 	}
 }
+
+void sink(std::vector<int>::iterator &);
+
+typedef int myInt;
+typedef float myFloat;
+
+namespace ns_myFloat
+{
+	myFloat source();
+}
+
+namespace ns_ci_ptr
+{
+	const int *source();
+}
+
+void sink(std::vector<myFloat> &);
+void sink(std::vector<const int *> &);
+
+void test_vector_assign() {
+	std::vector<int> v1, v2, v3;
+
+	v1.assign(100, 0);
+	v2.assign(100, ns_int::source());
+	v3.push_back(source());
+
+	sink(v1);
+	sink(v2); // tainted
+	sink(v3); // tainted
+
+	{
+		std::vector<int> v4, v5, v6;
+		std::vector<int>::iterator i1, i2;
+	
+		v4.assign(v1.begin(), v1.end());
+		v5.assign(v3.begin(), v3.end());
+		i1 = v3.begin();
+		i1++;
+		i2 = i1;
+		i2++;
+		v6.assign(i1, i2);
+
+		sink(v4);
+		sink(v5); // tainted [NOT DETECTED]
+		sink(i1); // tainted [NOT DETECTED]
+		sink(i2); // tainted [NOT DETECTED]
+		sink(v6); // tainted [NOT DETECTED]
+	}
+
+	{
+		std::vector<myInt> v7;
+		std::vector<myFloat> v8;
+		std::vector<const int *> v9;
+
+		v7.assign(100, ns_int::source());
+		v8.assign(100, ns_myFloat::source());
+		v9.assign(100, ns_ci_ptr::source());
+
+		sink(v7); // tainted
+		sink(v8); // tainted
+		sink(v9); // tainted
+	}
+}
+
+void sink(int *);
+
+void test_data_more() {
+	std::vector<int> v1, v2;
+
+	v1.push_back(source());
+	sink(v1); // tainted
+	sink(v1.data()); // tainted
+	sink(v1.data()[2]); // tainted
+
+	*(v2.data()) = ns_int::source();
+	sink(v2); // tainted
+	sink(v2.data()); // tainted
+	sink(v2.data()[2]); // tainted
+}