mirror of
https://github.com/github/codeql.git
synced 2026-04-28 02:05:14 +02:00
C++: Model bsl functions in StdMap.qll.
This commit is contained in:
Cornelius Riemenschneider
committed by
GitHub
GitHub
parent
b6b90b59eb
commit
595bb025f9
@@ -5,13 +5,20 @@
|
||||
import semmle.code.cpp.models.interfaces.Taint
|
||||
import semmle.code.cpp.models.interfaces.Iterator
|
||||
|
||||
/**
|
||||
* The `std::map` and `std::unordered_map` template classes.
|
||||
*/
|
||||
private class MapOrUnorderedMap extends Class {
|
||||
MapOrUnorderedMap() { this.hasQualifiedName(["std", "bsl"], ["map", "unordered_map"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Additional model for map constructors using iterator inputs.
|
||||
*/
|
||||
private class StdMapConstructor extends Constructor, TaintFunction {
|
||||
StdMapConstructor() {
|
||||
this.hasQualifiedName("std", "map", "map") or
|
||||
this.hasQualifiedName("std", "unordered_map", "unordered_map")
|
||||
this.hasQualifiedName(["std", "bsl"], "map", "map") or
|
||||
this.hasQualifiedName(["std", "bsl"], "unordered_map", "unordered_map")
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -37,7 +44,8 @@ private class StdMapConstructor extends Constructor, TaintFunction {
|
||||
*/
|
||||
private class StdMapInsert extends TaintFunction {
|
||||
StdMapInsert() {
|
||||
this.hasQualifiedName("std", ["map", "unordered_map"], ["insert", "insert_or_assign"])
|
||||
this.hasName(["insert", "insert_or_assign"]) and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
@@ -56,7 +64,8 @@ private class StdMapInsert extends TaintFunction {
|
||||
*/
|
||||
private class StdMapEmplace extends TaintFunction {
|
||||
StdMapEmplace() {
|
||||
this.hasQualifiedName("std", ["map", "unordered_map"], ["emplace", "emplace_hint"])
|
||||
this.hasName(["emplace", "emplace_hint"]) and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
@@ -79,7 +88,10 @@ private class StdMapEmplace extends TaintFunction {
|
||||
* The standard map `try_emplace` function.
|
||||
*/
|
||||
private class StdMapTryEmplace extends TaintFunction {
|
||||
StdMapTryEmplace() { this.hasQualifiedName("std", ["map", "unordered_map"], "try_emplace") }
|
||||
StdMapTryEmplace() {
|
||||
this.hasName("try_emplace") and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
// flow from any parameter apart from the key to qualifier and return value
|
||||
@@ -106,7 +118,10 @@ private class StdMapTryEmplace extends TaintFunction {
|
||||
* The standard map `merge` function.
|
||||
*/
|
||||
private class StdMapMerge extends TaintFunction {
|
||||
StdMapMerge() { this.hasQualifiedName("std", ["map", "unordered_map"], "merge") }
|
||||
StdMapMerge() {
|
||||
this.hasName("merge") and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
// container1.merge(container2)
|
||||
@@ -119,7 +134,10 @@ private class StdMapMerge extends TaintFunction {
|
||||
* The standard map functions `at` and `operator[]`.
|
||||
*/
|
||||
private class StdMapAt extends TaintFunction {
|
||||
StdMapAt() { this.hasQualifiedName("std", ["map", "unordered_map"], ["at", "operator[]"]) }
|
||||
StdMapAt() {
|
||||
this.hasName(["at", "operator[]"]) and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
// flow from qualifier to referenced return value
|
||||
@@ -136,7 +154,10 @@ private class StdMapAt extends TaintFunction {
|
||||
* The standard map `find` function.
|
||||
*/
|
||||
private class StdMapFind extends TaintFunction {
|
||||
StdMapFind() { this.hasQualifiedName("std", ["map", "unordered_map"], "find") }
|
||||
StdMapFind() {
|
||||
this.hasName("find") and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
input.isQualifierObject() and
|
||||
@@ -148,7 +169,10 @@ private class StdMapFind extends TaintFunction {
|
||||
* The standard map `erase` function.
|
||||
*/
|
||||
private class StdMapErase extends TaintFunction {
|
||||
StdMapErase() { this.hasQualifiedName("std", ["map", "unordered_map"], "erase") }
|
||||
StdMapErase() {
|
||||
this.hasName("erase") and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
// flow from qualifier to iterator return value
|
||||
@@ -163,8 +187,8 @@ private class StdMapErase extends TaintFunction {
|
||||
*/
|
||||
private class StdMapEqualRange extends TaintFunction {
|
||||
StdMapEqualRange() {
|
||||
this.hasQualifiedName("std", ["map", "unordered_map"],
|
||||
["lower_bound", "upper_bound", "equal_range"])
|
||||
this.hasName(["lower_bound", "upper_bound", "equal_range"]) and
|
||||
this.getDeclaringType() instanceof MapOrUnorderedMap
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
|
||||
Reference in New Issue
Block a user