C++: Change some of the taint flows to data flows.

2026-04-30 03:05:15 +02:00 · 2020-09-08 16:32:15 +01:00
parent 8a143bec3a
commit 5a3d41879a
2 changed files with 14 additions and 12 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -298,9 +298,15 @@ class StdBasicOStream extends TemplateClass {
 /**
 * The `std::ostream` function `operator<<` (defined as a member function).
 */
-class StdOStreamOut extends TaintFunction {
+class StdOStreamOut extends DataFlowFunction, TaintFunction {
  StdOStreamOut() { this.hasQualifiedName("std", "basic_ostream", "operator<<") }

+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from parameter to qualifier
    input.isParameter(0) and
@@ -310,10 +316,6 @@ class StdOStreamOut extends TaintFunction {
    input.isParameter(0) and
    output.isReturnValueDeref()
    or
-    // flow from qualifier to return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
    // reverse flow from returned reference to the qualifier
    input.isReturnValueDeref() and
    output.isQualifierObject()
@@ -323,13 +325,19 @@ class StdOStreamOut extends TaintFunction {
 /**
 * The `std::ostream` function `operator<<` (defined as a non-member function).
 */
-class StdOStreamOutNonMember extends TaintFunction {
+class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
  StdOStreamOutNonMember() {
    this.hasQualifiedName("std", "operator<<") and
    this.getUnspecifiedType().(ReferenceType).getBaseType() =
      any(StdBasicOStream s).getAnInstantiation()
  }

+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to return value
+    input.isParameter(0) and
+    output.isReturnValueDeref()
+  }
+
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from second parameter to first parameter
    input.isParameter(1) and
@@ -339,10 +347,6 @@ class StdOStreamOutNonMember extends TaintFunction {
    input.isParameter(1) and
    output.isReturnValueDeref()
    or
-    // flow from first parameter to return value
-    input.isParameter(0) and
-    output.isReturnValueDeref()
-    or
    // reverse flow from returned reference to the first parameter
    input.isReturnValueDeref() and
    output.isParameterDeref(0)
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1457,13 +1457,11 @@
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:77:7:77:9 | ss1 |  |
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:80:7:80:9 | ss1 |  |
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:82:7:82:9 | ss1 |  |
-| stringstream.cpp:75:7:75:9 | ss1 | stringstream.cpp:75:11:75:11 | call to operator<< | TAINT |
 | stringstream.cpp:75:14:75:17 | 1234 | stringstream.cpp:75:7:75:9 | ref arg ss1 | TAINT |
 | stringstream.cpp:75:14:75:17 | 1234 | stringstream.cpp:75:11:75:11 | call to operator<< | TAINT |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:78:7:78:9 | ss2 |  |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:81:7:81:9 | ss2 |  |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:83:7:83:9 | ss2 |  |
-| stringstream.cpp:76:7:76:9 | ss2 | stringstream.cpp:76:11:76:11 | call to operator<< | TAINT |
 | stringstream.cpp:76:14:76:19 | source | stringstream.cpp:76:7:76:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:76:14:76:19 | source | stringstream.cpp:76:11:76:11 | call to operator<< | TAINT |
 | stringstream.cpp:77:7:77:9 | ref arg ss1 | stringstream.cpp:80:7:80:9 | ss1 |  |