C++: Model map::lower_bound, upper_bound and equal_range.

Geoffrey White
2020-10-07 12:17:13 +01:00
parent ef9a7c8cdb
commit 5c1a510e4a
6 changed files with 53 additions and 9 deletions


@@ -170,3 +170,20 @@ class StdMapErase extends TaintFunction {
output.isReturnValue()
}
}
/**
* The standard map `lower_bound`, `upper_bound` and `equal_range` functions.
*/
class StdMapEqualRange extends TaintFunction {
StdMapEqualRange() {
this
.hasQualifiedName("std", ["map", "unordered_map"],
["lower_bound", "upper_bound", "equal_range"])
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from qualifier to return value
input.isQualifierObject() and
output.isReturnValue()
}
}
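Review bot: `StdMapEqualRange.hasTaintFlow` is key-insensitive, sending any taint on the qualifier to the return value whatever key is passed, and the doc comment does not record this even though the same commit marks the `upper_bound("c")` and `equal_range("c").second` tests as `[FALSE POSITIVE]`. Over-approximating is the safer direction for a taint model that feeds security queries, but the comment should state it, e.g. `* Taint on the container flows to the returned iterator(s) regardless of the key argument.` The two name lists in `hasQualifiedName` form a cross product, so the model also names `std::unordered_map::lower_bound` and `upper_bound`, which the standard library does not define; this is harmless but worth a note or a split. The class name mentions only `equal_range` while covering three functions, so a name such as `StdMapRangeLookup` would describe it better.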


@@ -893,28 +893,34 @@
| map.cpp:181:13:181:26 | call to make_pair | map.cpp:181:13:181:36 | call to pair | TAINT |
| map.cpp:181:13:181:36 | call to pair | map.cpp:181:2:181:4 | ref arg m14 | TAINT |
| map.cpp:181:13:181:36 | call to pair | map.cpp:181:6:181:11 | call to insert | TAINT |
| map.cpp:182:7:182:8 | m2 | map.cpp:182:10:182:20 | call to lower_bound | TAINT |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:183:7:183:8 | m2 | |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 | |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 | |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 | |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 | |
| map.cpp:182:7:182:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:183:7:183:8 | m2 | map.cpp:183:10:183:20 | call to upper_bound | TAINT |
| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:184:7:184:8 | m2 | |
| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 | |
| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 | |
| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 | |
| map.cpp:183:7:183:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:184:7:184:8 | m2 | map.cpp:184:10:184:20 | call to equal_range | TAINT |
| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:185:7:185:8 | m2 | |
| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 | |
| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 | |
| map.cpp:184:7:184:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:184:27:184:31 | first | map.cpp:184:7:184:31 | call to iterator | |
| map.cpp:185:7:185:8 | m2 | map.cpp:185:10:185:20 | call to equal_range | TAINT |
| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:186:7:186:8 | m2 | |
| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 | |
| map.cpp:185:7:185:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:185:27:185:32 | second | map.cpp:185:7:185:32 | call to iterator | |
| map.cpp:186:7:186:8 | m2 | map.cpp:186:10:186:20 | call to upper_bound | TAINT |
| map.cpp:186:7:186:8 | ref arg m2 | map.cpp:187:7:187:8 | m2 | |
| map.cpp:186:7:186:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:187:7:187:8 | m2 | map.cpp:187:10:187:20 | call to equal_range | TAINT |
| map.cpp:187:7:187:8 | ref arg m2 | map.cpp:252:1:252:1 | m2 | |
| map.cpp:187:27:187:32 | second | map.cpp:187:7:187:32 | call to iterator | |
| map.cpp:190:27:190:29 | call to map | map.cpp:191:2:191:4 | m15 | |
@@ -1571,13 +1577,16 @@
| map.cpp:333:13:333:26 | call to make_pair | map.cpp:333:13:333:36 | call to pair | TAINT |
| map.cpp:333:13:333:36 | call to pair | map.cpp:333:2:333:4 | ref arg m14 | TAINT |
| map.cpp:333:13:333:36 | call to pair | map.cpp:333:6:333:11 | call to insert | TAINT |
| map.cpp:334:7:334:8 | m2 | map.cpp:334:10:334:20 | call to equal_range | TAINT |
| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:335:7:335:8 | m2 | |
| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 | |
| map.cpp:334:7:334:8 | ref arg m2 | map.cpp:418:1:418:1 | m2 | |
| map.cpp:334:27:334:31 | first | map.cpp:334:7:334:31 | call to iterator | |
| map.cpp:335:7:335:8 | m2 | map.cpp:335:10:335:20 | call to equal_range | TAINT |
| map.cpp:335:7:335:8 | ref arg m2 | map.cpp:336:7:336:8 | m2 | |
| map.cpp:335:7:335:8 | ref arg m2 | map.cpp:418:1:418:1 | m2 | |
| map.cpp:335:27:335:32 | second | map.cpp:335:7:335:32 | call to iterator | |
| map.cpp:336:7:336:8 | m2 | map.cpp:336:10:336:20 | call to equal_range | TAINT |
| map.cpp:336:7:336:8 | ref arg m2 | map.cpp:418:1:418:1 | m2 | |
| map.cpp:336:27:336:32 | second | map.cpp:336:7:336:32 | call to iterator | |
| map.cpp:339:37:339:39 | call to unordered_map | map.cpp:340:2:340:4 | m15 | |


@@ -179,12 +179,12 @@ void test_map()
m14.insert(std::make_pair("b", source()));
m14.insert(std::make_pair("c", source()));
m14.insert(std::make_pair("d", "d"));
sink(m2.lower_bound("b")); // tainted [NOT DETECTED]
sink(m2.upper_bound("b")); // tainted [NOT DETECTED]
sink(m2.equal_range("b").first); // tainted [NOT DETECTED]
sink(m2.equal_range("b").second); // tainted [NOT DETECTED]
sink(m2.upper_bound("c"));
sink(m2.equal_range("c").second);
sink(m2.lower_bound("b")); // tainted
sink(m2.upper_bound("b")); // tainted
sink(m2.equal_range("b").first); // tainted
sink(m2.equal_range("b").second); // tainted
sink(m2.upper_bound("c")); // [FALSE POSITIVE]
sink(m2.equal_range("c").second); // [FALSE POSITIVE]
// swap
std::map<char *, char *> m15, m16, m17, m18;
@@ -331,9 +331,9 @@ void test_unordered_map()
m14.insert(std::make_pair("b", source()));
m14.insert(std::make_pair("c", source()));
m14.insert(std::make_pair("d", "d"));
sink(m2.equal_range("b").first); // tainted [NOT DETECTED]
sink(m2.equal_range("b").second); // tainted [NOT DETECTED]
sink(m2.equal_range("c").second);
sink(m2.equal_range("b").first); // tainted
sink(m2.equal_range("b").second); // tainted
sink(m2.equal_range("c").second); // [FALSE POSITIVE]
// swap
std::unordered_map<char *, char *> m15, m16, m17, m18;
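Review bot: The new `// tainted` comments on the `equal_range(...).first` and `.second` sinks read as detected by both analyses, but the comparison table on this page lists those sinks (map.cpp 184, 185, 187 and 334-336) as `IR only`. The AST-based taint tracking therefore appears to still miss them, and the `[FALSE POSITIVE]` on `equal_range("c").second` appears to apply to the IR results only. If this test file's annotations are meant to distinguish the two libraries, the comments should say which one detects each sink, e.g. `// tainted [NOT DETECTED by AST]` (wording to match whatever convention the file already uses). A short note beside the `[FALSE POSITIVE]` lines that the model ignores the key argument would also explain why they are expected. Both `test_map` and `test_unordered_map` continue outside the hunks shown.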


@@ -74,6 +74,9 @@
| map.cpp:170:7:170:30 | ... = ... | map.cpp:170:23:170:28 | call to source |
| map.cpp:172:10:172:10 | call to operator[] | map.cpp:168:20:168:25 | call to source |
| map.cpp:174:10:174:10 | call to operator[] | map.cpp:170:23:170:28 | call to source |
| map.cpp:182:10:182:20 | call to lower_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:183:10:183:20 | call to upper_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:186:10:186:20 | call to upper_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:193:7:193:9 | call to map | map.cpp:191:49:191:54 | call to source |
| map.cpp:196:7:196:9 | call to map | map.cpp:192:49:192:54 | call to source |
| map.cpp:199:7:199:9 | call to map | map.cpp:191:49:191:54 | call to source |


@@ -49,6 +49,9 @@
| map.cpp:162:12:162:17 | map.cpp:108:39:108:44 | IR only |
| map.cpp:172:10:172:10 | map.cpp:168:20:168:25 | AST only |
| map.cpp:174:10:174:10 | map.cpp:170:23:170:28 | AST only |
| map.cpp:184:7:184:31 | map.cpp:108:39:108:44 | IR only |
| map.cpp:185:7:185:32 | map.cpp:108:39:108:44 | IR only |
| map.cpp:187:7:187:32 | map.cpp:108:39:108:44 | IR only |
| map.cpp:193:7:193:9 | map.cpp:191:49:191:54 | AST only |
| map.cpp:196:7:196:9 | map.cpp:192:49:192:54 | AST only |
| map.cpp:199:7:199:9 | map.cpp:191:49:191:54 | AST only |
@@ -94,6 +97,9 @@
| map.cpp:314:12:314:17 | map.cpp:260:39:260:44 | IR only |
| map.cpp:324:10:324:10 | map.cpp:320:20:320:25 | AST only |
| map.cpp:326:10:326:10 | map.cpp:322:23:322:28 | AST only |
| map.cpp:334:7:334:31 | map.cpp:260:39:260:44 | IR only |
| map.cpp:335:7:335:32 | map.cpp:260:39:260:44 | IR only |
| map.cpp:336:7:336:32 | map.cpp:260:39:260:44 | IR only |
| map.cpp:342:7:342:9 | map.cpp:340:49:340:54 | AST only |
| map.cpp:345:7:345:9 | map.cpp:341:49:341:54 | AST only |
| map.cpp:348:7:348:9 | map.cpp:340:49:340:54 | AST only |


@@ -85,6 +85,12 @@
| map.cpp:162:12:162:17 | second | map.cpp:108:39:108:44 | call to source |
| map.cpp:168:7:168:27 | ... = ... | map.cpp:168:20:168:25 | call to source |
| map.cpp:170:7:170:30 | ... = ... | map.cpp:170:23:170:28 | call to source |
| map.cpp:182:10:182:20 | call to lower_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:183:10:183:20 | call to upper_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:184:7:184:31 | call to iterator | map.cpp:108:39:108:44 | call to source |
| map.cpp:185:7:185:32 | call to iterator | map.cpp:108:39:108:44 | call to source |
| map.cpp:186:10:186:20 | call to upper_bound | map.cpp:108:39:108:44 | call to source |
| map.cpp:187:7:187:32 | call to iterator | map.cpp:108:39:108:44 | call to source |
| map.cpp:226:11:226:15 | call to erase | map.cpp:223:49:223:54 | call to source |
| map.cpp:226:11:226:15 | call to erase | map.cpp:224:49:224:54 | call to source |
| map.cpp:235:7:235:40 | call to iterator | map.cpp:235:26:235:31 | call to source |
@@ -107,6 +113,9 @@
| map.cpp:314:12:314:17 | second | map.cpp:260:39:260:44 | call to source |
| map.cpp:320:7:320:27 | ... = ... | map.cpp:320:20:320:25 | call to source |
| map.cpp:322:7:322:30 | ... = ... | map.cpp:322:23:322:28 | call to source |
| map.cpp:334:7:334:31 | call to iterator | map.cpp:260:39:260:44 | call to source |
| map.cpp:335:7:335:32 | call to iterator | map.cpp:260:39:260:44 | call to source |
| map.cpp:336:7:336:32 | call to iterator | map.cpp:260:39:260:44 | call to source |
| map.cpp:375:11:375:15 | call to erase | map.cpp:372:49:372:54 | call to source |
| map.cpp:375:11:375:15 | call to erase | map.cpp:373:49:373:54 | call to source |
| map.cpp:384:7:384:40 | call to iterator | map.cpp:384:26:384:31 | call to source |