C++: Model std::set::lower_bound, upper_bound, equal_range.

2025-12-16 16:53:25 +01:00 · 2020-10-12 10:10:40 +01:00
parent fc19bba0bd
commit 5d87117dc7
6 changed files with 41 additions and 6 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdSet.qll
@@ -103,3 +103,20 @@ class StdSetErase extends TaintFunction {
    output.isReturnValue()
  }
 }
+
+/**
+ * The standard set `lower_bound`, `upper_bound` and `equal_range` functions.
+ */
+class StdSetEqualRange extends TaintFunction {
+  StdSetEqualRange() {
+    this
+        .hasQualifiedName("std", ["set", "unordered_set"],
+          ["lower_bound", "upper_bound", "equal_range"])
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2114,13 +2114,17 @@
 | set.cpp:69:7:69:9 | ref arg s11 | set.cpp:71:7:71:9 | s11 |  |
 | set.cpp:69:7:69:9 | ref arg s11 | set.cpp:72:7:72:9 | s11 |  |
 | set.cpp:69:7:69:9 | ref arg s11 | set.cpp:126:1:126:1 | s11 |  |
+| set.cpp:69:7:69:9 | s11 | set.cpp:69:11:69:21 | call to lower_bound | TAINT |
 | set.cpp:70:7:70:9 | ref arg s11 | set.cpp:71:7:71:9 | s11 |  |
 | set.cpp:70:7:70:9 | ref arg s11 | set.cpp:72:7:72:9 | s11 |  |
 | set.cpp:70:7:70:9 | ref arg s11 | set.cpp:126:1:126:1 | s11 |  |
+| set.cpp:70:7:70:9 | s11 | set.cpp:70:11:70:21 | call to upper_bound | TAINT |
 | set.cpp:71:7:71:9 | ref arg s11 | set.cpp:72:7:72:9 | s11 |  |
 | set.cpp:71:7:71:9 | ref arg s11 | set.cpp:126:1:126:1 | s11 |  |
+| set.cpp:71:7:71:9 | s11 | set.cpp:71:11:71:21 | call to equal_range | TAINT |
 | set.cpp:71:28:71:32 | first | set.cpp:71:7:71:32 | call to iterator |  |
 | set.cpp:72:7:72:9 | ref arg s11 | set.cpp:126:1:126:1 | s11 |  |
+| set.cpp:72:7:72:9 | s11 | set.cpp:72:11:72:21 | call to equal_range | TAINT |
 | set.cpp:72:28:72:33 | second | set.cpp:72:7:72:33 | call to iterator |  |
 | set.cpp:75:19:75:21 | call to set | set.cpp:76:2:76:4 | s12 |  |
 | set.cpp:75:19:75:21 | call to set | set.cpp:78:7:78:9 | s12 |  |
@@ -2582,8 +2586,10 @@
 | set.cpp:182:13:182:15 | c | set.cpp:182:6:182:11 | call to insert | TAINT |
 | set.cpp:183:7:183:9 | ref arg s11 | set.cpp:184:7:184:9 | s11 |  |
 | set.cpp:183:7:183:9 | ref arg s11 | set.cpp:238:1:238:1 | s11 |  |
+| set.cpp:183:7:183:9 | s11 | set.cpp:183:11:183:21 | call to equal_range | TAINT |
 | set.cpp:183:28:183:32 | first | set.cpp:183:7:183:32 | call to iterator |  |
 | set.cpp:184:7:184:9 | ref arg s11 | set.cpp:238:1:238:1 | s11 |  |
+| set.cpp:184:7:184:9 | s11 | set.cpp:184:11:184:21 | call to equal_range | TAINT |
 | set.cpp:184:28:184:33 | second | set.cpp:184:7:184:33 | call to iterator |  |
 | set.cpp:187:29:187:31 | call to unordered_set | set.cpp:188:2:188:4 | s12 |  |
 | set.cpp:187:29:187:31 | call to unordered_set | set.cpp:190:7:190:9 | s12 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/set.cpp
@@ -66,10 +66,10 @@ void test_set()
 	s11.insert("a");
 	s11.insert(source());
 	s11.insert("c");
-	sink(s11.lower_bound("b")); // tainted [NOT DETECTED]
-	sink(s11.upper_bound("b")); // tainted [NOT DETECTED]
-	sink(s11.equal_range("b").first); // tainted [NOT DETECTED]
-	sink(s11.equal_range("b").second); // tainted [NOT DETECTED]
+	sink(s11.lower_bound("b")); // tainted
+	sink(s11.upper_bound("b")); // tainted
+	sink(s11.equal_range("b").first); // tainted
+	sink(s11.equal_range("b").second); // tainted

 	// swap
 	std::set<char *> s12, s13, s14, s15;
@@ -180,8 +180,8 @@ void test_unordered_set()
 	s11.insert("a");
 	s11.insert(source());
 	s11.insert("c");
-	sink(s11.equal_range("b").first); // tainted [NOT DETECTED]
-	sink(s11.equal_range("b").second); // tainted [NOT DETECTED]
+	sink(s11.equal_range("b").first); // tainted
+	sink(s11.equal_range("b").second); // tainted

 	// swap
 	std::unordered_set<char *> s12, s13, s14, s15;
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -158,6 +158,8 @@
 | set.cpp:50:10:50:13 | call to find | set.cpp:20:17:20:22 | call to source |
 | set.cpp:51:11:51:14 | call to find | set.cpp:20:17:20:22 | call to source |
 | set.cpp:61:8:61:8 | call to operator* | set.cpp:20:17:20:22 | call to source |
+| set.cpp:69:11:69:21 | call to lower_bound | set.cpp:67:13:67:18 | call to source |
+| set.cpp:70:11:70:21 | call to upper_bound | set.cpp:67:13:67:18 | call to source |
 | set.cpp:78:7:78:9 | call to set | set.cpp:76:13:76:18 | call to source |
 | set.cpp:81:7:81:9 | call to set | set.cpp:77:13:77:18 | call to source |
 | set.cpp:84:7:84:9 | call to set | set.cpp:76:13:76:18 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -115,6 +115,8 @@
 | set.cpp:48:10:48:13 | set.cpp:20:17:20:22 | AST only |
 | set.cpp:49:10:49:13 | set.cpp:20:17:20:22 | AST only |
 | set.cpp:61:8:61:11 | set.cpp:20:17:20:22 | IR only |
+| set.cpp:71:7:71:32 | set.cpp:67:13:67:18 | IR only |
+| set.cpp:72:7:72:33 | set.cpp:67:13:67:18 | IR only |
 | set.cpp:78:7:78:9 | set.cpp:76:13:76:18 | AST only |
 | set.cpp:81:7:81:9 | set.cpp:77:13:77:18 | AST only |
 | set.cpp:84:7:84:9 | set.cpp:76:13:76:18 | AST only |
@@ -143,6 +145,8 @@
 | set.cpp:162:10:162:13 | set.cpp:134:17:134:22 | AST only |
 | set.cpp:163:10:163:13 | set.cpp:134:17:134:22 | AST only |
 | set.cpp:175:8:175:11 | set.cpp:134:17:134:22 | IR only |
+| set.cpp:183:7:183:32 | set.cpp:181:13:181:18 | IR only |
+| set.cpp:184:7:184:33 | set.cpp:181:13:181:18 | IR only |
 | set.cpp:190:7:190:9 | set.cpp:188:13:188:18 | AST only |
 | set.cpp:193:7:193:9 | set.cpp:189:13:189:18 | AST only |
 | set.cpp:196:7:196:9 | set.cpp:188:13:188:18 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -121,6 +121,10 @@
 | set.cpp:51:11:51:14 | call to find | set.cpp:20:17:20:22 | call to source |
 | set.cpp:61:8:61:8 | call to operator* | set.cpp:20:17:20:22 | call to source |
 | set.cpp:61:8:61:11 | (reference dereference) | set.cpp:20:17:20:22 | call to source |
+| set.cpp:69:11:69:21 | call to lower_bound | set.cpp:67:13:67:18 | call to source |
+| set.cpp:70:11:70:21 | call to upper_bound | set.cpp:67:13:67:18 | call to source |
+| set.cpp:71:7:71:32 | call to iterator | set.cpp:67:13:67:18 | call to source |
+| set.cpp:72:7:72:33 | call to iterator | set.cpp:67:13:67:18 | call to source |
 | set.cpp:111:11:111:15 | call to erase | set.cpp:108:13:108:18 | call to source |
 | set.cpp:111:11:111:15 | call to erase | set.cpp:109:13:109:18 | call to source |
 | set.cpp:134:7:134:31 | call to iterator | set.cpp:134:17:134:22 | call to source |
@@ -132,6 +136,8 @@
 | set.cpp:165:11:165:14 | call to find | set.cpp:134:17:134:22 | call to source |
 | set.cpp:175:8:175:8 | call to operator* | set.cpp:134:17:134:22 | call to source |
 | set.cpp:175:8:175:11 | (reference dereference) | set.cpp:134:17:134:22 | call to source |
+| set.cpp:183:7:183:32 | call to iterator | set.cpp:181:13:181:18 | call to source |
+| set.cpp:184:7:184:33 | call to iterator | set.cpp:181:13:181:18 | call to source |
 | set.cpp:223:11:223:15 | call to erase | set.cpp:220:13:220:18 | call to source |
 | set.cpp:223:11:223:15 | call to erase | set.cpp:221:13:221:18 | call to source |
 | smart_pointer.cpp:13:10:13:10 | Argument 0 indirection | smart_pointer.cpp:11:52:11:57 | call to source |