C++: Fix map::merge.

2026-05-01 11:45:14 +02:00 · 2020-10-09 14:46:17 +01:00
parent 1f1be3bf9a
commit 61a78e28ac
5 changed files with 2 additions and 13 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -119,9 +119,6 @@ class StdMapMerge extends TaintFunction {

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // container1.merge(container2)
-    input.isQualifierObject() and
-    output.isParameterDeref(0)
-    or
    input.isParameterDeref(0) and
    output.isQualifierObject()
  }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1033,13 +1033,11 @@
 | map.cpp:211:7:211:9 | m20 | map.cpp:211:7:211:9 | call to map |  |
 | map.cpp:212:7:212:9 | m21 | map.cpp:212:7:212:9 | call to map |  |
 | map.cpp:213:7:213:9 | m22 | map.cpp:213:7:213:9 | call to map |  |
-| map.cpp:214:2:214:4 | m19 | map.cpp:214:12:214:14 | ref arg m20 | TAINT |
 | map.cpp:214:2:214:4 | ref arg m19 | map.cpp:216:7:216:9 | m19 |  |
 | map.cpp:214:2:214:4 | ref arg m19 | map.cpp:252:1:252:1 | m19 |  |
 | map.cpp:214:12:214:14 | m20 | map.cpp:214:2:214:4 | ref arg m19 | TAINT |
 | map.cpp:214:12:214:14 | ref arg m20 | map.cpp:217:7:217:9 | m20 |  |
 | map.cpp:214:12:214:14 | ref arg m20 | map.cpp:252:1:252:1 | m20 |  |
-| map.cpp:215:2:215:4 | m21 | map.cpp:215:12:215:14 | ref arg m22 | TAINT |
 | map.cpp:215:2:215:4 | ref arg m21 | map.cpp:218:7:218:9 | m21 |  |
 | map.cpp:215:2:215:4 | ref arg m21 | map.cpp:252:1:252:1 | m21 |  |
 | map.cpp:215:12:215:14 | m22 | map.cpp:215:2:215:4 | ref arg m21 | TAINT |
@@ -1679,13 +1677,11 @@
 | map.cpp:360:7:360:9 | m20 | map.cpp:360:7:360:9 | call to unordered_map |  |
 | map.cpp:361:7:361:9 | m21 | map.cpp:361:7:361:9 | call to unordered_map |  |
 | map.cpp:362:7:362:9 | m22 | map.cpp:362:7:362:9 | call to unordered_map |  |
-| map.cpp:363:2:363:4 | m19 | map.cpp:363:12:363:14 | ref arg m20 | TAINT |
 | map.cpp:363:2:363:4 | ref arg m19 | map.cpp:365:7:365:9 | m19 |  |
 | map.cpp:363:2:363:4 | ref arg m19 | map.cpp:422:1:422:1 | m19 |  |
 | map.cpp:363:12:363:14 | m20 | map.cpp:363:2:363:4 | ref arg m19 | TAINT |
 | map.cpp:363:12:363:14 | ref arg m20 | map.cpp:366:7:366:9 | m20 |  |
 | map.cpp:363:12:363:14 | ref arg m20 | map.cpp:422:1:422:1 | m20 |  |
-| map.cpp:364:2:364:4 | m21 | map.cpp:364:12:364:14 | ref arg m22 | TAINT |
 | map.cpp:364:2:364:4 | ref arg m21 | map.cpp:367:7:367:9 | m21 |  |
 | map.cpp:364:2:364:4 | ref arg m21 | map.cpp:422:1:422:1 | m21 |  |
 | map.cpp:364:12:364:14 | m22 | map.cpp:364:2:364:4 | ref arg m21 | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -214,7 +214,7 @@ void test_map()
 	m19.merge(m20);
 	m21.merge(m22);
 	sink(m19); // tainted
-	sink(m20); // tainted
+	sink(m20);
 	sink(m21); // tainted
 	sink(m22); // tainted

@@ -363,7 +363,7 @@ void test_unordered_map()
 	m19.merge(m20);
 	m21.merge(m22);
 	sink(m19); // tainted
-	sink(m20); // tainted
+	sink(m20);
 	sink(m21); // tainted
 	sink(m22); // tainted

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -86,7 +86,6 @@
 | map.cpp:210:7:210:9 | call to map | map.cpp:206:49:206:54 | call to source |
 | map.cpp:213:7:213:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:216:7:216:9 | call to map | map.cpp:206:49:206:54 | call to source |
-| map.cpp:217:7:217:9 | call to map | map.cpp:206:49:206:54 | call to source |
 | map.cpp:218:7:218:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:219:7:219:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:225:7:225:9 | call to map | map.cpp:223:49:223:54 | call to source |
@@ -137,7 +136,6 @@
 | map.cpp:359:7:359:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
 | map.cpp:362:7:362:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:365:7:365:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
-| map.cpp:366:7:366:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
 | map.cpp:367:7:367:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:368:7:368:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:374:7:374:9 | call to unordered_map | map.cpp:372:49:372:54 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -61,7 +61,6 @@
 | map.cpp:210:7:210:9 | map.cpp:206:49:206:54 | AST only |
 | map.cpp:213:7:213:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:216:7:216:9 | map.cpp:206:49:206:54 | AST only |
-| map.cpp:217:7:217:9 | map.cpp:206:49:206:54 | AST only |
 | map.cpp:218:7:218:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:219:7:219:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:225:7:225:9 | map.cpp:223:49:223:54 | AST only |
@@ -109,7 +108,6 @@
 | map.cpp:359:7:359:9 | map.cpp:355:49:355:54 | AST only |
 | map.cpp:362:7:362:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:365:7:365:9 | map.cpp:355:49:355:54 | AST only |
-| map.cpp:366:7:366:9 | map.cpp:355:49:355:54 | AST only |
 | map.cpp:367:7:367:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:368:7:368:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:374:7:374:9 | map.cpp:372:49:372:54 | AST only |