C++: add model for iter-returning functions

2026-04-29 10:45:15 +02:00 · 2020-10-13 15:38:46 -07:00
parent 4b6ecfb0b1
commit 6552499545
3 changed files with 41 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -801,9 +801,25 @@ module FlowVar_internal {
  }

  Expr getAnIteratorAccess(Variable collection) {
-    exists(Call c, SsaDefinition def, Variable iterator |
-      c.getQualifier() = collection.getAnAccess() and
-      c.getTarget() instanceof BeginOrEndFunction and
+    exists(
+      Call c, SsaDefinition def, Variable iterator, FunctionInput input, FunctionOutput output
+    |
+      c.getTarget().(GetIteratorFunction).getsIterator(input, output) and
+      (
+        (
+          input.isQualifierObject() or
+          input.isQualifierAddress()
+        ) and
+        c.getQualifier() = collection.getAnAccess()
+        or
+        exists(int index |
+          input.isParameter(index) or
+          input.isParameterDeref(index)
+        |
+          c.getArgument(index) = collection.getAnAccess()
+        )
+      ) and
+      output.isReturnValue() and
      def.getAnUltimateDefiningValue(iterator) = c and
      result = def.getAUse(iterator)
    )
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -278,7 +278,7 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction, Iterato
 * A `begin` or `end` member function, or a related member function, that
 * returns an iterator.
 */
-class BeginOrEndFunction extends MemberFunction, TaintFunction {
+class BeginOrEndFunction extends MemberFunction, TaintFunction, GetIteratorFunction {
  BeginOrEndFunction() {
    this
        .hasName(["begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend",
@@ -290,4 +290,21 @@ class BeginOrEndFunction extends MemberFunction, TaintFunction {
    input.isQualifierObject() and
    output.isReturnValue()
  }
+
+  override predicate getsIterator(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
+
+class InserterIteratorFunction extends GetIteratorFunction {
+  InserterIteratorFunction() {
+    this.hasName(["front_inserter", "inserter", "back_inserter"]) and
+    this.getNamespace().hasName("std")
+  }
+
+  override predicate getsIterator(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Iterator.qll
@@ -15,3 +15,7 @@ import semmle.code.cpp.models.Models
 * can be used to write to the iterator's underlying collection.
 */
 abstract class IteratorReferenceFunction extends Function { }
+
+abstract class GetIteratorFunction extends Function {
+  abstract predicate getsIterator(FunctionInput input, FunctionOutput output);
+}