C++: Support further reverse taint flows on things that return *this.

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -164,6 +164,11 @@ class StdStringAppend extends TaintFunction {
       output.isQualifierObject() or
       output.isReturnValueDeref()
     )
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // the result)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
   }
 }
 
@@ -199,6 +204,11 @@ class StdStringAssign extends TaintFunction {
       output.isQualifierObject() or
       output.isReturnValueDeref()
     )
+    or
+    // reverse flow from returned reference to the qualifier (for writes to
+    // the result)
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
   }
 }
 

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -1295,6 +1295,7 @@
 | string.cpp:530:10:530:10 | e | string.cpp:530:12:530:12 | call to operator+= | TAINT |
 | string.cpp:530:10:530:10 | ref arg e | string.cpp:536:8:536:8 | e |  |
 | string.cpp:530:12:530:12 | call to operator+= | string.cpp:530:21:530:21 | call to operator+= | TAINT |
+| string.cpp:530:12:530:12 | ref arg call to operator+= | string.cpp:530:10:530:10 | ref arg e | TAINT |
 | string.cpp:530:15:530:18 | ee | string.cpp:530:10:530:10 | ref arg e | TAINT |
 | string.cpp:530:15:530:18 | ee | string.cpp:530:12:530:12 | call to operator+= | TAINT |
 | string.cpp:530:24:530:29 | call to source | string.cpp:530:12:530:12 | ref arg call to operator+= | TAINT |
@@ -1302,6 +1303,7 @@
 | string.cpp:531:10:531:10 | f | string.cpp:531:12:531:12 | call to operator+= | TAINT |
 | string.cpp:531:10:531:10 | ref arg f | string.cpp:537:8:537:8 | f |  |
 | string.cpp:531:12:531:12 | call to operator+= | string.cpp:531:25:531:25 | call to operator+= | TAINT |
+| string.cpp:531:12:531:12 | ref arg call to operator+= | string.cpp:531:10:531:10 | ref arg f | TAINT |
 | string.cpp:531:15:531:20 | call to source | string.cpp:531:10:531:10 | ref arg f | TAINT |
 | string.cpp:531:15:531:20 | call to source | string.cpp:531:12:531:12 | call to operator+= | TAINT |
 | string.cpp:531:28:531:31 | ff | string.cpp:531:12:531:12 | ref arg call to operator+= | TAINT |
@@ -1339,6 +1341,7 @@
 | string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:18:549:18 | ref arg d | TAINT |
 | string.cpp:549:27:549:34 | call to basic_string | string.cpp:549:20:549:25 | call to assign | TAINT |
 | string.cpp:550:9:550:9 | ref arg e | string.cpp:556:8:556:8 | e |  |
+| string.cpp:550:11:550:16 | ref arg call to assign | string.cpp:550:9:550:9 | ref arg e | TAINT |
 | string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:9:550:9 | ref arg e | TAINT |
 | string.cpp:550:18:550:21 | call to basic_string | string.cpp:550:11:550:16 | call to assign | TAINT |
 | string.cpp:550:18:550:21 | ee | string.cpp:550:18:550:21 | call to basic_string | TAINT |
@@ -1346,6 +1349,7 @@
 | string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:11:550:16 | ref arg call to assign | TAINT |
 | string.cpp:550:31:550:38 | call to basic_string | string.cpp:550:24:550:29 | call to assign | TAINT |
 | string.cpp:551:9:551:9 | ref arg f | string.cpp:557:8:557:8 | f |  |
+| string.cpp:551:11:551:16 | ref arg call to assign | string.cpp:551:9:551:9 | ref arg f | TAINT |
 | string.cpp:551:18:551:23 | call to source | string.cpp:551:18:551:25 | call to basic_string | TAINT |
 | string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:9:551:9 | ref arg f | TAINT |
 | string.cpp:551:18:551:25 | call to basic_string | string.cpp:551:11:551:16 | call to assign | TAINT |

cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp

@@ -533,7 +533,7 @@ void test_string_return_assign() {
 		sink(b);
 		sink(c); // tainted
 		sink(d); // tainted
-		sink(e); // tainted [NOT DETECTED]
+		sink(e); // tainted
 		sink(f); // tainted
 	}
 
@@ -553,7 +553,7 @@ void test_string_return_assign() {
 		sink(b);
 		sink(c); // tainted
 		sink(d); // tainted
-		sink(e); // tainted [NOT DETECTED]
+		sink(e); // tainted
 		sink(f); // [FALSE POSITIVE]
 	}
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -148,11 +148,13 @@
 | string.cpp:531:25:531:25 | call to operator+= | string.cpp:531:15:531:20 | call to source |
 | string.cpp:534:8:534:8 | c | string.cpp:529:20:529:25 | call to source |
 | string.cpp:535:8:535:8 | d | string.cpp:529:20:529:25 | call to source |
+| string.cpp:536:8:536:8 | e | string.cpp:530:24:530:29 | call to source |
 | string.cpp:537:8:537:8 | f | string.cpp:531:15:531:20 | call to source |
 | string.cpp:549:11:549:16 | call to assign | string.cpp:549:27:549:32 | call to source |
 | string.cpp:550:24:550:29 | call to assign | string.cpp:550:31:550:36 | call to source |
 | string.cpp:554:8:554:8 | c | string.cpp:549:27:549:32 | call to source |
 | string.cpp:555:8:555:8 | d | string.cpp:549:27:549:32 | call to source |
+| string.cpp:556:8:556:8 | e | string.cpp:550:31:550:36 | call to source |
 | string.cpp:557:8:557:8 | f | string.cpp:551:18:551:23 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -158,11 +158,13 @@
 | string.cpp:531:25:531:25 | string.cpp:531:15:531:20 | AST only |
 | string.cpp:534:8:534:8 | string.cpp:529:20:529:25 | AST only |
 | string.cpp:535:8:535:8 | string.cpp:529:20:529:25 | AST only |
+| string.cpp:536:8:536:8 | string.cpp:530:24:530:29 | AST only |
 | string.cpp:537:8:537:8 | string.cpp:531:15:531:20 | AST only |
 | string.cpp:549:11:549:16 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:550:24:550:29 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:554:8:554:8 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:555:8:555:8 | string.cpp:549:27:549:32 | AST only |
+| string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:557:8:557:8 | string.cpp:551:18:551:23 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |