C++: Implement Field indirection.

2025-12-21 11:16:30 +01:00 · 2024-03-19 16:48:27 +00:00
parent 393bd7277c
commit 73e95d67b9
4 changed files with 19 additions and 3 deletions
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll
@@ -39,7 +39,7 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
  string encodeContent(ContentSet cs, string arg) {
    exists(FieldContent c |
      cs.isSingleton(c) and
-      result = "Field" and
+      result = indirectionString(c.getIndirectionIndex()) + "Field" and
      arg = c.getField().getName()
    )
  }
@@ -81,6 +81,15 @@ module Input implements InputSig<DataFlowImplSpecific::CppDataFlow> {
      )
    )
  }
  bindingset[token]
  ContentSet decodeUnknownContent(AccessPath::AccessPathTokenBase token) {
    // field content (with indirection support).
    exists(FieldContent c |
      result.isSingleton(c) and
      token = indirectionString(c.getIndirectionIndex()) + c.getField().getName()
    )
  }
 }
 private import Make<DataFlowImplSpecific::CppDataFlow, Input> as Impl
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -16,6 +16,12 @@
 | tests.cpp:136:6:136:34 | [summary param] 0 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
 | tests.cpp:136:6:136:34 | [summary param] 1 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
 | tests.cpp:136:6:136:34 | [summary] to write: Argument[1 indirection] in madArg0IndirectToArg1Indirect | PostUpdateNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
 | tests.cpp:140:5:140:32 | [summary param] 0 in madArg0FieldIndirectToReturn | ParameterNode | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
 | tests.cpp:140:5:140:32 | [summary] read: Argument[0].*Field[value] in madArg0FieldIndirectToReturn |  | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
 | tests.cpp:140:5:140:32 | [summary] to write: ReturnValue in madArg0FieldIndirectToReturn | ReturnNode | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
 | tests.cpp:143:13:143:40 | [summary param] 0 in madArg0ToReturnFieldIndirect | ParameterNode | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
 | tests.cpp:143:13:143:40 | [summary] to write: ReturnValue in madArg0ToReturnFieldIndirect | ReturnNode | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
 | tests.cpp:143:13:143:40 | [summary] to write: ReturnValue.*Field[ptr] in madArg0ToReturnFieldIndirect |  | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
 | tests.cpp:227:7:227:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
 | tests.cpp:227:7:227:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
 | tests.cpp:227:7:227:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
@@ -83,6 +83,7 @@ private class TestSummaries extends SummaryModelCsv {
        ";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.value;taint",
        ";;false;madArg0ToReturnIndirectField;;;Argument[0];*ReturnValue.value;taint",
        ";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.*ptr;taint",
        ";;false;madArg0ToReturnFieldNotIndirect;;;Argument[0];ReturnValue.*ptr;taint",
        ";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
        ";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
        ";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -185,7 +185,7 @@ void test_summaries() {
 	mc2.ptr = &e;
 	sink(madArg0FieldToReturn(mc2)); // $ MISSING: ir
 	sink(madArg0IndirectFieldToReturn(&mc2)); // $ MISSING: ir
-	sink(madArg0FieldIndirectToReturn(mc2)); // $ MISSING: ir
+	sink(madArg0FieldIndirectToReturn(mc2)); // $ ir
 	sink(madArg0ToReturnField(0).value);
 	sink(madArg0ToReturnField(source()).value); // $ MISSING: ir
@@ -195,7 +195,7 @@ void test_summaries() {
 	MyContainer rtn2 = madArg0ToReturnFieldIndirect(source());
 	int *rtn2_ptr = rtn2.ptr;
-	sink(*rtn2_ptr); // $ MISSING: ir
+	sink(*rtn2_ptr); // $ ir
 	// test source + sinks + summaries together