C++: Add a taint model for std::{shared, unique}_ptr<T>::get

2026-04-30 19:26:02 +02:00 · 2020-09-09 12:22:29 +02:00
parent 417424ab75
commit 8226515138
4 changed files with 41 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -44,3 +44,18 @@ class UniqueOrSharedDereferenceMemberOperator extends MemberFunction, TaintFunct
    output.isReturnValueDeref()
  }
 }
+
+/**
+ * The `std::shared_ptr` or `std::unique_ptr` function `get`.
+ */
+class UniqueOrSharedGet extends TaintFunction {
+  UniqueOrSharedGet() {
+    this.hasName("get") and
+    this.getDeclaringType() instanceof UniqueOrSharedPtr
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -45,4 +45,24 @@ void test_reverse_taint_unique() {
    *p = source();
    sink(p); // tainted [NOT DETECTED]
    sink(*p); // tainted [NOT DETECTED]
+}
+
+void test_shared_get() {
+    std::shared_ptr<int> p = std::make_shared<int>(source());
+    sink(p.get()); // tainted
+}
+
+void test_unique_get() {
+    std::unique_ptr<int> p = std::make_unique<int>(source());
+    sink(p.get()); // tainted
+}
+
+struct A {
+    int x, y;
+};
+
+void test_shared_field_member() {
+    std::unique_ptr<A> p = std::make_unique<A>(source(), 0);
+    sink(p->x); // tainted [NOT DETECTED]
+    sink(p->y); // not tainted
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -241,6 +241,8 @@ namespace std {

 		T& operator*() const noexcept;
 		T* operator->() const noexcept;
+
+		T* get() const noexcept;
 	};

 	template<typename T>
@@ -254,6 +256,8 @@ namespace std {

 		T& operator*() const;
 		T* operator->() const noexcept;
+
+		T* get() const noexcept;
 	};

 	template<typename T, class... Args> unique_ptr<T> make_unique(Args&&...);
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -41,6 +41,8 @@
 | smart_pointer.cpp:13:10:13:10 | p | smart_pointer.cpp:11:52:11:57 | call to source |
 | smart_pointer.cpp:24:10:24:10 | call to operator* | smart_pointer.cpp:23:52:23:57 | call to source |
 | smart_pointer.cpp:25:10:25:10 | p | smart_pointer.cpp:23:52:23:57 | call to source |
+| smart_pointer.cpp:52:12:52:14 | call to get | smart_pointer.cpp:51:52:51:57 | call to source |
+| smart_pointer.cpp:57:12:57:14 | call to get | smart_pointer.cpp:56:52:56:57 | call to source |
 | standalone_iterators.cpp:40:10:40:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:41:10:41:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:42:10:42:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |