C++: Add flow through assignment operators.

Geoffrey White
2020-06-16 17:14:09 +01:00
parent b9a65581ce
commit 833f5b0cf3
6 changed files with 60 additions and 8 deletions


@@ -467,7 +467,7 @@ class ConversionOperator extends MemberFunction, ImplicitConversionFunction {
* takes exactly one parameter of type `T`, `T&`, `const T&`, `volatile
* T&`, or `const volatile T&`.
*/
class CopyAssignmentOperator extends Operator {
class CopyAssignmentOperator extends Operator,TaintFunction {
CopyAssignmentOperator() {
hasName("operator=") and
(
@@ -482,6 +482,17 @@ class CopyAssignmentOperator extends Operator {
}
override string getCanonicalQLClass() { result = "CopyAssignmentOperator" }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// taint flow from argument to self
input.isParameterDeref(0) and
output.isQualifierObject()
or
// taint flow from argument to return value
input.isParameterDeref(0) and
output.isReturnValueDeref()
// TODO: it would be more accurate to model copy assignment as data flow
}
}
/**
@@ -499,7 +510,7 @@ class CopyAssignmentOperator extends Operator {
* takes exactly one parameter of type `T&&`, `const T&&`, `volatile T&&`,
* or `const volatile T&&`.
*/
class MoveAssignmentOperator extends Operator {
class MoveAssignmentOperator extends Operator, TaintFunction {
MoveAssignmentOperator() {
hasName("operator=") and
hasMoveSignature(this) and
@@ -508,4 +519,15 @@ class MoveAssignmentOperator extends Operator {
}
override string getCanonicalQLClass() { result = "MoveAssignmentOperator" }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// taint flow from argument to self
input.isParameterDeref(0) and
output.isQualifierObject()
or
// taint flow from argument to return value
input.isParameterDeref(0) and
output.isReturnValueDeref()
// TODO: it would be more accurate to model move assignment as data flow
}
}
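Review bot: The new `hasTaintFlow` in `CopyAssignmentOperator` matches only `input.isParameterDeref(0)`, yet the class doc just above admits a by-value parameter of type `T` (the copy-and-swap form `T& operator=(T other)`), so if `isParameterDeref` holds only for pointer and reference parameters, that common form gets no taint flow at all; consider `(input.isParameter(0) or input.isParameterDeref(0)) and (output.isQualifierObject() or output.isReturnValueDeref())`, which also collapses the two duplicated disjuncts. The same body is repeated verbatim in `MoveAssignmentOperator`; its parameter is always an rvalue reference per its doc, so the deref form suffices there, but folding the disjuncts the same way keeps the two predicates in step. On the `CopyAssignmentOperator` class line, `extends Operator,TaintFunction` lacks the space after the comma that the `MoveAssignmentOperator` declaration has. Both class bodies begin before their hunks, so the constructors are only partially visible here.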


@@ -39,7 +39,7 @@ void test_copyableclass()
sink(s1); // tainted
sink(s2); // tainted
sink(s3); // tainted
sink(s4); // tainted [NOT DETECTED]
sink(s4); // tainted
}
{
@@ -62,7 +62,7 @@ void test_copyableclass()
s2 = MyCopyableClass(source());
sink(s1); // tainted
sink(s2); // tainted [NOT DETECTED]
sink(s3 = source()); // tainted [NOT DETECTED]
sink(s2); // tainted
sink(s3 = source()); // tainted
}
}


@@ -22,6 +22,8 @@
| copyableclass.cpp:23:19:23:20 | call to MyCopyableClass | copyableclass.cpp:29:8:29:9 | s4 | |
| copyableclass.cpp:24:3:24:4 | ref arg s4 | copyableclass.cpp:29:8:29:9 | s4 | |
| copyableclass.cpp:24:8:24:8 | 1 | copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | copyableclass.cpp:24:3:24:4 | ref arg s4 | TAINT |
| copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | copyableclass.cpp:24:6:24:6 | call to operator= | TAINT |
| copyableclass.cpp:33:22:33:27 | call to source | copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | copyableclass.cpp:35:22:35:23 | s1 | |
| copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | copyableclass.cpp:39:8:39:9 | s1 | |
@@ -33,6 +35,8 @@
| copyableclass.cpp:36:19:36:20 | call to MyCopyableClass | copyableclass.cpp:42:8:42:9 | s4 | |
| copyableclass.cpp:37:3:37:4 | ref arg s4 | copyableclass.cpp:42:8:42:9 | s4 | |
| copyableclass.cpp:37:8:37:13 | call to source | copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | copyableclass.cpp:37:3:37:4 | ref arg s4 | TAINT |
| copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | copyableclass.cpp:37:6:37:6 | call to operator= | TAINT |
| copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:47:24:47:25 | s1 | |
| copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:48:22:48:23 | s1 | |
| copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:50:8:50:9 | s1 | |
@@ -44,14 +48,20 @@
| copyableclass.cpp:49:19:49:20 | call to MyCopyableClass | copyableclass.cpp:50:3:50:4 | s4 | |
| copyableclass.cpp:49:19:49:20 | call to MyCopyableClass | copyableclass.cpp:55:8:55:9 | s4 | |
| copyableclass.cpp:50:3:50:4 | ref arg s4 | copyableclass.cpp:55:8:55:9 | s4 | |
| copyableclass.cpp:50:8:50:9 | s1 | copyableclass.cpp:50:3:50:4 | ref arg s4 | TAINT |
| copyableclass.cpp:50:8:50:9 | s1 | copyableclass.cpp:50:6:50:6 | call to operator= | TAINT |
| copyableclass.cpp:59:23:59:48 | call to MyCopyableClass | copyableclass.cpp:64:8:64:9 | s1 | |
| copyableclass.cpp:59:40:59:45 | call to source | copyableclass.cpp:59:23:59:48 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:60:19:60:20 | call to MyCopyableClass | copyableclass.cpp:62:3:62:4 | s2 | |
| copyableclass.cpp:60:19:60:20 | call to MyCopyableClass | copyableclass.cpp:65:8:65:9 | s2 | |
| copyableclass.cpp:61:19:61:20 | call to MyCopyableClass | copyableclass.cpp:66:8:66:9 | s3 | |
| copyableclass.cpp:62:3:62:4 | ref arg s2 | copyableclass.cpp:65:8:65:9 | s2 | |
| copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | copyableclass.cpp:62:3:62:4 | ref arg s2 | TAINT |
| copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | copyableclass.cpp:62:6:62:6 | call to operator= | TAINT |
| copyableclass.cpp:62:24:62:29 | call to source | copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:66:13:66:18 | call to source | copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | TAINT |
| copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | copyableclass.cpp:66:8:66:9 | ref arg s3 | TAINT |
| copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | copyableclass.cpp:66:11:66:11 | call to operator= | TAINT |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
| file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 | |
@@ -217,6 +227,8 @@
| movableclass.cpp:29:18:29:19 | call to MyMovableClass | movableclass.cpp:34:8:34:9 | s3 | |
| movableclass.cpp:30:3:30:4 | ref arg s3 | movableclass.cpp:34:8:34:9 | s3 | |
| movableclass.cpp:30:8:30:8 | 1 | movableclass.cpp:30:8:30:8 | call to MyMovableClass | TAINT |
| movableclass.cpp:30:8:30:8 | call to MyMovableClass | movableclass.cpp:30:3:30:4 | ref arg s3 | TAINT |
| movableclass.cpp:30:8:30:8 | call to MyMovableClass | movableclass.cpp:30:6:30:6 | call to operator= | TAINT |
| movableclass.cpp:38:21:38:26 | call to source | movableclass.cpp:38:21:38:29 | call to MyMovableClass | TAINT |
| movableclass.cpp:38:21:38:29 | call to MyMovableClass | movableclass.cpp:43:8:43:9 | s1 | |
| movableclass.cpp:39:22:39:30 | call to MyMovableClass | movableclass.cpp:44:8:44:9 | s2 | |
@@ -225,11 +237,15 @@
| movableclass.cpp:40:18:40:19 | call to MyMovableClass | movableclass.cpp:45:8:45:9 | s3 | |
| movableclass.cpp:41:3:41:4 | ref arg s3 | movableclass.cpp:45:8:45:9 | s3 | |
| movableclass.cpp:41:8:41:13 | call to source | movableclass.cpp:41:8:41:15 | call to MyMovableClass | TAINT |
| movableclass.cpp:41:8:41:15 | call to MyMovableClass | movableclass.cpp:41:3:41:4 | ref arg s3 | TAINT |
| movableclass.cpp:41:8:41:15 | call to MyMovableClass | movableclass.cpp:41:6:41:6 | call to operator= | TAINT |
| movableclass.cpp:49:22:49:46 | call to MyMovableClass | movableclass.cpp:53:8:53:9 | s1 | |
| movableclass.cpp:49:38:49:43 | call to source | movableclass.cpp:49:22:49:46 | call to MyMovableClass | TAINT |
| movableclass.cpp:50:18:50:19 | call to MyMovableClass | movableclass.cpp:51:3:51:4 | s2 | |
| movableclass.cpp:50:18:50:19 | call to MyMovableClass | movableclass.cpp:54:8:54:9 | s2 | |
| movableclass.cpp:51:3:51:4 | ref arg s2 | movableclass.cpp:54:8:54:9 | s2 | |
| movableclass.cpp:51:8:51:31 | call to MyMovableClass | movableclass.cpp:51:3:51:4 | ref arg s2 | TAINT |
| movableclass.cpp:51:8:51:31 | call to MyMovableClass | movableclass.cpp:51:6:51:6 | call to operator= | TAINT |
| movableclass.cpp:51:23:51:28 | call to source | movableclass.cpp:51:8:51:31 | call to MyMovableClass | TAINT |
| movableclass.cpp:58:21:58:32 | call to getUnTainted | movableclass.cpp:58:21:58:35 | call to MyMovableClass | |
| movableclass.cpp:58:21:58:35 | call to MyMovableClass | movableclass.cpp:62:8:62:9 | s1 | |
@@ -237,6 +253,8 @@
| movableclass.cpp:59:21:59:33 | call to MyMovableClass | movableclass.cpp:63:8:63:9 | s2 | |
| movableclass.cpp:60:18:60:19 | call to MyMovableClass | movableclass.cpp:64:8:64:9 | s3 | |
| movableclass.cpp:64:13:64:18 | call to source | movableclass.cpp:64:13:64:20 | call to MyMovableClass | TAINT |
| movableclass.cpp:64:13:64:20 | call to MyMovableClass | movableclass.cpp:64:8:64:9 | ref arg s3 | TAINT |
| movableclass.cpp:64:13:64:20 | call to MyMovableClass | movableclass.cpp:64:11:64:11 | call to operator= | TAINT |
| stl.cpp:67:12:67:17 | call to source | stl.cpp:71:7:71:7 | a | |
| stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string | TAINT |
| stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:72:7:72:7 | b | |


@@ -42,7 +42,7 @@ void test_copyableclass()
sink(s1); // tainted
sink(s2); // tainted
sink(s3); // tainted [NOT DETECTED]
sink(s3); // tainted
}
{
@@ -51,7 +51,7 @@ void test_copyableclass()
s2 = MyMovableClass(source());
sink(s1); // tainted
sink(s2); // tainted [NOT DETECTED]
sink(s2); // tainted
}
{
@@ -61,6 +61,6 @@ void test_copyableclass()
sink(s1);
sink(s2); // tainted
sink(s3 = source()); // tainted [NOT DETECTED]
sink(s3 = source()); // tainted
}
}


@@ -1,7 +1,10 @@
| copyableclass.cpp:39:8:39:9 | s1 | copyableclass.cpp:33:22:33:27 | call to source |
| copyableclass.cpp:40:8:40:9 | s2 | copyableclass.cpp:34:24:34:29 | call to source |
| copyableclass.cpp:41:8:41:9 | s3 | copyableclass.cpp:33:22:33:27 | call to source |
| copyableclass.cpp:42:8:42:9 | s4 | copyableclass.cpp:37:8:37:13 | call to source |
| copyableclass.cpp:64:8:64:9 | s1 | copyableclass.cpp:59:40:59:45 | call to source |
| copyableclass.cpp:65:8:65:9 | s2 | copyableclass.cpp:62:24:62:29 | call to source |
| copyableclass.cpp:66:11:66:11 | call to operator= | copyableclass.cpp:66:13:66:18 | call to source |
| format.cpp:57:8:57:13 | buffer | format.cpp:56:36:56:49 | call to source |
| format.cpp:62:8:62:13 | buffer | format.cpp:61:30:61:43 | call to source |
| format.cpp:67:8:67:13 | buffer | format.cpp:66:52:66:65 | call to source |
@@ -16,8 +19,11 @@
| format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
| movableclass.cpp:43:8:43:9 | s1 | movableclass.cpp:38:21:38:26 | call to source |
| movableclass.cpp:44:8:44:9 | s2 | movableclass.cpp:39:23:39:28 | call to source |
| movableclass.cpp:45:8:45:9 | s3 | movableclass.cpp:41:8:41:13 | call to source |
| movableclass.cpp:53:8:53:9 | s1 | movableclass.cpp:49:38:49:43 | call to source |
| movableclass.cpp:54:8:54:9 | s2 | movableclass.cpp:51:23:51:28 | call to source |
| movableclass.cpp:63:8:63:9 | s2 | movableclass.cpp:22:55:22:60 | call to source |
| movableclass.cpp:64:11:64:11 | call to operator= | movableclass.cpp:64:13:64:18 | call to source |
| stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
| stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
| stl.cpp:75:9:75:13 | call to c_str | stl.cpp:69:16:69:21 | call to source |


@@ -1,7 +1,10 @@
| copyableclass.cpp:39:8:39:9 | copyableclass.cpp:33:22:33:27 | AST only |
| copyableclass.cpp:40:8:40:9 | copyableclass.cpp:34:24:34:29 | AST only |
| copyableclass.cpp:41:8:41:9 | copyableclass.cpp:33:22:33:27 | AST only |
| copyableclass.cpp:42:8:42:9 | copyableclass.cpp:37:8:37:13 | AST only |
| copyableclass.cpp:64:8:64:9 | copyableclass.cpp:59:40:59:45 | AST only |
| copyableclass.cpp:65:8:65:9 | copyableclass.cpp:62:24:62:29 | AST only |
| copyableclass.cpp:66:11:66:11 | copyableclass.cpp:66:13:66:18 | AST only |
| format.cpp:57:8:57:13 | format.cpp:56:36:56:49 | AST only |
| format.cpp:62:8:62:13 | format.cpp:61:30:61:43 | AST only |
| format.cpp:67:8:67:13 | format.cpp:66:52:66:65 | AST only |
@@ -14,8 +17,11 @@
| format.cpp:110:8:110:14 | format.cpp:109:38:109:52 | AST only |
| movableclass.cpp:43:8:43:9 | movableclass.cpp:38:21:38:26 | AST only |
| movableclass.cpp:44:8:44:9 | movableclass.cpp:39:23:39:28 | AST only |
| movableclass.cpp:45:8:45:9 | movableclass.cpp:41:8:41:13 | AST only |
| movableclass.cpp:53:8:53:9 | movableclass.cpp:49:38:49:43 | AST only |
| movableclass.cpp:54:8:54:9 | movableclass.cpp:51:23:51:28 | AST only |
| movableclass.cpp:63:8:63:9 | movableclass.cpp:22:55:22:60 | AST only |
| movableclass.cpp:64:11:64:11 | movableclass.cpp:64:13:64:18 | AST only |
| stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
| stl.cpp:75:9:75:13 | stl.cpp:69:16:69:21 | AST only |
| stl.cpp:125:13:125:17 | stl.cpp:117:10:117:15 | AST only |