C++: Fix getAValueTypeParameterIndex().

2026-04-29 18:55:14 +02:00 · 2020-08-27 15:04:00 +01:00
parent 816b8abd7c
commit 865d91de80
5 changed files with 6 additions and 3 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -101,10 +101,10 @@ class StdSequenceContainerAssign extends TaintFunction {
   * value type of the container.
   */
  int getAValueTypeParameterIndex() {
-    getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+    getParameter(result).getUnspecifiedType() = getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
    or
    getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      getDeclaringType().getTemplateArgument(0)
+      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType()
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2325,6 +2325,7 @@
 | vector.cpp:270:18:270:35 | call to source | vector.cpp:270:3:270:4 | ref arg v8 | TAINT |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:275:8:275:9 | v9 |  |
 | vector.cpp:271:3:271:4 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
+| vector.cpp:271:18:271:34 | call to source | vector.cpp:271:3:271:4 | ref arg v9 | TAINT |
 | vector.cpp:273:8:273:9 | ref arg v7 | vector.cpp:276:2:276:2 | v7 |  |
 | vector.cpp:274:8:274:9 | ref arg v8 | vector.cpp:276:2:276:2 | v8 |  |
 | vector.cpp:275:8:275:9 | ref arg v9 | vector.cpp:276:2:276:2 | v9 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -245,6 +245,7 @@
 | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source |
 | vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source |
 | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source |
+| vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source |
 | vector.cpp:285:7:285:8 | v1 | vector.cpp:284:15:284:20 | call to source |
 | vector.cpp:286:10:286:13 | call to data | vector.cpp:284:15:284:20 | call to source |
 | vector.cpp:287:7:287:18 | access to array | vector.cpp:284:15:284:20 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -181,6 +181,7 @@
 | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only |
 | vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only |
 | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only |
+| vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only |
 | vector.cpp:285:7:285:8 | vector.cpp:284:15:284:20 | AST only |
 | vector.cpp:286:10:286:13 | vector.cpp:284:15:284:20 | AST only |
 | vector.cpp:287:7:287:18 | vector.cpp:284:15:284:20 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -272,7 +272,7 @@ void test_vector_assign() {

 		sink(v7); // tainted
 		sink(v8); // tainted
-		sink(v9); // tainted [NOT DETECTED]
+		sink(v9); // tainted
 	}
 }