C++: Reverse taint through operator<<.

2026-04-29 10:45:15 +02:00 · 2020-09-08 16:20:36 +01:00
parent b73ff8da63
commit 8a143bec3a
6 changed files with 23 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -90,10 +90,17 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
  exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
    call.getTarget() = f and
    inModel.isReturnValueDeref() and
-    outModel.isQualifierObject() and
-    f.hasTaintFlow(inModel, outModel) and
    nodeFrom.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = call and
-    nodeTo.asDefiningArgument() = call.getQualifier()
+    f.hasTaintFlow(inModel, outModel) and
+    (
+      outModel.isQualifierObject() and
+      nodeTo.asDefiningArgument() = call.getQualifier()
+      or
+      exists(int argOutIndex |
+        outModel.isParameterDeref(argOutIndex) and
+        nodeTo.asDefiningArgument() = call.getArgument(argOutIndex)
+      )
+    )
  )
 }

--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -313,6 +313,10 @@ class StdOStreamOut extends TaintFunction {
    // flow from qualifier to return value
    input.isQualifierObject() and
    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the qualifier
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
  }
 }

@@ -338,5 +342,9 @@ class StdOStreamOutNonMember extends TaintFunction {
    // flow from first parameter to return value
    input.isParameter(0) and
    output.isReturnValueDeref()
+    or
+    // reverse flow from returned reference to the first parameter
+    input.isReturnValueDeref() and
+    output.isParameterDeref(0)
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1406,6 +1406,7 @@
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:44:7:44:9 | ss3 |  |
 | stringstream.cpp:33:7:33:9 | ss3 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
 | stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | TAINT |
+| stringstream.cpp:33:11:33:11 | ref arg call to operator<< | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
 | stringstream.cpp:33:23:33:28 | call to source | stringstream.cpp:33:11:33:11 | ref arg call to operator<< | TAINT |
@@ -1414,6 +1415,7 @@
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:45:7:45:9 | ss4 |  |
 | stringstream.cpp:34:7:34:9 | ss4 | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
 | stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | TAINT |
+| stringstream.cpp:34:11:34:11 | ref arg call to operator<< | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
 | stringstream.cpp:34:26:34:30 | 456 | stringstream.cpp:34:11:34:11 | ref arg call to operator<< | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
@@ -36,7 +36,7 @@ void test_stringstream_string(int amount)

 	sink(ss1);
 	sink(ss2); // tainted
-	sink(ss3); // tainted [NOT DETECTED]
+	sink(ss3); // tainted
 	sink(ss4); // tainted
 	sink(ss5); // tainted
 	sink(ss1.str());
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -161,6 +161,7 @@
 | stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:35:11:35:11 | call to operator<< | stringstream.cpp:29:16:29:21 | call to source |
 | stringstream.cpp:38:7:38:9 | ss2 | stringstream.cpp:32:14:32:19 | call to source |
+| stringstream.cpp:39:7:39:9 | ss3 | stringstream.cpp:33:23:33:28 | call to source |
 | stringstream.cpp:40:7:40:9 | ss4 | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:41:7:41:9 | ss5 | stringstream.cpp:29:16:29:21 | call to source |
 | stringstream.cpp:76:11:76:11 | call to operator<< | stringstream.cpp:70:32:70:37 | source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -171,6 +171,7 @@
 | stringstream.cpp:34:23:34:23 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:35:11:35:11 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:38:7:38:9 | stringstream.cpp:32:14:32:19 | AST only |
+| stringstream.cpp:39:7:39:9 | stringstream.cpp:33:23:33:28 | AST only |
 | stringstream.cpp:40:7:40:9 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:41:7:41:9 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |