C++: Add an taint step from object to field for 'CComBSTR's.

2026-04-27 01:35:13 +02:00 · 2024-11-27 13:38:38 +00:00
parent 9b004848a3
commit 948be09257
3 changed files with 30 additions and 13 deletions
--- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -51,3 +51,4 @@ private import implementations.StructuredExceptionHandling
 private import implementations.ZMQ
 private import implementations.Win32CommandExecution
 private import implementations.CA2AEX
+private import implementations.CComBSTR
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/CComBSTR.qll
@@ -0,0 +1,16 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+/** The `CComBSTR` class from the Microsoft "Active Template Library". */
+class CcomBstr extends Class {
+  CcomBstr() { this.hasGlobalName("CComBSTR") }
+}
+
+private class Mstr extends Field {
+  Mstr() { this.getDeclaringType() instanceof CcomBstr and this.hasName("m_str") }
+}
+
+private class MstrTaintInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  MstrTaintInheritingContent() { this.getField() instanceof Mstr }
+}
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
@@ -459,14 +459,14 @@ void test_CComBSTR() {
  char* x = indirect_source<char>();
  {
    CComBSTR b(x);
-    sink(b.m_str); // $ MISSING: ir
+    sink(b.m_str); // $ ir

    CComBSTR b2(b);
-    sink(b2.m_str); // $ MISSING: ir
+    sink(b2.m_str); // $ ir
  }
  {
    CComBSTR b(10, x);
-    sink(b.m_str); // $ MISSING: ir
+    sink(b.m_str); // $ ir
  }
  {
    CComBSTR b(x);
@@ -474,33 +474,33 @@ void test_CComBSTR() {
    CComBSTR b2;
    sink(b2.m_str);
    b2 += b;
-    sink(b2.m_str); // $ MISSING: ir
+    sink(b2.m_str); // $ ir

    CComBSTR b3;
    b3 += x;
-    sink(b3.m_str); // $ MISSING: ir
+    sink(b3.m_str); // $ ir
    sink(static_cast<BSTR>(b3)); // $ ir
    sink(**&b3); // $ ir

    CComBSTR b4;
    b4.Append(source<char>());
-    sink(b4.m_str); // $ MISSING: ir
+    sink(b4.m_str); // $ ir

    CComBSTR b5;
    b5.AppendBSTR(b4.m_str);
-    sink(b5.m_str); // $ MISSING: ir
+    sink(b5.m_str); // $ ir

    CComBSTR b6;
    b6.AppendBytes(x, 10);
-    sink(b6.m_str); // $ MISSING: ir
+    sink(b6.m_str); // $ ir

    CComBSTR b7;
    b7.ArrayToBSTR(getSafeArray());
-    sink(b7.m_str); // $ MISSING: ir
+    sink(b7.m_str); // $ ir

    CComBSTR b8;
    b8.AssignBSTR(b7.m_str);
-    sink(b8.m_str); // $ MISSING: ir
+    sink(b8.m_str); // $ ir

    CComBSTR b9;
    SAFEARRAY safe;
@@ -514,14 +514,14 @@ void test_CComBSTR() {
  wchar_t* w = indirect_source<wchar_t>();
  {
    CComBSTR b(w);
-    sink(b.m_str); // $ MISSING: ir
+    sink(b.m_str); // $ ir

    CComBSTR b2;
    b2.Attach(w);
-    sink(b2.m_str); // $ MISSING: ir
+    sink(b2.m_str); // $ ir
  }
  {
    CComBSTR b(10, w);
-    sink(b.m_str); // $ MISSING: ir
+    sink(b.m_str); // $ ir
  }
 }