C++: outbound dataflow via this indirections

2026-04-30 11:15:13 +02:00 · 2020-05-28 13:11:22 -07:00
parent 7dc30e3fdc
commit a897caec76
7 changed files with 23 additions and 14 deletions
--- a/cpp/ql/src/semmle/code/cpp/Parameter.qll
+++ b/cpp/ql/src/semmle/code/cpp/Parameter.qll
@@ -165,6 +165,7 @@ class Parameter extends LocalScopeVariable, @parameter {
 class ParameterIndex extends int {
  ParameterIndex() {
    exists(Parameter p | this = p.getIndex()) or
-    exists(Call c | exists(c.getArgument(this))) // permit indexing varargs
+    exists(Call c | exists(c.getArgument(this))) or // permit indexing varargs
+    this = -1 // used for `this`
  }
 }
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -74,7 +74,13 @@ class ReturnValueNode extends ReturnNode {
 class ReturnIndirectionNode extends ReturnNode {
  override ReturnIndirectionInstruction primary;

-  override ReturnKind getKind() { result = TIndirectReturnKind(primary.getParameter().getIndex()) }
+  override ReturnKind getKind() { 
+    result = TIndirectReturnKind(-1) and
+    primary.isThisIndirection()
+    or
+    result = TIndirectReturnKind(primary.getParameter().getIndex())
+  }
+
 }

 /** A data flow node that represents the output of a call. */
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -541,6 +541,8 @@ class ReturnIndirectionInstruction extends VariableInstruction {
   * function.
   */
  final Language::Parameter getParameter() { result = var.(IRUserVariable).getVariable() }
+
+  final predicate isThisIndirection() { var instanceof IRThisVariable }
 }

 class CopyInstruction extends Instruction {
--- a/cpp/ql/test/library-tests/dataflow/fields/A.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/A.cpp
@@ -129,7 +129,7 @@ public:
  {
    B *b = new B();
    f7(b);
-    sink(b->c); // $ast $f-:ir
+    sink(b->c); // $ast,ir
  }

  class D
@@ -149,7 +149,7 @@ public:
  {
    B *b = new B();
    D *d = new D(b, r());
-    sink(d->b);    // $ast=143:25 $ast=150:12 $f-:ir
+    sink(d->b);    // $ast,ir=143:25 $ast,ir=150:12
    sink(d->b->c); // $ast $f-:ir
    sink(b->c);    // $ast,ir
  }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -86,12 +86,12 @@ void class_field_test() {
 	mc1.myMethod();

 	sink(mc1.a);
-	sink(mc1.b); // tainted [NOT DETECTED with IR]
-	sink(mc1.c); // tainted [NOT DETECTED with IR]
-	sink(mc1.d); // tainted [NOT DETECTED with IR]
+	sink(mc1.b); // tainted
+	sink(mc1.c); // tainted
+	sink(mc1.d); // tainted
 	sink(mc2.a);
-	sink(mc2.b); // tainted [NOT DETECTED with IR]
-	sink(mc2.c); // tainted [NOT DETECTED with IR]
+	sink(mc2.b); // tainted
+	sink(mc2.c); // tainted
 	sink(mc2.d);
 }

--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -16,11 +16,6 @@
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |
-| taint.cpp:89:11:89:11 | taint.cpp:71:22:71:27 | AST only |
-| taint.cpp:90:11:90:11 | taint.cpp:72:7:72:12 | AST only |
-| taint.cpp:91:11:91:11 | taint.cpp:77:7:77:12 | AST only |
-| taint.cpp:93:11:93:11 | taint.cpp:71:22:71:27 | AST only |
-| taint.cpp:94:11:94:11 | taint.cpp:72:7:72:12 | AST only |
 | taint.cpp:109:7:109:13 | taint.cpp:105:12:105:17 | IR only |
 | taint.cpp:110:7:110:13 | taint.cpp:105:12:105:17 | IR only |
 | taint.cpp:111:7:111:13 | taint.cpp:106:12:106:17 | IR only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -3,6 +3,11 @@
 | taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
 | taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
 | taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |
+| taint.cpp:89:11:89:11 | b | taint.cpp:71:22:71:27 | call to source |
+| taint.cpp:90:11:90:11 | c | taint.cpp:72:7:72:12 | call to source |
+| taint.cpp:91:11:91:11 | d | taint.cpp:77:7:77:12 | call to source |
+| taint.cpp:93:11:93:11 | b | taint.cpp:71:22:71:27 | call to source |
+| taint.cpp:94:11:94:11 | c | taint.cpp:72:7:72:12 | call to source |
 | taint.cpp:109:7:109:13 | access to array | taint.cpp:105:12:105:17 | call to source |
 | taint.cpp:110:7:110:13 | access to array | taint.cpp:105:12:105:17 | call to source |
 | taint.cpp:111:7:111:13 | access to array | taint.cpp:106:12:106:17 | call to source |