From ae774a6b95e48bd0cac0f332dcb073a5a2344383 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 3 Feb 2023 16:59:54 +0000
Subject: [PATCH] C++: Add a test with an indirect source.

---
 .../dataflow-consistency.expected | 2 ++
 .../dataflow/dataflow-tests/test.cpp | 26 +++++++++++++++++++
 .../dataflow/dataflow-tests/test.ql | 4 +++
 3 files changed, 32 insertions(+)

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
index fb5f6688311..025801f6b40 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -105,6 +105,8 @@ postWithInFlow
 | test.cpp:542:6:542:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:548:25:548:25 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:552:25:552:25 | y [inner post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:562:5:562:13 | globalInt [post update] | PostUpdateNode should not be the target of local flow. |
+| test.cpp:576:5:576:13 | globalInt [post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
index f2be988548b..39f0488de2b 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
@@ -552,3 +552,29 @@ void test_sink_then_source() {
 sink_then_source_2(&y, y);
 }
 }
+
+int* indirect_source();
+
+namespace IndirectFlowThroughGlobals {
+int* globalInt;
+
+void taintGlobal() {
+globalInt = indirect_source();
+}
+
+void f() {
+sink(*globalInt); // $ ir=562:17 ir=576:17 // tainted or clean? Not sure.
+taintGlobal();
+sink(*globalInt); // $ ir=562:17 MISSING: ast=562:17 SPURIOUS: ir=576:17
+}
+
+void calledAfterTaint() {
+sink(*globalInt); // $ ir=576:17 MISSING: ast=576:17 SPURIOUS: ir=562:17
+}
+
+void taintAndCall() {
+globalInt = indirect_source();
+calledAfterTaint();
+sink(*globalInt); // $ ir=576:17 MISSING: ast=576:17 SPURIOUS: ir=562:17
+}
+}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
index 82128fe371c..2b7927a3a15 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
@@ -24,6 +24,8 @@ module AstTest {
 or
 source.asParameter().getName().matches("source%")
 or
+source.asExpr().(FunctionCall).getTarget().getName() = "indirect_source"
+or
 source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
 or
 // Track uninitialized variables
@@ -67,6 +69,8 @@ module IRTest {
 override predicate isSource(DataFlow::Node source) {
 source.asExpr().(FunctionCall).getTarget().getName() = "source"
 or
+source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
+or
 source.asParameter().getName().matches("source%")
 or
 source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
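Review bot: The first `sink(*globalInt)` in `f()` is annotated `// $ ir=562:17 ir=576:17 // tainted or clean? Not sure.`, so the test records an expectation its author has not settled for a read of the global that happens before any assignment in the same function; the question should be resolved and replaced by a one-line comment stating the intended result (reported or clean) and why, so a later change in the library's treatment of globals is judged against a decision rather than a guess. The declaration `int* indirect_source();` also says nothing about what it models; `// Returns a pointer whose pointee (indirection 1) is the source; matched by isSource in test.ql` would tie it to the query. The new final `}` is added with `\ No newline at end of file` while the previous end of the file (the context `}` above it) had one, which is worth restoring.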
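Review bot: The new `source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"` disjunct in IRTest's isSource carries no comment on why it uses `asIndirectExpr(1)` where the `"source"` disjunct directly above it uses `asExpr()`, and the AstTest hunk earlier in this file matches the same function name with `asExpr()`; a reader comparing the two modules cannot tell the difference is deliberate. Suggest `// The value the returned pointer points to (indirection level 1) is the source, not the pointer itself.` above the IR disjunct, and a matching one-line note in AstTest saying that the AST library has no separate indirection node so the call expression stands in for it, if that is the reason. The function name literal now appears in both modules and in test.cpp; a short comment in each place naming the other would keep them from drifting apart.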