hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4090 from geoffw0/strmethods

Browse Source 
C++: Model taint through many more methods in std::string
This commit is contained in:
Jonas Jensen
2020-08-19 16:40:46 +02:00
committed by GitHub
parent a23bb6d5ec d76b25ec22
commit b14bc42756
7 changed files with 478 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
change-notes/1.26/analysis-cpp.md
View File

@@ -19,6 +19,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
## Changes to libraries
* The models library now models more taint flows through `std::string`.
* The models library now models many more taint flows through `std::string`.
* The `SimpleRangeAnalysis` library now supports multiplications of the form
`e1 * e2` when `e1` and `e2` are unsigned.

86
cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -8,10 +8,13 @@ class StdBasicString extends TemplateClass {
}
/**
* The standard function `std::string.c_str`.
* The `std::string` functions `c_str` and `data`.
*/
class StdStringCStr extends TaintFunction {
StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
StdStringCStr() {
this.hasQualifiedName("std", "basic_string", "c_str") or
this.hasQualifiedName("std", "basic_string", "data")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from string itself (qualifier) to return value
@@ -40,12 +43,16 @@ class StdStringPlus extends TaintFunction {
}
/**
* The `std::string` functions `operator+=` and `append`.
* The `std::string` functions `operator+=`, `append`, `insert` and
* `replace`. All of these functions combine the existing string
* with a new string (or character) from one of the arguments.
*/
class StdStringAppend extends TaintFunction {
StdStringAppend() {
this.hasQualifiedName("std", "basic_string", "operator+=") or
this.hasQualifiedName("std", "basic_string", "append")
this.hasQualifiedName("std", "basic_string", "append") or
this.hasQualifiedName("std", "basic_string", "insert") or
this.hasQualifiedName("std", "basic_string", "replace")
}
/**
@@ -58,6 +65,35 @@ class StdStringAppend extends TaintFunction {
getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from string and parameter to string (qualifier) and return value
(
input.isQualifierObject() or
input.isParameterDeref(getAStringParameter())
) and
(
output.isQualifierObject() or
output.isReturnValueDeref()
)
}
}
/**
* The standard function `std::string.assign`.
*/
class StdStringAssign extends TaintFunction {
StdStringAssign() { this.hasQualifiedName("std", "basic_string", "assign") }
/**
* Gets the index of a parameter to this function that is a string (or
* character).
*/
int getAStringParameter() {
getParameter(result).getType() instanceof PointerType or
getParameter(result).getType() instanceof ReferenceType or
getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from parameter to string itself (qualifier) and return value
input.isParameterDeref(getAStringParameter()) and
@@ -67,3 +103,45 @@ class StdStringAppend extends TaintFunction {
)
}
}
/**
* The standard function `std::string.copy`.
*/
class StdStringCopy extends TaintFunction {
StdStringCopy() { this.hasQualifiedName("std", "basic_string", "copy") }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// copy(dest, num, pos)
input.isQualifierObject() and
output.isParameterDeref(0)
}
}
/**
* The standard function `std::string.substr`.
*/
class StdStringSubstr extends TaintFunction {
StdStringSubstr() { this.hasQualifiedName("std", "basic_string", "substr") }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// substr(pos, num)
input.isQualifierObject() and
output.isReturnValue()
}
}
/**
* The standard function `std::string.swap`.
*/
class StdStringSwap extends TaintFunction {
StdStringSwap() { this.hasQualifiedName("std", "basic_string", "swap") }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// str1.swap(str2)
input.isQualifierObject() and
output.isParameterDeref(0)
or
input.isParameterDeref(0) and
output.isQualifierObject()
}
}

183
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -457,6 +457,7 @@
| string.cpp:160:8:160:9 | s3 | string.cpp:161:3:161:4 | s6 | |
| string.cpp:160:8:160:9 | s3 | string.cpp:162:8:162:9 | s6 | |
| string.cpp:161:3:161:4 | ref arg s6 | string.cpp:162:8:162:9 | s6 | |
| string.cpp:161:3:161:4 | s6 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
| string.cpp:161:9:161:10 | s4 | string.cpp:161:3:161:4 | ref arg s6 | TAINT |
| string.cpp:161:9:161:10 | s4 | string.cpp:161:6:161:6 | call to operator+= | TAINT |
| string.cpp:164:8:164:9 | s3 | string.cpp:164:3:164:9 | ... = ... | |
@@ -465,15 +466,18 @@
| string.cpp:164:8:164:9 | s3 | string.cpp:167:8:167:9 | s7 | |
| string.cpp:165:3:165:4 | ref arg s7 | string.cpp:166:3:166:4 | s7 | |
| string.cpp:165:3:165:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 | |
| string.cpp:165:3:165:4 | s7 | string.cpp:165:6:165:6 | call to operator+= | TAINT |
| string.cpp:165:9:165:14 | call to source | string.cpp:165:3:165:4 | ref arg s7 | TAINT |
| string.cpp:165:9:165:14 | call to source | string.cpp:165:6:165:6 | call to operator+= | TAINT |
| string.cpp:166:3:166:4 | ref arg s7 | string.cpp:167:8:167:9 | s7 | |
| string.cpp:166:3:166:4 | s7 | string.cpp:166:6:166:6 | call to operator+= | TAINT |
| string.cpp:166:9:166:11 | | string.cpp:166:3:166:4 | ref arg s7 | TAINT |
| string.cpp:166:9:166:11 | | string.cpp:166:6:166:6 | call to operator+= | TAINT |
| string.cpp:169:8:169:9 | s3 | string.cpp:169:3:169:9 | ... = ... | |
| string.cpp:169:8:169:9 | s3 | string.cpp:170:3:170:4 | s8 | |
| string.cpp:169:8:169:9 | s3 | string.cpp:171:8:171:9 | s8 | |
| string.cpp:170:3:170:4 | ref arg s8 | string.cpp:171:8:171:9 | s8 | |
| string.cpp:170:3:170:4 | s8 | string.cpp:170:6:170:11 | call to append | TAINT |
| string.cpp:170:13:170:14 | s4 | string.cpp:170:3:170:4 | ref arg s8 | TAINT |
| string.cpp:170:13:170:14 | s4 | string.cpp:170:6:170:11 | call to append | TAINT |
| string.cpp:173:8:173:9 | s3 | string.cpp:173:3:173:9 | ... = ... | |
@@ -482,9 +486,11 @@
| string.cpp:173:8:173:9 | s3 | string.cpp:176:8:176:9 | s9 | |
| string.cpp:174:3:174:4 | ref arg s9 | string.cpp:175:3:175:4 | s9 | |
| string.cpp:174:3:174:4 | ref arg s9 | string.cpp:176:8:176:9 | s9 | |
| string.cpp:174:3:174:4 | s9 | string.cpp:174:6:174:11 | call to append | TAINT |
| string.cpp:174:13:174:18 | call to source | string.cpp:174:3:174:4 | ref arg s9 | TAINT |
| string.cpp:174:13:174:18 | call to source | string.cpp:174:6:174:11 | call to append | TAINT |
| string.cpp:175:3:175:4 | ref arg s9 | string.cpp:176:8:176:9 | s9 | |
| string.cpp:175:3:175:4 | s9 | string.cpp:175:6:175:11 | call to append | TAINT |
| string.cpp:175:13:175:15 | | string.cpp:175:3:175:4 | ref arg s9 | TAINT |
| string.cpp:175:13:175:15 | | string.cpp:175:6:175:11 | call to append | TAINT |
| string.cpp:180:19:180:23 | abc | string.cpp:180:19:180:24 | call to basic_string | TAINT |
@@ -492,8 +498,185 @@
| string.cpp:180:19:180:24 | call to basic_string | string.cpp:184:8:184:10 | s10 | |
| string.cpp:181:12:181:26 | call to source | string.cpp:183:17:183:17 | c | |
| string.cpp:183:3:183:5 | ref arg s10 | string.cpp:184:8:184:10 | s10 | |
| string.cpp:183:3:183:5 | s10 | string.cpp:183:7:183:12 | call to append | TAINT |
| string.cpp:183:17:183:17 | c | string.cpp:183:3:183:5 | ref arg s10 | TAINT |
| string.cpp:183:17:183:17 | c | string.cpp:183:7:183:12 | call to append | TAINT |
| string.cpp:189:17:189:23 | hello | string.cpp:189:17:189:24 | call to basic_string | TAINT |
| string.cpp:189:17:189:24 | call to basic_string | string.cpp:195:17:195:18 | s1 | |
| string.cpp:189:17:189:24 | call to basic_string | string.cpp:204:17:204:18 | s1 | |
| string.cpp:190:17:190:22 | call to source | string.cpp:190:17:190:25 | call to basic_string | TAINT |
| string.cpp:190:17:190:25 | call to basic_string | string.cpp:198:17:198:18 | s2 | |
| string.cpp:191:11:191:25 | call to source | string.cpp:201:21:201:21 | c | |
| string.cpp:192:14:192:15 | call to basic_string | string.cpp:195:7:195:8 | s3 | |
| string.cpp:192:14:192:15 | call to basic_string | string.cpp:196:7:196:8 | s3 | |
| string.cpp:192:18:192:19 | call to basic_string | string.cpp:198:7:198:8 | s4 | |
| string.cpp:192:18:192:19 | call to basic_string | string.cpp:199:7:199:8 | s4 | |
| string.cpp:192:22:192:23 | call to basic_string | string.cpp:201:7:201:8 | s5 | |
| string.cpp:192:22:192:23 | call to basic_string | string.cpp:202:7:202:8 | s5 | |
| string.cpp:193:17:193:22 | call to source | string.cpp:193:17:193:25 | call to basic_string | TAINT |
| string.cpp:193:17:193:25 | call to basic_string | string.cpp:204:7:204:8 | s6 | |
| string.cpp:193:17:193:25 | call to basic_string | string.cpp:205:7:205:8 | s6 | |
| string.cpp:195:7:195:8 | ref arg s3 | string.cpp:196:7:196:8 | s3 | |
| string.cpp:195:17:195:18 | s1 | string.cpp:195:7:195:8 | ref arg s3 | TAINT |
| string.cpp:195:17:195:18 | s1 | string.cpp:195:10:195:15 | call to assign | TAINT |
| string.cpp:198:7:198:8 | ref arg s4 | string.cpp:199:7:199:8 | s4 | |
| string.cpp:198:17:198:18 | s2 | string.cpp:198:7:198:8 | ref arg s4 | TAINT |
| string.cpp:198:17:198:18 | s2 | string.cpp:198:10:198:15 | call to assign | TAINT |
| string.cpp:201:7:201:8 | ref arg s5 | string.cpp:202:7:202:8 | s5 | |
| string.cpp:201:21:201:21 | c | string.cpp:201:7:201:8 | ref arg s5 | TAINT |
| string.cpp:201:21:201:21 | c | string.cpp:201:10:201:15 | call to assign | TAINT |
| string.cpp:204:7:204:8 | ref arg s6 | string.cpp:205:7:205:8 | s6 | |
| string.cpp:204:17:204:18 | s1 | string.cpp:204:7:204:8 | ref arg s6 | TAINT |
| string.cpp:204:17:204:18 | s1 | string.cpp:204:10:204:15 | call to assign | TAINT |
| string.cpp:209:17:209:23 | hello | string.cpp:209:17:209:24 | call to basic_string | TAINT |
| string.cpp:209:17:209:24 | call to basic_string | string.cpp:214:7:214:8 | s1 | |
| string.cpp:209:17:209:24 | call to basic_string | string.cpp:215:20:215:21 | s1 | |
| string.cpp:209:17:209:24 | call to basic_string | string.cpp:219:20:219:21 | s1 | |
| string.cpp:209:17:209:24 | call to basic_string | string.cpp:222:7:222:8 | s1 | |
| string.cpp:209:17:209:24 | call to basic_string | string.cpp:226:7:226:8 | s1 | |
| string.cpp:210:17:210:22 | call to source | string.cpp:210:17:210:25 | call to basic_string | TAINT |
| string.cpp:210:17:210:25 | call to basic_string | string.cpp:218:7:218:8 | s2 | |
| string.cpp:210:17:210:25 | call to basic_string | string.cpp:223:20:223:21 | s2 | |
| string.cpp:211:11:211:25 | call to source | string.cpp:227:24:227:24 | c | |
| string.cpp:214:7:214:8 | s1 | string.cpp:214:2:214:8 | ... = ... | |
| string.cpp:214:7:214:8 | s1 | string.cpp:215:7:215:8 | s3 | |
| string.cpp:214:7:214:8 | s1 | string.cpp:216:7:216:8 | s3 | |
| string.cpp:215:7:215:8 | ref arg s3 | string.cpp:216:7:216:8 | s3 | |
| string.cpp:215:7:215:8 | s3 | string.cpp:215:10:215:15 | call to insert | TAINT |
| string.cpp:215:20:215:21 | s1 | string.cpp:215:7:215:8 | ref arg s3 | TAINT |
| string.cpp:215:20:215:21 | s1 | string.cpp:215:10:215:15 | call to insert | TAINT |
| string.cpp:218:7:218:8 | s2 | string.cpp:218:2:218:8 | ... = ... | |
| string.cpp:218:7:218:8 | s2 | string.cpp:219:7:219:8 | s4 | |
| string.cpp:218:7:218:8 | s2 | string.cpp:220:7:220:8 | s4 | |
| string.cpp:219:7:219:8 | ref arg s4 | string.cpp:220:7:220:8 | s4 | |
| string.cpp:219:7:219:8 | s4 | string.cpp:219:10:219:15 | call to insert | TAINT |
| string.cpp:219:20:219:21 | s1 | string.cpp:219:7:219:8 | ref arg s4 | TAINT |
| string.cpp:219:20:219:21 | s1 | string.cpp:219:10:219:15 | call to insert | TAINT |
| string.cpp:222:7:222:8 | s1 | string.cpp:222:2:222:8 | ... = ... | |
| string.cpp:222:7:222:8 | s1 | string.cpp:223:7:223:8 | s5 | |
| string.cpp:222:7:222:8 | s1 | string.cpp:224:7:224:8 | s5 | |
| string.cpp:223:7:223:8 | ref arg s5 | string.cpp:224:7:224:8 | s5 | |
| string.cpp:223:7:223:8 | s5 | string.cpp:223:10:223:15 | call to insert | TAINT |
| string.cpp:223:20:223:21 | s2 | string.cpp:223:7:223:8 | ref arg s5 | TAINT |
| string.cpp:223:20:223:21 | s2 | string.cpp:223:10:223:15 | call to insert | TAINT |
| string.cpp:226:7:226:8 | s1 | string.cpp:226:2:226:8 | ... = ... | |
| string.cpp:226:7:226:8 | s1 | string.cpp:227:7:227:8 | s6 | |
| string.cpp:226:7:226:8 | s1 | string.cpp:228:7:228:8 | s6 | |
| string.cpp:227:7:227:8 | ref arg s6 | string.cpp:228:7:228:8 | s6 | |
| string.cpp:227:7:227:8 | s6 | string.cpp:227:10:227:15 | call to insert | TAINT |
| string.cpp:227:24:227:24 | c | string.cpp:227:7:227:8 | ref arg s6 | TAINT |
| string.cpp:227:24:227:24 | c | string.cpp:227:10:227:15 | call to insert | TAINT |
| string.cpp:232:17:232:23 | hello | string.cpp:232:17:232:24 | call to basic_string | TAINT |
| string.cpp:232:17:232:24 | call to basic_string | string.cpp:237:7:237:8 | s1 | |
| string.cpp:232:17:232:24 | call to basic_string | string.cpp:238:24:238:25 | s1 | |
| string.cpp:232:17:232:24 | call to basic_string | string.cpp:242:24:242:25 | s1 | |
| string.cpp:232:17:232:24 | call to basic_string | string.cpp:245:7:245:8 | s1 | |
| string.cpp:232:17:232:24 | call to basic_string | string.cpp:249:7:249:8 | s1 | |
| string.cpp:233:17:233:22 | call to source | string.cpp:233:17:233:25 | call to basic_string | TAINT |
| string.cpp:233:17:233:25 | call to basic_string | string.cpp:241:7:241:8 | s2 | |
| string.cpp:233:17:233:25 | call to basic_string | string.cpp:246:24:246:25 | s2 | |
| string.cpp:234:11:234:25 | call to source | string.cpp:250:28:250:28 | c | |
| string.cpp:237:7:237:8 | s1 | string.cpp:237:2:237:8 | ... = ... | |
| string.cpp:237:7:237:8 | s1 | string.cpp:238:7:238:8 | s3 | |
| string.cpp:237:7:237:8 | s1 | string.cpp:239:7:239:8 | s3 | |
| string.cpp:238:7:238:8 | ref arg s3 | string.cpp:239:7:239:8 | s3 | |
| string.cpp:238:7:238:8 | s3 | string.cpp:238:10:238:16 | call to replace | TAINT |
| string.cpp:238:24:238:25 | s1 | string.cpp:238:7:238:8 | ref arg s3 | TAINT |
| string.cpp:238:24:238:25 | s1 | string.cpp:238:10:238:16 | call to replace | TAINT |
| string.cpp:241:7:241:8 | s2 | string.cpp:241:2:241:8 | ... = ... | |
| string.cpp:241:7:241:8 | s2 | string.cpp:242:7:242:8 | s4 | |
| string.cpp:241:7:241:8 | s2 | string.cpp:243:7:243:8 | s4 | |
| string.cpp:242:7:242:8 | ref arg s4 | string.cpp:243:7:243:8 | s4 | |
| string.cpp:242:7:242:8 | s4 | string.cpp:242:10:242:16 | call to replace | TAINT |
| string.cpp:242:24:242:25 | s1 | string.cpp:242:7:242:8 | ref arg s4 | TAINT |
| string.cpp:242:24:242:25 | s1 | string.cpp:242:10:242:16 | call to replace | TAINT |
| string.cpp:245:7:245:8 | s1 | string.cpp:245:2:245:8 | ... = ... | |
| string.cpp:245:7:245:8 | s1 | string.cpp:246:7:246:8 | s5 | |
| string.cpp:245:7:245:8 | s1 | string.cpp:247:7:247:8 | s5 | |
| string.cpp:246:7:246:8 | ref arg s5 | string.cpp:247:7:247:8 | s5 | |
| string.cpp:246:7:246:8 | s5 | string.cpp:246:10:246:16 | call to replace | TAINT |
| string.cpp:246:24:246:25 | s2 | string.cpp:246:7:246:8 | ref arg s5 | TAINT |
| string.cpp:246:24:246:25 | s2 | string.cpp:246:10:246:16 | call to replace | TAINT |
| string.cpp:249:7:249:8 | s1 | string.cpp:249:2:249:8 | ... = ... | |
| string.cpp:249:7:249:8 | s1 | string.cpp:250:7:250:8 | s6 | |
| string.cpp:249:7:249:8 | s1 | string.cpp:251:7:251:8 | s6 | |
| string.cpp:250:7:250:8 | ref arg s6 | string.cpp:251:7:251:8 | s6 | |
| string.cpp:250:7:250:8 | s6 | string.cpp:250:10:250:16 | call to replace | TAINT |
| string.cpp:250:28:250:28 | c | string.cpp:250:7:250:8 | ref arg s6 | TAINT |
| string.cpp:250:28:250:28 | c | string.cpp:250:10:250:16 | call to replace | TAINT |
| string.cpp:255:17:255:20 | {...} | string.cpp:260:10:260:11 | b1 | |
| string.cpp:255:17:255:20 | {...} | string.cpp:261:7:261:8 | b1 | |
| string.cpp:255:19:255:19 | 0 | string.cpp:255:17:255:20 | {...} | TAINT |
| string.cpp:256:17:256:20 | {...} | string.cpp:263:10:263:11 | b2 | |
| string.cpp:256:17:256:20 | {...} | string.cpp:264:7:264:8 | b2 | |
| string.cpp:256:19:256:19 | 0 | string.cpp:256:17:256:20 | {...} | TAINT |
| string.cpp:257:17:257:23 | hello | string.cpp:257:17:257:24 | call to basic_string | TAINT |
| string.cpp:257:17:257:24 | call to basic_string | string.cpp:260:2:260:3 | s1 | |
| string.cpp:257:17:257:24 | call to basic_string | string.cpp:260:14:260:15 | s1 | |
| string.cpp:257:17:257:24 | call to basic_string | string.cpp:263:14:263:15 | s1 | |
| string.cpp:258:17:258:22 | call to source | string.cpp:258:17:258:25 | call to basic_string | TAINT |
| string.cpp:258:17:258:25 | call to basic_string | string.cpp:263:2:263:3 | s2 | |
| string.cpp:260:2:260:3 | s1 | string.cpp:260:10:260:11 | ref arg b1 | TAINT |
| string.cpp:260:10:260:11 | ref arg b1 | string.cpp:261:7:261:8 | b1 | |
| string.cpp:263:2:263:3 | s2 | string.cpp:263:10:263:11 | ref arg b2 | TAINT |
| string.cpp:263:10:263:11 | ref arg b2 | string.cpp:264:7:264:8 | b2 | |
| string.cpp:268:17:268:23 | hello | string.cpp:268:17:268:24 | call to basic_string | TAINT |
| string.cpp:268:17:268:24 | call to basic_string | string.cpp:273:7:273:8 | s1 | |
| string.cpp:268:17:268:24 | call to basic_string | string.cpp:278:2:278:3 | s1 | |
| string.cpp:268:17:268:24 | call to basic_string | string.cpp:281:7:281:8 | s1 | |
| string.cpp:269:17:269:22 | call to source | string.cpp:269:17:269:25 | call to basic_string | TAINT |
| string.cpp:269:17:269:25 | call to basic_string | string.cpp:274:7:274:8 | s2 | |
| string.cpp:269:17:269:25 | call to basic_string | string.cpp:278:10:278:11 | s2 | |
| string.cpp:269:17:269:25 | call to basic_string | string.cpp:282:7:282:8 | s2 | |
| string.cpp:270:17:270:23 | world | string.cpp:270:17:270:24 | call to basic_string | TAINT |
| string.cpp:270:17:270:24 | call to basic_string | string.cpp:275:7:275:8 | s3 | |
| string.cpp:270:17:270:24 | call to basic_string | string.cpp:279:10:279:11 | s3 | |
| string.cpp:270:17:270:24 | call to basic_string | string.cpp:283:7:283:8 | s3 | |
| string.cpp:271:17:271:22 | call to source | string.cpp:271:17:271:25 | call to basic_string | TAINT |
| string.cpp:271:17:271:25 | call to basic_string | string.cpp:276:7:276:8 | s4 | |
| string.cpp:271:17:271:25 | call to basic_string | string.cpp:279:2:279:3 | s4 | |
| string.cpp:271:17:271:25 | call to basic_string | string.cpp:284:7:284:8 | s4 | |
| string.cpp:278:2:278:3 | ref arg s1 | string.cpp:281:7:281:8 | s1 | |
| string.cpp:278:2:278:3 | s1 | string.cpp:278:10:278:11 | ref arg s2 | TAINT |
| string.cpp:278:10:278:11 | ref arg s2 | string.cpp:282:7:282:8 | s2 | |
| string.cpp:278:10:278:11 | s2 | string.cpp:278:2:278:3 | ref arg s1 | TAINT |
| string.cpp:279:2:279:3 | ref arg s4 | string.cpp:284:7:284:8 | s4 | |
| string.cpp:279:2:279:3 | s4 | string.cpp:279:10:279:11 | ref arg s3 | TAINT |
| string.cpp:279:10:279:11 | ref arg s3 | string.cpp:283:7:283:8 | s3 | |
| string.cpp:279:10:279:11 | s3 | string.cpp:279:2:279:3 | ref arg s4 | TAINT |
| string.cpp:288:17:288:22 | call to source | string.cpp:288:17:288:25 | call to basic_string | TAINT |
| string.cpp:288:17:288:25 | call to basic_string | string.cpp:292:7:292:8 | s1 | |
| string.cpp:288:17:288:25 | call to basic_string | string.cpp:296:2:296:3 | s1 | |
| string.cpp:288:17:288:25 | call to basic_string | string.cpp:300:7:300:8 | s1 | |
| string.cpp:289:17:289:22 | call to source | string.cpp:289:17:289:25 | call to basic_string | TAINT |
| string.cpp:289:17:289:25 | call to basic_string | string.cpp:293:7:293:8 | s2 | |
| string.cpp:290:17:290:22 | call to source | string.cpp:290:17:290:25 | call to basic_string | TAINT |
| string.cpp:290:17:290:25 | call to basic_string | string.cpp:294:7:294:8 | s3 | |
| string.cpp:290:17:290:25 | call to basic_string | string.cpp:298:7:298:8 | s3 | |
| string.cpp:296:2:296:3 | ref arg s1 | string.cpp:300:7:300:8 | s1 | |
| string.cpp:297:7:297:8 | | string.cpp:297:7:297:8 | call to basic_string | TAINT |
| string.cpp:297:7:297:8 | call to basic_string | string.cpp:297:2:297:8 | ... = ... | |
| string.cpp:297:7:297:8 | call to basic_string | string.cpp:301:7:301:8 | s2 | |
| string.cpp:298:7:298:8 | s3 | string.cpp:298:2:298:8 | ... = ... | |
| string.cpp:298:7:298:8 | s3 | string.cpp:302:7:302:8 | s3 | |
| string.cpp:307:16:307:20 | 123 | string.cpp:307:16:307:21 | call to basic_string | TAINT |
| string.cpp:307:16:307:21 | call to basic_string | string.cpp:310:7:310:7 | a | |
| string.cpp:307:16:307:21 | call to basic_string | string.cpp:312:7:312:7 | a | |
| string.cpp:308:16:308:21 | call to source | string.cpp:308:16:308:24 | call to basic_string | TAINT |
| string.cpp:308:16:308:24 | call to basic_string | string.cpp:311:7:311:7 | b | |
| string.cpp:308:16:308:24 | call to basic_string | string.cpp:313:7:313:7 | b | |
| string.cpp:310:7:310:7 | a | string.cpp:310:9:310:12 | call to data | TAINT |
| string.cpp:310:7:310:7 | ref arg a | string.cpp:312:7:312:7 | a | |
| string.cpp:311:7:311:7 | b | string.cpp:311:9:311:12 | call to data | TAINT |
| string.cpp:311:7:311:7 | ref arg b | string.cpp:313:7:313:7 | b | |
| string.cpp:318:16:318:20 | 123 | string.cpp:318:16:318:21 | call to basic_string | TAINT |
| string.cpp:318:16:318:21 | call to basic_string | string.cpp:321:7:321:7 | a | |
| string.cpp:318:16:318:21 | call to basic_string | string.cpp:321:19:321:19 | a | |
| string.cpp:319:16:319:21 | call to source | string.cpp:319:16:319:24 | call to basic_string | TAINT |
| string.cpp:319:16:319:24 | call to basic_string | string.cpp:322:7:322:7 | b | |
| string.cpp:319:16:319:24 | call to basic_string | string.cpp:322:19:322:19 | b | |
| string.cpp:321:7:321:7 | a | string.cpp:321:9:321:14 | call to substr | TAINT |
| string.cpp:322:7:322:7 | b | string.cpp:322:9:322:14 | call to substr | TAINT |
| stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:16:2:16:4 | ss1 | |
| stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:22:7:22:9 | ss1 | |
| stringstream.cpp:13:20:13:22 | call to basic_stringstream | stringstream.cpp:27:7:27:9 | ss1 | |

13
cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
View File

@@ -39,11 +39,14 @@ namespace std
class basic_string {
public:
typedef typename Allocator::size_type size_type;
static const size_type npos = -1;
explicit basic_string(const Allocator& a = Allocator());
basic_string(const charT* s, const Allocator& a = Allocator());
const charT* c_str() const;
charT* data() noexcept;
size_t length() const;
typedef std::iterator<random_access_iterator_tag, charT> iterator;
typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
@@ -60,6 +63,16 @@ namespace std
basic_string& append(const basic_string& str);
basic_string& append(const charT* s);
basic_string& append(size_type n, charT c);
basic_string& assign(const basic_string& str);
basic_string& assign(size_type n, charT c);
basic_string& insert(size_type pos, const basic_string& str);
basic_string& insert(size_type pos, size_type n, charT c);
basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
size_type copy(charT* s, size_type n, size_type pos = 0) const;
void clear() noexcept;
basic_string substr(size_type pos = 0, size_type n = npos) const;
void swap(basic_string& s) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
};
template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);

137
cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
View File

@@ -184,3 +184,140 @@ void test_string_append() {
sink(s10); // tainted
}
}
void test_string_assign() {
std::string s1("hello");
std::string s2(source());
char c = ns_char::source();
std::string s3, s4, s5;
std::string s6(source());
sink(s3.assign(s1));
sink(s3);
sink(s4.assign(s2)); // tainted
sink(s4); // tainted
sink(s5.assign(10, c)); // tainted
sink(s5); // tainted
sink(s6.assign(s1));
sink(s6); // [FALSE POSITIVE]
}
void test_string_insert() {
std::string s1("hello");
std::string s2(source());
char c = ns_char::source();
std::string s3, s4, s5, s6;
s3 = s1;
sink(s3.insert(0, s1));
sink(s3);
s4 = s2;
sink(s4.insert(0, s1)); // tainted
sink(s4); // tainted
s5 = s1;
sink(s5.insert(0, s2)); // tainted
sink(s5); // tainted
s6 = s1;
sink(s6.insert(0, 10, c)); // tainted
sink(s6); // tainted
}
void test_string_replace() {
std::string s1("hello");
std::string s2(source());
char c = ns_char::source();
std::string s3, s4, s5, s6;
s3 = s1;
sink(s3.replace(1, 2, s1));
sink(s3);
s4 = s2;
sink(s4.replace(1, 2, s1)); // tainted
sink(s4); // tainted
s5 = s1;
sink(s5.replace(1, 2, s2)); // tainted
sink(s5); // tainted
s6 = s1;
sink(s6.replace(1, 2, 10, c)); // tainted
sink(s6); // tainted
}
void test_string_copy() {
char b1[1024] = {0};
char b2[1024] = {0};
std::string s1("hello");
std::string s2(source());
s1.copy(b1, s1.length(), 0);
sink(b1);
s2.copy(b2, s1.length(), 0);
sink(b2); // tainted
}
void test_string_swap() {
std::string s1("hello");
std::string s2(source());
std::string s3("world");
std::string s4(source());
sink(s1);
sink(s2); // tainted
sink(s3);
sink(s4); // tainted
s1.swap(s2);
s4.swap(s3);
sink(s1); // tainted
sink(s2); // [FALSE POSITIVE]
sink(s3); // tainted
sink(s4); // [FALSE POSITIVE]
}
void test_string_clear() {
std::string s1(source());
std::string s2(source());
std::string s3(source());
sink(s1); // tainted
sink(s2); // tainted
sink(s3); // tainted
s1.clear();
s2 = "";
s3 = s3;
sink(s1); // [FALSE POSITIVE]
sink(s2);
sink(s3); // tainted
}
void test_string_data()
{
std::string a("123");
std::string b(source());
sink(a.data());
sink(b.data()); // tainted
sink(a.length());
sink(b.length());
}
void test_string_substr()
{
std::string a("123");
std::string b(source());
sink(a.substr(0, a.length()));
sink(b.substr(0, b.length())); // tainted
}

31
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -60,6 +60,37 @@
| string.cpp:171:8:171:9 | s8 | string.cpp:154:18:154:23 | call to source |
| string.cpp:176:8:176:9 | s9 | string.cpp:174:13:174:18 | call to source |
| string.cpp:184:8:184:10 | s10 | string.cpp:181:12:181:26 | call to source |
| string.cpp:198:10:198:15 | call to assign | string.cpp:190:17:190:22 | call to source |
| string.cpp:199:7:199:8 | s4 | string.cpp:190:17:190:22 | call to source |
| string.cpp:201:10:201:15 | call to assign | string.cpp:191:11:191:25 | call to source |
| string.cpp:202:7:202:8 | s5 | string.cpp:191:11:191:25 | call to source |
| string.cpp:205:7:205:8 | s6 | string.cpp:193:17:193:22 | call to source |
| string.cpp:219:10:219:15 | call to insert | string.cpp:210:17:210:22 | call to source |
| string.cpp:220:7:220:8 | s4 | string.cpp:210:17:210:22 | call to source |
| string.cpp:223:10:223:15 | call to insert | string.cpp:210:17:210:22 | call to source |
| string.cpp:224:7:224:8 | s5 | string.cpp:210:17:210:22 | call to source |
| string.cpp:227:10:227:15 | call to insert | string.cpp:211:11:211:25 | call to source |
| string.cpp:228:7:228:8 | s6 | string.cpp:211:11:211:25 | call to source |
| string.cpp:242:10:242:16 | call to replace | string.cpp:233:17:233:22 | call to source |
| string.cpp:243:7:243:8 | s4 | string.cpp:233:17:233:22 | call to source |
| string.cpp:246:10:246:16 | call to replace | string.cpp:233:17:233:22 | call to source |
| string.cpp:247:7:247:8 | s5 | string.cpp:233:17:233:22 | call to source |
| string.cpp:250:10:250:16 | call to replace | string.cpp:234:11:234:25 | call to source |
| string.cpp:251:7:251:8 | s6 | string.cpp:234:11:234:25 | call to source |
| string.cpp:264:7:264:8 | b2 | string.cpp:258:17:258:22 | call to source |
| string.cpp:274:7:274:8 | s2 | string.cpp:269:17:269:22 | call to source |
| string.cpp:276:7:276:8 | s4 | string.cpp:271:17:271:22 | call to source |
| string.cpp:281:7:281:8 | s1 | string.cpp:269:17:269:22 | call to source |
| string.cpp:282:7:282:8 | s2 | string.cpp:269:17:269:22 | call to source |
| string.cpp:283:7:283:8 | s3 | string.cpp:271:17:271:22 | call to source |
| string.cpp:284:7:284:8 | s4 | string.cpp:271:17:271:22 | call to source |
| string.cpp:292:7:292:8 | s1 | string.cpp:288:17:288:22 | call to source |
| string.cpp:293:7:293:8 | s2 | string.cpp:289:17:289:22 | call to source |
| string.cpp:294:7:294:8 | s3 | string.cpp:290:17:290:22 | call to source |
| string.cpp:300:7:300:8 | s1 | string.cpp:288:17:288:22 | call to source |
| string.cpp:302:7:302:8 | s3 | string.cpp:290:17:290:22 | call to source |
| string.cpp:311:9:311:12 | call to data | string.cpp:308:16:308:21 | call to source |
| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
| structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
| structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
| structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

31
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -57,6 +57,37 @@
| string.cpp:171:8:171:9 | string.cpp:154:18:154:23 | AST only |
| string.cpp:176:8:176:9 | string.cpp:174:13:174:18 | AST only |
| string.cpp:184:8:184:10 | string.cpp:181:12:181:26 | AST only |
| string.cpp:198:10:198:15 | string.cpp:190:17:190:22 | AST only |
| string.cpp:199:7:199:8 | string.cpp:190:17:190:22 | AST only |
| string.cpp:201:10:201:15 | string.cpp:191:11:191:25 | AST only |
| string.cpp:202:7:202:8 | string.cpp:191:11:191:25 | AST only |
| string.cpp:205:7:205:8 | string.cpp:193:17:193:22 | AST only |
| string.cpp:219:10:219:15 | string.cpp:210:17:210:22 | AST only |
| string.cpp:220:7:220:8 | string.cpp:210:17:210:22 | AST only |
| string.cpp:223:10:223:15 | string.cpp:210:17:210:22 | AST only |
| string.cpp:224:7:224:8 | string.cpp:210:17:210:22 | AST only |
| string.cpp:227:10:227:15 | string.cpp:211:11:211:25 | AST only |
| string.cpp:228:7:228:8 | string.cpp:211:11:211:25 | AST only |
| string.cpp:242:10:242:16 | string.cpp:233:17:233:22 | AST only |
| string.cpp:243:7:243:8 | string.cpp:233:17:233:22 | AST only |
| string.cpp:246:10:246:16 | string.cpp:233:17:233:22 | AST only |
| string.cpp:247:7:247:8 | string.cpp:233:17:233:22 | AST only |
| string.cpp:250:10:250:16 | string.cpp:234:11:234:25 | AST only |
| string.cpp:251:7:251:8 | string.cpp:234:11:234:25 | AST only |
| string.cpp:264:7:264:8 | string.cpp:258:17:258:22 | AST only |
| string.cpp:274:7:274:8 | string.cpp:269:17:269:22 | AST only |
| string.cpp:276:7:276:8 | string.cpp:271:17:271:22 | AST only |
| string.cpp:281:7:281:8 | string.cpp:269:17:269:22 | AST only |
| string.cpp:282:7:282:8 | string.cpp:269:17:269:22 | AST only |
| string.cpp:283:7:283:8 | string.cpp:271:17:271:22 | AST only |
| string.cpp:284:7:284:8 | string.cpp:271:17:271:22 | AST only |
| string.cpp:292:7:292:8 | string.cpp:288:17:288:22 | AST only |
| string.cpp:293:7:293:8 | string.cpp:289:17:289:22 | AST only |
| string.cpp:294:7:294:8 | string.cpp:290:17:290:22 | AST only |
| string.cpp:300:7:300:8 | string.cpp:288:17:288:22 | AST only |
| string.cpp:302:7:302:8 | string.cpp:290:17:290:22 | AST only |
| string.cpp:311:9:311:12 | string.cpp:308:16:308:21 | AST only |
| string.cpp:322:9:322:14 | string.cpp:319:16:319:21 | AST only |
| structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
| structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
| structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |