hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Address review comments.

Browse Source
This commit is contained in:
Geoffrey White
2020-08-12 12:43:28 +01:00
parent a655124213
commit b99ca60154
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -26,8 +26,7 @@ class StdStringCStr extends TaintFunction {
class StdStringPlus extends TaintFunction { class StdStringPlus extends TaintFunction {
StdStringPlus() { StdStringPlus() {
this.hasQualifiedName("std", "operator+") and this.hasQualifiedName("std", "operator+") and
this.getParameter(0).getType().getUnspecifiedType().(ReferenceType).getBaseType() = this.getUnspecifiedType() = any(StdBasicString s).getAnInstantiation()
any(StdBasicString s).getAnInstantiation()
} }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -49,9 +48,17 @@ class StdStringAppend extends TaintFunction {
this.hasQualifiedName("std", "basic_string", "append") this.hasQualifiedName("std", "basic_string", "append")
} }
/**
* Gets the index of a parameter to this function that is a string.
*/
int getAStringParameter() {
getParameter(result).getType() instanceof PointerType or
getParameter(result).getType() instanceof ReferenceType
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from parameter to string itself (qualifier) and return value // flow from parameter to string itself (qualifier) and return value
input.isParameterDeref(0) and input.isParameterDeref(getAStringParameter()) and
( (
output.isQualifierObject() or output.isQualifierObject() or
output.isReturnValueDeref() output.isReturnValueDeref()