C++: Add += and friends to adjustedSink

2025-12-24 04:36:35 +01:00 · 2020-02-10 15:50:52 +01:00
parent 99a9d7f676
commit bcd84efe8d
1 changed files with 3 additions and 0 deletions
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -338,6 +338,9 @@ private Element adjustedSink(DataFlow::Node sink) {
  or
  // Taint `e--` and `e++` when `e` is tainted.
  result.(PostfixCrementOperation).getAnOperand() = sink.asExpr()
+  or
+  // Taint `e1 += e2` when `e1` or `e2` is tainted.
+  result.(AssignArithmeticOperation).getAnOperand() = sink.asExpr()
 }

 predicate tainted(Expr source, Element tainted) {