hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Model taint flow through std::swap.

Browse Source
This commit is contained in:
Geoffrey White
2019-07-12 17:06:44 +01:00
parent f132bca06e
commit c2fd2e273e
6 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cpp/ql/src/semmle/code/cpp/models/Models.qll
View File

@@ -6,3 +6,4 @@ private import implementations.Pure
private import implementations.Strcat private import implementations.Strcat
private import implementations.Strcpy private import implementations.Strcpy
private import implementations.Strftime private import implementations.Strftime
private import implementations.Swap

23
cpp/ql/src/semmle/code/cpp/models/implementations/Swap.qll Normal file
View File

@@ -0,0 +1,23 @@
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint
/**
* The standard function `swap`.
*/
class Swap extends DataFlowFunction {
Swap() {
this.hasQualifiedName("std", "swap")
}
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
(
input.isInParameterPointer(0) and
output.isOutParameterPointer(1)
)
or
(
input.isInParameterPointer(1) and
output.isOutParameterPointer(0)
)
}
}

2
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -171,5 +171,7 @@
| taint.cpp:208:6:208:6 | 0 | taint.cpp:216:7:216:7 | y | | | taint.cpp:208:6:208:6 | 0 | taint.cpp:216:7:216:7 | y | |
| taint.cpp:213:12:213:12 | ref arg x | taint.cpp:213:12:213:12 | x | | | taint.cpp:213:12:213:12 | ref arg x | taint.cpp:213:12:213:12 | x | |
| taint.cpp:213:12:213:12 | ref arg x | taint.cpp:215:7:215:7 | x | | | taint.cpp:213:12:213:12 | ref arg x | taint.cpp:215:7:215:7 | x | |
| taint.cpp:213:12:213:12 | x | taint.cpp:213:15:213:15 | ref arg y | |
| taint.cpp:213:15:213:15 | ref arg y | taint.cpp:213:15:213:15 | y | | | taint.cpp:213:15:213:15 | ref arg y | taint.cpp:213:15:213:15 | y | |
| taint.cpp:213:15:213:15 | ref arg y | taint.cpp:216:7:216:7 | y | | | taint.cpp:213:15:213:15 | ref arg y | taint.cpp:216:7:216:7 | y | |
| taint.cpp:213:15:213:15 | y | taint.cpp:213:12:213:12 | ref arg x | |

2
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -213,5 +213,5 @@ void test_swap() {
std::swap(x, y); std::swap(x, y);
sink(x); // [FALSE POSITIVE] sink(x); // [FALSE POSITIVE]
sink(y); // tainted [NOT DETECTED] sink(y); // tainted
} }

1
cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
View File

@@ -16,3 +16,4 @@
| taint.cpp:195:7:195:7 | x | taint.cpp:193:6:193:6 | x | | taint.cpp:195:7:195:7 | x | taint.cpp:193:6:193:6 | x |
| taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source | | taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source |
| taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source | | taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source |
| taint.cpp:216:7:216:7 | y | taint.cpp:207:6:207:11 | call to source |

1
cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
View File

@@ -8,3 +8,4 @@
| taint.cpp:192:23:192:28 | taint.cpp:195:7:195:7 | AST only | | taint.cpp:192:23:192:28 | taint.cpp:195:7:195:7 | AST only |
| taint.cpp:193:6:193:6 | taint.cpp:195:7:195:7 | AST only | | taint.cpp:193:6:193:6 | taint.cpp:195:7:195:7 | AST only |
| taint.cpp:207:6:207:11 | taint.cpp:215:7:215:7 | AST only | | taint.cpp:207:6:207:11 | taint.cpp:215:7:215:7 | AST only |
| taint.cpp:207:6:207:11 | taint.cpp:216:7:216:7 | AST only |