C++: Taint through std::string operator+.

2026-04-27 01:35:13 +02:00 · 2020-08-11 15:02:36 +01:00
parent a57dfd6b67
commit cf6f530823
5 changed files with 55 additions and 5 deletions
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -519,6 +519,18 @@
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:327:8:327:9 | s2 |  |
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:328:8:328:9 | s2 |  |
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:328:13:328:14 | s2 |  |
+| stl.cpp:325:8:325:9 | s1 | stl.cpp:325:11:325:11 | call to operator+ | TAINT |
+| stl.cpp:325:13:325:14 | s1 | stl.cpp:325:11:325:11 | call to operator+ | TAINT |
+| stl.cpp:326:8:326:9 | s1 | stl.cpp:326:11:326:11 | call to operator+ | TAINT |
+| stl.cpp:326:13:326:14 | s2 | stl.cpp:326:11:326:11 | call to operator+ | TAINT |
+| stl.cpp:327:8:327:9 | s2 | stl.cpp:327:11:327:11 | call to operator+ | TAINT |
+| stl.cpp:327:13:327:14 | s1 | stl.cpp:327:11:327:11 | call to operator+ | TAINT |
+| stl.cpp:328:8:328:9 | s2 | stl.cpp:328:11:328:11 | call to operator+ | TAINT |
+| stl.cpp:328:13:328:14 | s2 | stl.cpp:328:11:328:11 | call to operator+ | TAINT |
+| stl.cpp:330:8:330:9 | s1 | stl.cpp:330:11:330:11 | call to operator+ | TAINT |
+| stl.cpp:330:13:330:20 |  world | stl.cpp:330:11:330:11 | call to operator+ | TAINT |
+| stl.cpp:331:8:331:9 | s1 | stl.cpp:331:11:331:11 | call to operator+ | TAINT |
+| stl.cpp:331:13:331:18 | call to source | stl.cpp:331:11:331:11 | call to operator+ | TAINT |
 | stl.cpp:335:18:335:22 | abc | stl.cpp:335:18:335:23 | call to basic_string | TAINT |
 | stl.cpp:335:18:335:23 | call to basic_string | stl.cpp:339:8:339:9 | s3 |  |
 | stl.cpp:335:18:335:23 | call to basic_string | stl.cpp:342:8:342:9 | s3 |  |
@@ -529,8 +541,10 @@
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:339:13:339:14 | s4 |  |
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:343:9:343:10 | s4 |  |
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:352:13:352:14 | s4 |  |
+| stl.cpp:339:8:339:9 | s3 | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
 | stl.cpp:339:11:339:11 | call to operator+ | stl.cpp:339:3:339:14 | ... = ... |  |
 | stl.cpp:339:11:339:11 | call to operator+ | stl.cpp:340:8:340:9 | s5 |  |
+| stl.cpp:339:13:339:14 | s4 | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:342:3:342:9 | ... = ... |  |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:343:3:343:4 | s6 |  |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:344:8:344:9 | s6 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
@@ -323,12 +323,12 @@ void test_string_append() {
 		std::string s2(source());

 		sink(s1 + s1);
-		sink(s1 + s2); // tainted [NOT DETECTED]
-		sink(s2 + s1); // tainted [NOT DETECTED]
-		sink(s2 + s2); // tainted [NOT DETECTED]
+		sink(s1 + s2); // tainted
+		sink(s2 + s1); // tainted
+		sink(s2 + s2); // tainted
 	
 		sink(s1 + " world");
-		sink(s1 + source()); // tainted [NOT DETECTED]
+		sink(s1 + source()); // tainted
 	}

 	{
@@ -337,7 +337,7 @@ void test_string_append() {
 		std::string s5, s6, s7, s8, s9;

 		s5 = s3 + s4;
-		sink(s5); // tainted [NOT DETECTED]
+		sink(s5); // tainted

 		s6 = s3;
 		s6 += s4;
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -53,6 +53,11 @@
 | stl.cpp:303:8:303:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:311:8:311:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:316:8:316:8 | x | stl.cpp:296:43:296:49 | source1 |
+| stl.cpp:326:11:326:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:327:11:327:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:328:11:328:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:331:11:331:11 | call to operator+ | stl.cpp:331:13:331:18 | call to source |
+| stl.cpp:340:8:340:9 | s5 | stl.cpp:336:18:336:23 | call to source |
 | stl.cpp:353:8:353:9 | s8 | stl.cpp:336:18:336:23 | call to source |
 | stl.cpp:358:8:358:9 | s9 | stl.cpp:356:13:356:18 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -50,6 +50,11 @@
 | stl.cpp:303:8:303:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:311:8:311:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:316:8:316:8 | stl.cpp:296:43:296:49 | AST only |
+| stl.cpp:326:11:326:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:327:11:327:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:328:11:328:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:331:11:331:11 | stl.cpp:331:13:331:18 | AST only |
+| stl.cpp:340:8:340:9 | stl.cpp:336:18:336:23 | AST only |
 | stl.cpp:353:8:353:9 | stl.cpp:336:18:336:23 | AST only |
 | stl.cpp:358:8:358:9 | stl.cpp:356:13:356:18 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |