C++: Model insert_or_assign.

cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll

@@ -6,11 +6,11 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.implementations.Iterator
 
 /**
- * The standard map `insert` function.
+ * The standard map `insert` and `insert_or_assign` functions.
  */
 class StdMapInsert extends TaintFunction {
   StdMapInsert() {
-    this.hasQualifiedName("std", ["map", "unordered_map"], "insert")
+    this.hasQualifiedName("std", ["map", "unordered_map"], ["insert", "insert_or_assign"])
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -673,6 +673,8 @@
 | map.cpp:108:7:108:8 | ref arg m5 | map.cpp:120:7:120:8 | m5 |  |
 | map.cpp:108:7:108:8 | ref arg m5 | map.cpp:126:7:126:8 | m5 |  |
 | map.cpp:108:7:108:8 | ref arg m5 | map.cpp:249:1:249:1 | m5 |  |
+| map.cpp:108:34:108:39 | call to source | map.cpp:108:7:108:8 | ref arg m5 | TAINT |
+| map.cpp:108:34:108:39 | call to source | map.cpp:108:10:108:25 | call to insert_or_assign | TAINT |
 | map.cpp:108:44:108:48 | first | map.cpp:108:7:108:48 | call to iterator |  |
 | map.cpp:109:7:109:8 | ref arg m6 | map.cpp:115:7:115:8 | m6 |  |
 | map.cpp:109:7:109:8 | ref arg m6 | map.cpp:121:7:121:8 | m6 |  |
@@ -685,6 +687,8 @@
 | map.cpp:109:27:109:28 | ref arg m6 | map.cpp:127:7:127:8 | m6 |  |
 | map.cpp:109:27:109:28 | ref arg m6 | map.cpp:249:1:249:1 | m6 |  |
 | map.cpp:109:30:109:34 | call to begin | map.cpp:109:27:109:36 | call to iterator | TAINT |
+| map.cpp:109:46:109:51 | call to source | map.cpp:109:7:109:8 | ref arg m6 | TAINT |
+| map.cpp:109:46:109:51 | call to source | map.cpp:109:10:109:25 | call to insert_or_assign | TAINT |
 | map.cpp:110:7:110:8 | m1 | map.cpp:110:7:110:8 | call to map |  |
 | map.cpp:111:7:111:8 | m2 | map.cpp:111:7:111:8 | call to map |  |
 | map.cpp:112:7:112:8 | m3 | map.cpp:112:7:112:8 | call to map |  |
@@ -1312,6 +1316,8 @@
 | map.cpp:260:7:260:8 | ref arg m5 | map.cpp:272:7:272:8 | m5 |  |
 | map.cpp:260:7:260:8 | ref arg m5 | map.cpp:278:7:278:8 | m5 |  |
 | map.cpp:260:7:260:8 | ref arg m5 | map.cpp:398:1:398:1 | m5 |  |
+| map.cpp:260:34:260:39 | call to source | map.cpp:260:7:260:8 | ref arg m5 | TAINT |
+| map.cpp:260:34:260:39 | call to source | map.cpp:260:10:260:25 | call to insert_or_assign | TAINT |
 | map.cpp:260:44:260:48 | first | map.cpp:260:7:260:48 | call to iterator |  |
 | map.cpp:261:7:261:8 | ref arg m6 | map.cpp:267:7:267:8 | m6 |  |
 | map.cpp:261:7:261:8 | ref arg m6 | map.cpp:273:7:273:8 | m6 |  |
@@ -1324,6 +1330,8 @@
 | map.cpp:261:27:261:28 | ref arg m6 | map.cpp:279:7:279:8 | m6 |  |
 | map.cpp:261:27:261:28 | ref arg m6 | map.cpp:398:1:398:1 | m6 |  |
 | map.cpp:261:30:261:34 | call to begin | map.cpp:261:27:261:36 | call to iterator | TAINT |
+| map.cpp:261:46:261:51 | call to source | map.cpp:261:7:261:8 | ref arg m6 | TAINT |
+| map.cpp:261:46:261:51 | call to source | map.cpp:261:10:261:25 | call to insert_or_assign | TAINT |
 | map.cpp:262:7:262:8 | m1 | map.cpp:262:7:262:8 | call to unordered_map |  |
 | map.cpp:263:7:263:8 | m2 | map.cpp:263:7:263:8 | call to unordered_map |  |
 | map.cpp:264:7:264:8 | m3 | map.cpp:264:7:264:8 | call to unordered_map |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -105,14 +105,14 @@ void test_map()
 	sink(m2.insert(std::make_pair("abc", source())).first); // tainted [NOT DETECTED]
 	sink(m3.insert(std::make_pair(source(), "def")).first); // tainted [NOT DETECTED]
 	sink(m4.insert(m4.begin(), std::pair<char *, char *>("abc", source()))); // tainted
-	sink(m5.insert_or_assign("abc", source()).first); // tainted [NOT DETECTED]
-	sink(m6.insert_or_assign(m6.begin(), "abc", source())); // tainted [NOT DETECTED]
+	sink(m5.insert_or_assign("abc", source()).first); // tainted
+	sink(m6.insert_or_assign(m6.begin(), "abc", source())); // tainted
 	sink(m1);
 	sink(m2); // tainted
 	sink(m3); // tainted
 	sink(m4); // tainted
-	sink(m5); // tainted [NOT DETECTED]
-	sink(m6); // tainted [NOT DETECTED]
+	sink(m5); // tainted
+	sink(m6); // tainted
 	sink(m1.find("abc"));
 	sink(m2.find("abc")); // tainted [NOT DETECTED]
 	sink(m3.find("abc"));
@@ -257,14 +257,14 @@ void test_unordered_map()
 	sink(m2.insert(std::make_pair("abc", source())).first); // tainted [NOT DETECTED]
 	sink(m3.insert(std::make_pair(source(), "def")).first); // tainted [NOT DETECTED]
 	sink(m4.insert(m4.begin(), std::pair<char *, char *>("abc", source()))); // tainted
-	sink(m5.insert_or_assign("abc", source()).first); // tainted [NOT DETECTED]
-	sink(m6.insert_or_assign(m6.begin(), "abc", source())); // tainted [NOT DETECTED]
+	sink(m5.insert_or_assign("abc", source()).first); // tainted
+	sink(m6.insert_or_assign(m6.begin(), "abc", source())); // tainted
 	sink(m1);
 	sink(m2); // tainted
 	sink(m3); // tainted
 	sink(m4); // tainted
-	sink(m5); // tainted [NOT DETECTED]
-	sink(m6); // tainted [NOT DETECTED]
+	sink(m5); // tainted
+	sink(m6); // tainted
 	sink(m1.find("abc"));
 	sink(m2.find("abc")); // tainted [NOT DETECTED]
 	sink(m3.find("abc"));

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -47,9 +47,12 @@
 | map.cpp:86:7:86:32 | call to pair | map.cpp:86:24:86:29 | call to source |
 | map.cpp:92:7:92:7 | call to pair | map.cpp:91:33:91:38 | call to source |
 | map.cpp:107:10:107:15 | call to insert | map.cpp:107:62:107:67 | call to source |
+| map.cpp:109:10:109:25 | call to insert_or_assign | map.cpp:109:46:109:51 | call to source |
 | map.cpp:111:7:111:8 | call to map | map.cpp:105:39:105:44 | call to source |
 | map.cpp:112:7:112:8 | call to map | map.cpp:106:32:106:37 | call to source |
 | map.cpp:113:7:113:8 | call to map | map.cpp:107:62:107:67 | call to source |
+| map.cpp:114:7:114:8 | call to map | map.cpp:108:34:108:39 | call to source |
+| map.cpp:115:7:115:8 | call to map | map.cpp:109:46:109:51 | call to source |
 | map.cpp:134:7:134:8 | call to map | map.cpp:105:39:105:44 | call to source |
 | map.cpp:135:7:135:8 | call to map | map.cpp:105:39:105:44 | call to source |
 | map.cpp:136:7:136:8 | call to map | map.cpp:105:39:105:44 | call to source |
@@ -92,9 +95,12 @@
 | map.cpp:226:7:226:9 | call to map | map.cpp:221:39:221:44 | call to source |
 | map.cpp:226:7:226:9 | call to map | map.cpp:221:49:221:54 | call to source |
 | map.cpp:259:10:259:15 | call to insert | map.cpp:259:62:259:67 | call to source |
+| map.cpp:261:10:261:25 | call to insert_or_assign | map.cpp:261:46:261:51 | call to source |
 | map.cpp:263:7:263:8 | call to unordered_map | map.cpp:257:39:257:44 | call to source |
 | map.cpp:264:7:264:8 | call to unordered_map | map.cpp:258:32:258:37 | call to source |
 | map.cpp:265:7:265:8 | call to unordered_map | map.cpp:259:62:259:67 | call to source |
+| map.cpp:266:7:266:8 | call to unordered_map | map.cpp:260:34:260:39 | call to source |
+| map.cpp:267:7:267:8 | call to unordered_map | map.cpp:261:46:261:51 | call to source |
 | map.cpp:286:7:286:8 | call to unordered_map | map.cpp:257:39:257:44 | call to source |
 | map.cpp:287:7:287:8 | call to unordered_map | map.cpp:257:39:257:44 | call to source |
 | map.cpp:288:7:288:8 | call to unordered_map | map.cpp:257:39:257:44 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -44,9 +44,12 @@
 | map.cpp:96:9:96:14 | map.cpp:91:33:91:38 | IR only |
 | map.cpp:105:7:105:54 | map.cpp:105:39:105:44 | IR only |
 | map.cpp:106:7:106:54 | map.cpp:106:32:106:37 | IR only |
+| map.cpp:108:7:108:48 | map.cpp:108:34:108:39 | IR only |
 | map.cpp:111:7:111:8 | map.cpp:105:39:105:44 | AST only |
 | map.cpp:112:7:112:8 | map.cpp:106:32:106:37 | AST only |
 | map.cpp:113:7:113:8 | map.cpp:107:62:107:67 | AST only |
+| map.cpp:114:7:114:8 | map.cpp:108:34:108:39 | AST only |
+| map.cpp:115:7:115:8 | map.cpp:109:46:109:51 | AST only |
 | map.cpp:134:7:134:8 | map.cpp:105:39:105:44 | AST only |
 | map.cpp:135:7:135:8 | map.cpp:105:39:105:44 | AST only |
 | map.cpp:136:7:136:8 | map.cpp:105:39:105:44 | AST only |
@@ -90,9 +93,12 @@
 | map.cpp:226:7:226:9 | map.cpp:221:49:221:54 | AST only |
 | map.cpp:257:7:257:54 | map.cpp:257:39:257:44 | IR only |
 | map.cpp:258:7:258:54 | map.cpp:258:32:258:37 | IR only |
+| map.cpp:260:7:260:48 | map.cpp:260:34:260:39 | IR only |
 | map.cpp:263:7:263:8 | map.cpp:257:39:257:44 | AST only |
 | map.cpp:264:7:264:8 | map.cpp:258:32:258:37 | AST only |
 | map.cpp:265:7:265:8 | map.cpp:259:62:259:67 | AST only |
+| map.cpp:266:7:266:8 | map.cpp:260:34:260:39 | AST only |
+| map.cpp:267:7:267:8 | map.cpp:261:46:261:51 | AST only |
 | map.cpp:286:7:286:8 | map.cpp:257:39:257:44 | AST only |
 | map.cpp:287:7:287:8 | map.cpp:257:39:257:44 | AST only |
 | map.cpp:288:7:288:8 | map.cpp:257:39:257:44 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected

@@ -81,6 +81,8 @@
 | map.cpp:105:7:105:54 | call to iterator | map.cpp:105:39:105:44 | call to source |
 | map.cpp:106:7:106:54 | call to iterator | map.cpp:106:32:106:37 | call to source |
 | map.cpp:107:10:107:15 | call to insert | map.cpp:107:62:107:67 | call to source |
+| map.cpp:108:7:108:48 | call to iterator | map.cpp:108:34:108:39 | call to source |
+| map.cpp:109:10:109:25 | call to insert_or_assign | map.cpp:109:46:109:51 | call to source |
 | map.cpp:151:8:151:10 | call to pair | map.cpp:105:39:105:44 | call to source |
 | map.cpp:152:12:152:16 | first | map.cpp:105:39:105:44 | call to source |
 | map.cpp:153:12:153:17 | second | map.cpp:105:39:105:44 | call to source |
@@ -92,6 +94,8 @@
 | map.cpp:257:7:257:54 | call to iterator | map.cpp:257:39:257:44 | call to source |
 | map.cpp:258:7:258:54 | call to iterator | map.cpp:258:32:258:37 | call to source |
 | map.cpp:259:10:259:15 | call to insert | map.cpp:259:62:259:67 | call to source |
+| map.cpp:260:7:260:48 | call to iterator | map.cpp:260:34:260:39 | call to source |
+| map.cpp:261:10:261:25 | call to insert_or_assign | map.cpp:261:46:261:51 | call to source |
 | map.cpp:303:8:303:10 | call to pair | map.cpp:257:39:257:44 | call to source |
 | map.cpp:304:12:304:16 | first | map.cpp:257:39:257:44 | call to source |
 | map.cpp:305:12:305:17 | second | map.cpp:257:39:257:44 | call to source |