C++: Model erase.

cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll

@@ -87,3 +87,19 @@ class StdMapFind extends TaintFunction {
     output.isReturnValue()
   }
 }
+
+/**
+ * The standard map `erase` function.
+ */
+class StdMapErase extends TaintFunction {
+  StdMapErase() {
+    this.hasQualifiedName("std", ["map", "unordered_map"], "erase")
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to iterator return value
+    getType().getUnderlyingType() instanceof Iterator and
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -1123,6 +1123,7 @@
 | map.cpp:221:39:221:44 | call to source | map.cpp:221:13:221:57 | call to pair | TAINT |
 | map.cpp:221:49:221:54 | call to source | map.cpp:221:13:221:57 | call to pair | TAINT |
 | map.cpp:222:7:222:9 | m23 | map.cpp:222:7:222:9 | call to map |  |
+| map.cpp:223:7:223:9 | m23 | map.cpp:223:11:223:15 | call to erase | TAINT |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:224:7:224:9 | m23 |  |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:225:2:225:4 | m23 |  |
 | map.cpp:223:7:223:9 | ref arg m23 | map.cpp:226:7:226:9 | m23 |  |
@@ -1754,6 +1755,7 @@
 | map.cpp:370:39:370:44 | call to source | map.cpp:370:13:370:57 | call to pair | TAINT |
 | map.cpp:370:49:370:54 | call to source | map.cpp:370:13:370:57 | call to pair | TAINT |
 | map.cpp:371:7:371:9 | m23 | map.cpp:371:7:371:9 | call to unordered_map |  |
+| map.cpp:372:7:372:9 | m23 | map.cpp:372:11:372:15 | call to erase | TAINT |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:373:7:373:9 | m23 |  |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:374:2:374:4 | m23 |  |
 | map.cpp:372:7:372:9 | ref arg m23 | map.cpp:375:7:375:9 | m23 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp

@@ -220,7 +220,7 @@ void test_map()
 	m23.insert(std::pair<char *, char *>(source(), source()));
 	m23.insert(std::pair<char *, char *>(source(), source()));
 	sink(m23); // tainted
-	sink(m23.erase(m23.begin())); // tainted [NOT DETECTED]
+	sink(m23.erase(m23.begin())); // tainted
 	sink(m23); // tainted
 	m23.clear();
 	sink(m23); // [FALSE POSITIVE]
@@ -369,7 +369,7 @@ void test_unordered_map()
 	m23.insert(std::pair<char *, char *>(source(), source()));
 	m23.insert(std::pair<char *, char *>(source(), source()));
 	sink(m23); // tainted
-	sink(m23.erase(m23.begin())); // tainted [NOT DETECTED]
+	sink(m23.erase(m23.begin())); // tainted
 	sink(m23); // tainted
 	m23.clear();
 	sink(m23); // [FALSE POSITIVE]

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -99,6 +99,10 @@
 | map.cpp:222:7:222:9 | call to map | map.cpp:220:49:220:54 | call to source |
 | map.cpp:222:7:222:9 | call to map | map.cpp:221:39:221:44 | call to source |
 | map.cpp:222:7:222:9 | call to map | map.cpp:221:49:221:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:39:220:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:49:220:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:39:221:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:49:221:54 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:220:39:220:44 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:220:49:220:54 | call to source |
 | map.cpp:224:7:224:9 | call to map | map.cpp:221:39:221:44 | call to source |
@@ -160,6 +164,10 @@
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:369:49:369:54 | call to source |
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:370:39:370:44 | call to source |
 | map.cpp:371:7:371:9 | call to unordered_map | map.cpp:370:49:370:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:39:369:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:49:369:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:39:370:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:49:370:54 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:369:39:369:44 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:369:49:369:54 | call to source |
 | map.cpp:373:7:373:9 | call to unordered_map | map.cpp:370:39:370:44 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected

@@ -98,6 +98,10 @@
 | map.cpp:159:12:159:17 | second | map.cpp:105:39:105:44 | call to source |
 | map.cpp:165:7:165:27 | ... = ... | map.cpp:165:20:165:25 | call to source |
 | map.cpp:167:7:167:30 | ... = ... | map.cpp:167:23:167:28 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:39:220:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:220:49:220:54 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:39:221:44 | call to source |
+| map.cpp:223:11:223:15 | call to erase | map.cpp:221:49:221:54 | call to source |
 | map.cpp:257:7:257:54 | call to iterator | map.cpp:257:39:257:44 | call to source |
 | map.cpp:258:7:258:54 | call to iterator | map.cpp:258:32:258:37 | call to source |
 | map.cpp:259:10:259:15 | call to insert | map.cpp:259:62:259:67 | call to source |
@@ -118,6 +122,10 @@
 | map.cpp:311:12:311:17 | second | map.cpp:257:39:257:44 | call to source |
 | map.cpp:317:7:317:27 | ... = ... | map.cpp:317:20:317:25 | call to source |
 | map.cpp:319:7:319:30 | ... = ... | map.cpp:319:23:319:28 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:39:369:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:369:49:369:54 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:39:370:44 | call to source |
+| map.cpp:372:11:372:15 | call to erase | map.cpp:370:49:370:54 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
 | movableclass.cpp:45:8:45:9 | s2 | movableclass.cpp:40:23:40:28 | call to source |
 | movableclass.cpp:46:8:46:9 | s3 | movableclass.cpp:42:8:42:13 | call to source |