C++: Add more test cases for taint through qualifier fields.

2026-04-26 17:25:19 +02:00 · 2024-03-13 16:10:45 +00:00
parent 6019a38266
commit f52b6e0449
3 changed files with 35 additions and 21 deletions
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -2,22 +2,22 @@
 | tests.cpp:126:5:126:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:129:5:129:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:129:5:129:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
-| tests.cpp:218:7:218:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:218:7:218:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:218:7:218:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:219:6:219:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
-| tests.cpp:219:6:219:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
-| tests.cpp:247:7:247:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
-| tests.cpp:247:7:247:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
-| tests.cpp:358:5:358:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:358:5:358:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:358:5:358:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:358:5:358:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:358:5:358:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:360:6:360:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:360:6:360:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:220:7:220:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:220:7:220:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:220:7:220:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:221:6:221:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
+| tests.cpp:221:6:221:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
+| tests.cpp:249:7:249:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:249:7:249:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:370:5:370:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:370:5:370:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:370:5:370:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:370:5:370:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:370:5:370:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:372:6:372:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:372:6:372:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
@@ -27,6 +27,7 @@ private class TestSources extends SourceModelCsv {
        ";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
        ";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
        ";MyClass;true;qualifierSource;;;Argument[-1];remote",
+        ";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
        ";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
      ]
  }
@@ -52,6 +53,7 @@ private class TestSinks extends SinkModelCsv {
        ";MyClass;true;memberMadSinkVar;;;;test-sink",
        ";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
        ";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
+        ";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
        "MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
        "MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
        "MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
--- a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -207,12 +207,14 @@ public:
 	void memberRemoteMadSourceIndirectArg0(int *x); // $ interpretElement
 	int memberRemoteMadSourceVar; // $ interpretElement
 	void qualifierSource(); // $ interpretElement
+	void qualifierFieldSource(); // $ interpretElement

 	// sinks
 	void memberMadSinkArg0(int x); // $ interpretElement
 	int memberMadSinkVar; // $ interpretElement
 	void qualifierSink(); // $ interpretElement
 	void qualifierArg0Sink(int x); // $ interpretElement
+	void qualifierFieldSink(); // $ interpretElement

 	// summaries
 	void madArg0ToSelf(int x); // $ interpretElement
@@ -251,7 +253,7 @@ namespace MyNamespace {
 MyNamespace::MyClass source3();

 void test_class_members() {
-	MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9;
+	MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9, mc10, mc11;
 	MyClass *ptr, *mc4_ptr;
 	MyDerivedClass mdc;
 	MyNamespace::MyClass mnc, mnc2;
@@ -332,7 +334,7 @@ void test_class_members() {
 	mc7.madArg0ToField(source());
 	sink(mc7.madFieldToReturn()); // $ MISSING: ir

-	// test taint through qualifier
+	// test taint involving qualifier

 	sink(mc8);
 	mc8.qualifierArg0Sink(0);
@@ -346,6 +348,16 @@ void test_class_members() {
 	sink(mc8); // $ ir
 	mc8.qualifierSink(); // $ ir
 	mc9.qualifierArg0Sink(0); // $ ir
+
+	// test taint involving qualifier field
+
+	sink(mc10.val);
+	mc10.qualifierFieldSource();
+	sink(mc10.val); // $ MISSING: ir
+
+	mc11.val = source();
+	sink(mc11.val); // $ ir
+	mc11.qualifierFieldSink(); // $ MISSING: ir
 }

 // --- MAD cases involving function pointers ---