C++: Add support for iterator parameters to std::vector::assign.

2025-12-18 01:33:15 +01:00 · 2020-09-02 16:49:18 +01:00
parent 8e9faac363
commit f61c7ffc1a
5 changed files with 22 additions and 4 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -106,9 +106,17 @@ class StdSequenceContainerAssign extends TaintFunction {
      getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
  }

+  /**
+   * Gets the index of a parameter to this function that is an iterator.
+   */
+  int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to string itself (qualifier) and return value
-    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    // flow from parameter to container itself (qualifier)
+    (
+      input.isParameterDeref(getAValueTypeParameterIndex()) or
+      input.isParameter(getAnIteratorParameterIndex())
+    ) and
    output.isQualifierObject()
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2781,17 +2781,21 @@
 | vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:249:25:249:26 | v1 |  |
 | vector.cpp:249:13:249:14 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
 | vector.cpp:249:13:249:14 | v1 | vector.cpp:249:16:249:20 | call to begin | TAINT |
+| vector.cpp:249:16:249:20 | call to begin | vector.cpp:249:3:249:4 | ref arg v4 | TAINT |
 | vector.cpp:249:25:249:26 | ref arg v1 | vector.cpp:277:1:277:1 | v1 |  |
 | vector.cpp:249:25:249:26 | v1 | vector.cpp:249:28:249:30 | call to end | TAINT |
+| vector.cpp:249:28:249:30 | call to end | vector.cpp:249:3:249:4 | ref arg v4 | TAINT |
 | vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:258:8:258:9 | v5 |  |
 | vector.cpp:250:3:250:4 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:250:25:250:26 | v3 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
 | vector.cpp:250:13:250:14 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:250:13:250:14 | v3 | vector.cpp:250:16:250:20 | call to begin | TAINT |
+| vector.cpp:250:16:250:20 | call to begin | vector.cpp:250:3:250:4 | ref arg v5 | TAINT |
 | vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:251:8:251:9 | v3 |  |
 | vector.cpp:250:25:250:26 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:250:25:250:26 | v3 | vector.cpp:250:28:250:30 | call to end | TAINT |
+| vector.cpp:250:28:250:30 | call to end | vector.cpp:250:3:250:4 | ref arg v5 | TAINT |
 | vector.cpp:251:8:251:9 | ref arg v3 | vector.cpp:277:1:277:1 | v3 |  |
 | vector.cpp:251:8:251:9 | v3 | vector.cpp:251:11:251:15 | call to begin | TAINT |
 | vector.cpp:251:11:251:15 | call to begin | vector.cpp:251:3:251:17 | ... = ... |  |
@@ -2812,7 +2816,9 @@
 | vector.cpp:254:3:254:4 | ref arg i2 | vector.cpp:260:8:260:9 | i2 |  |
 | vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:261:8:261:9 | v6 |  |
 | vector.cpp:255:3:255:4 | ref arg v6 | vector.cpp:262:2:262:2 | v6 |  |
+| vector.cpp:255:13:255:14 | call to iterator | vector.cpp:255:3:255:4 | ref arg v6 | TAINT |
 | vector.cpp:255:13:255:14 | i1 | vector.cpp:255:13:255:14 | call to iterator |  |
+| vector.cpp:255:17:255:18 | call to iterator | vector.cpp:255:3:255:4 | ref arg v6 | TAINT |
 | vector.cpp:255:17:255:18 | i2 | vector.cpp:255:17:255:18 | call to iterator |  |
 | vector.cpp:257:8:257:9 | ref arg v4 | vector.cpp:262:2:262:2 | v4 |  |
 | vector.cpp:258:8:258:9 | ref arg v5 | vector.cpp:262:2:262:2 | v5 |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -284,8 +284,10 @@
 | vector.cpp:201:13:201:13 | call to operator[] | vector.cpp:200:14:200:19 | call to source |
 | vector.cpp:242:7:242:8 | v2 | vector.cpp:238:17:238:30 | call to source |
 | vector.cpp:243:7:243:8 | v3 | vector.cpp:239:15:239:20 | call to source |
+| vector.cpp:258:8:258:9 | v5 | vector.cpp:239:15:239:20 | call to source |
 | vector.cpp:259:8:259:9 | i1 | vector.cpp:239:15:239:20 | call to source |
 | vector.cpp:260:8:260:9 | i2 | vector.cpp:239:15:239:20 | call to source |
+| vector.cpp:261:8:261:9 | v6 | vector.cpp:239:15:239:20 | call to source |
 | vector.cpp:273:8:273:9 | v7 | vector.cpp:269:18:269:31 | call to source |
 | vector.cpp:274:8:274:9 | v8 | vector.cpp:270:18:270:35 | call to source |
 | vector.cpp:275:8:275:9 | v9 | vector.cpp:271:18:271:34 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -233,8 +233,10 @@
 | vector.cpp:201:13:201:13 | vector.cpp:200:14:200:19 | AST only |
 | vector.cpp:242:7:242:8 | vector.cpp:238:17:238:30 | AST only |
 | vector.cpp:243:7:243:8 | vector.cpp:239:15:239:20 | AST only |
+| vector.cpp:258:8:258:9 | vector.cpp:239:15:239:20 | AST only |
 | vector.cpp:259:8:259:9 | vector.cpp:239:15:239:20 | AST only |
 | vector.cpp:260:8:260:9 | vector.cpp:239:15:239:20 | AST only |
+| vector.cpp:261:8:261:9 | vector.cpp:239:15:239:20 | AST only |
 | vector.cpp:273:8:273:9 | vector.cpp:269:18:269:31 | AST only |
 | vector.cpp:274:8:274:9 | vector.cpp:270:18:270:35 | AST only |
 | vector.cpp:275:8:275:9 | vector.cpp:271:18:271:34 | AST only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -255,10 +255,10 @@ void test_vector_assign() {
 		v6.assign(i1, i2);

 		sink(v4);
-		sink(v5); // tainted [NOT DETECTED]
+		sink(v5); // tainted
 		sink(i1); // tainted
 		sink(i2); // tainted
-		sink(v6); // tainted [NOT DETECTED]
+		sink(v6); // tainted
 	}

 	{