C++: Also track flow out of indirect sources.

MathiasVP · MathiasVP · commit 09df318e9e56 · 2023-02-27T14:57:35.000Z
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -15,42 +15,27 @@
 | smart_pointer.cpp:38:14:38:24 | // $ ast,ir | Missing result:ir= |
 | smart_pointer.cpp:46:14:46:24 | // $ ast,ir | Missing result:ir= |
 | string.cpp:31:11:31:21 | // $ ast,ir | Missing result:ir= |
-| string.cpp:33:19:33:29 | // $ ast,ir | Missing result:ir= |
-| string.cpp:39:28:39:38 | // $ ast,ir | Missing result:ir= |
-| string.cpp:43:28:43:38 | // $ ast,ir | Missing result:ir= |
-| string.cpp:46:28:46:38 | // $ ast,ir | Missing result:ir= |
 | string.cpp:57:12:57:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:70:12:70:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:71:12:71:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:93:13:93:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:94:13:94:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:95:13:95:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:114:13:114:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:115:13:115:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:159:13:159:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:162:19:162:29 | // $ ast,ir | Missing result:ir= |
 | string.cpp:163:13:163:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:167:20:167:30 | // $ ast,ir | Missing result:ir= |
 | string.cpp:168:13:168:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:172:13:172:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:177:13:177:23 | // $ ast,ir | Missing result:ir= |
 | string.cpp:185:14:185:24 | // $ ast,ir | Missing result:ir= |
-| string.cpp:199:23:199:33 | // $ ast,ir | Missing result:ir= |
 | string.cpp:200:12:200:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:202:26:202:36 | // $ ast,ir | Missing result:ir= |
 | string.cpp:203:12:203:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:206:12:206:32 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
-| string.cpp:220:26:220:36 | // $ ast,ir | Missing result:ir= |
 | string.cpp:221:12:221:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:224:26:224:36 | // $ ast,ir | Missing result:ir= |
 | string.cpp:225:12:225:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:228:29:228:39 | // $ ast,ir | Missing result:ir= |
 | string.cpp:229:12:229:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:243:30:243:40 | // $ ast,ir | Missing result:ir= |
 | string.cpp:244:12:244:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:247:30:247:40 | // $ ast,ir | Missing result:ir= |
 | string.cpp:248:12:248:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:251:33:251:43 | // $ ast,ir | Missing result:ir= |
 | string.cpp:252:12:252:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:265:12:265:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:275:12:275:22 | // $ ast,ir | Missing result:ir= |
@@ -64,36 +49,25 @@
 | string.cpp:295:12:295:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:301:12:301:32 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
 | string.cpp:303:12:303:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:312:18:312:28 | // $ ast,ir | Missing result:ir= |
 | string.cpp:340:11:340:21 | // $ ast,ir | Missing result:ir= |
 | string.cpp:341:11:341:21 | // $ ast,ir | Missing result:ir= |
 | string.cpp:342:11:342:21 | // $ ast,ir | Missing result:ir= |
 | string.cpp:350:13:350:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:351:20:351:30 | // $ ast,ir | Missing result:ir= |
-| string.cpp:363:42:363:52 | // $ ast,ir | Missing result:ir= |
 | string.cpp:364:13:364:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:436:27:436:37 | // $ ast,ir | Missing result:ir= |
 | string.cpp:437:12:437:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:450:12:450:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:463:12:463:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:466:13:466:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:478:41:478:51 | // $ ast,ir | Missing result:ir= |
 | string.cpp:479:12:479:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:481:42:481:52 | // $ ast,ir | Missing result:ir= |
 | string.cpp:482:13:482:23 | // $ ast,ir | Missing result:ir= |
-| string.cpp:494:43:494:53 | // $ ast,ir | Missing result:ir= |
 | string.cpp:495:12:495:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:498:13:498:33 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
 | string.cpp:511:12:511:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:513:12:513:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:536:33:536:43 | // $ ast,ir | Missing result:ir= |
-| string.cpp:538:36:538:46 | // $ ast,ir | Missing result:ir= |
 | string.cpp:541:12:541:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:542:12:542:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:543:12:543:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:544:12:544:22 | // $ ast,ir | Missing result:ir= |
-| string.cpp:556:41:556:51 | // $ ast,ir | Missing result:ir= |
-| string.cpp:557:44:557:54 | // $ ast,ir | Missing result:ir= |
 | string.cpp:561:12:561:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:562:12:562:22 | // $ ast,ir | Missing result:ir= |
 | string.cpp:563:12:563:22 | // $ ast,ir | Missing result:ir= |
@@ -104,18 +78,11 @@
 | stringstream.cpp:41:13:41:23 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:52:13:52:23 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:53:13:53:33 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
-| stringstream.cpp:56:36:56:46 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:57:55:57:65 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:59:13:59:23 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:60:14:60:24 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:63:33:63:43 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:64:72:64:82 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:66:14:66:24 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:67:14:67:24 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:76:23:76:33 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:78:19:78:29 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:81:13:81:23 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:100:43:100:53 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:103:13:103:23 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:105:13:105:23 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:107:13:107:23 | // $ ast,ir | Missing result:ir= |
@@ -126,41 +93,15 @@
 | stringstream.cpp:149:12:149:22 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:150:12:150:22 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:151:12:151:22 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:162:27:162:37 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:166:27:166:37 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:179:21:179:31 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:196:39:196:49 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:215:31:215:41 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:216:31:216:41 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:223:36:223:46 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:224:36:224:46 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:230:49:230:59 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:239:12:239:22 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:240:12:240:32 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
 | stringstream.cpp:247:12:247:22 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:248:12:248:32 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
 | stringstream.cpp:251:12:251:22 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:252:12:252:22 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:262:47:262:57 | // $ ast,ir | Missing result:ir= |
-| stringstream.cpp:266:80:266:90 | // $ ast,ir | Missing result:ir= |
 | stringstream.cpp:267:13:267:23 | // $ ast,ir | Missing result:ir= |
 | taint.cpp:173:17:173:27 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:374:11:374:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:376:11:376:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:384:11:384:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:393:11:393:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:404:11:404:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:406:11:406:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:414:11:414:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:460:11:460:21 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:469:23:469:33 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:527:13:527:33 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
 | taint.cpp:553:14:553:51 | // $ ast=550:24 ir SPURIOUS: ast=551:6 | Missing result:ir= |
-| taint.cpp:562:15:562:25 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:575:15:575:35 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
-| taint.cpp:668:19:668:29 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:680:19:680:29 | // $ ast,ir | Missing result:ir= |
-| taint.cpp:694:13:694:23 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:52:12:52:22 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:58:12:58:22 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:64:12:64:22 | // $ ast,ir | Missing result:ir= |
@@ -190,9 +131,7 @@
 | vector.cpp:274:13:274:23 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:275:13:275:23 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:285:12:285:22 | // $ ast,ir | Missing result:ir= |
-| vector.cpp:286:19:286:29 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:290:12:290:22 | // $ ast,ir | Missing result:ir= |
-| vector.cpp:291:19:291:29 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:309:11:309:21 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:312:11:312:21 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:324:12:324:22 | // $ ast,ir | Missing result:ir= |
@@ -203,7 +142,6 @@
 | vector.cpp:392:12:392:65 | // $ ast=330:10 ir=330:10 SPURIOUS: ast=389:8 ir=389:8 | Missing result:ir=330:10 |
 | vector.cpp:400:13:400:23 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:429:14:429:24 | // $ ast,ir | Missing result:ir= |
-| vector.cpp:436:14:436:24 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:473:12:473:22 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:482:14:482:24 | // $ ast,ir | Missing result:ir= |
 | vector.cpp:485:14:485:24 | // $ ast,ir | Missing result:ir= |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
@@ -82,7 +82,9 @@ module IRTest {
     TestAllocationConfig() { this = "TestAllocationConfig" }
 
     override predicate isSource(DataFlow::Node source) {
-      source.asConvertedExpr().(FunctionCall).getTarget().getName() = "source"
+      source.asExpr().(FunctionCall).getTarget().getName() = "source"
+      or
+      source.asIndirectExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asParameter().getName().matches("source%")
       or
@@ -95,7 +97,7 @@ module IRTest {
     override predicate isSink(DataFlow::Node sink) {
       exists(FunctionCall call |
         call.getTarget().getName() = "sink" and
-        sink.asExpr() = call.getAnArgument()
+        [sink.asExpr(), sink.asIndirectExpr()] = call.getAnArgument()
       )
     }
 
