Model copy-ish constructors for std::pair

Dave Bartolomeo · Dave Bartolomeo · commit 1dae8f62c13b · 2020-10-17T11:33:20.000-04:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -4,6 +4,37 @@
 
 import semmle.code.cpp.models.interfaces.Taint
 
+/**
+ * An instantiation of `std::pair<T1, T2>`.
+ */
+class StdPairClass extends ClassTemplateInstantiation {
+  StdPairClass() { getTemplate().hasQualifiedName("std", "pair") }
+}
+
+/**
+ * Any of the single-parameter constructors of `std::pair` that takes a reference to an
+ * instantiation of `std::pair`. These constructors allow conversion between pair types when the
+ * underlying element types are convertible.
+ */
+class StdPairCopyishConstructor extends Constructor, TaintFunction {
+  StdPairCopyishConstructor() {
+    this.getDeclaringType() instanceof StdPairClass and
+    this.getNumberOfParameters() = 1 and
+    this.getParameter(0).getUnspecifiedType().(ReferenceType).getBaseType().getUnspecifiedType()
+      instanceof StdPairClass
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from the source object to the constructed object
+    input.isParameterDeref(0) and
+    (
+      output.isReturnValue()
+      or
+      output.isQualifierObject()
+    )
+  }
+}
+
 /**
  * Additional model for `std::pair` constructors.
  */
