C++: fix up some iterator taint flows

Robert Marsh · Robert Marsh · commit 2a6c6244073f · 2020-08-27T10:27:53.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -196,7 +196,7 @@ class IteratorFieldMemberOperator extends Operator, TaintFunction {
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierAddress() and
+    input.isQualifierObject() and
     output.isReturnValue()
   }
 }
@@ -211,10 +211,7 @@ class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFuncti
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isQualifierObject() or
-      input.isParameter(0)
-    ) and
+    input.isQualifierObject() and
     output.isReturnValue()
   }
 }
@@ -234,9 +231,6 @@ class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFun
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameter(0) and
-    output.isQualifierObject()
-    or
     input.isQualifierObject() and
     output.isReturnValueDeref()
   }
@@ -252,10 +246,7 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction {
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    (
-      input.isQualifierObject() or
-      input.isParameter(0)
-    ) and
+    input.isQualifierObject() and
     output.isReturnValue()
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ class IteratorFieldMemberOperator extends Operator, TaintFunction {`
`196`	`196`	`}`
`197`	`197`
`198`	`198`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`199`		`- input.isQualifierAddress() and`
	`199`	`+ input.isQualifierObject() and`
`200`	`200`	`output.isReturnValue()`
`201`	`201`	`}`
`202`	`202`	`}`
`@@ -211,10 +211,7 @@ class IteratorBinaryArithmeticMemberOperator extends MemberFunction, TaintFuncti`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`214`		`- (`
`215`		`- input.isQualifierObject() or`
`216`		`- input.isParameter(0)`
`217`		`- ) and`
	`214`	`+ input.isQualifierObject() and`
`218`	`215`	`output.isReturnValue()`
`219`	`216`	`}`
`220`	`217`	`}`
`@@ -234,9 +231,6 @@ class IteratorAssignArithmeticMemberOperator extends MemberFunction, DataFlowFun`
`234`	`231`	`}`
`235`	`232`
`236`	`233`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`237`		`- input.isParameter(0) and`
`238`		`- output.isQualifierObject()`
`239`		`- or`
`240`	`234`	`input.isQualifierObject() and`
`241`	`235`	`output.isReturnValueDeref()`
`242`	`236`	`}`
`@@ -252,10 +246,7 @@ class IteratorArrayMemberOperator extends MemberFunction, TaintFunction {`
`252`	`246`	`}`
`253`	`247`
`254`	`248`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`255`		`- (`
`256`		`- input.isQualifierObject() or`
`257`		`- input.isParameter(0)`
`258`		`- ) and`
	`249`	`+ input.isQualifierObject() and`
`259`	`250`	`output.isReturnValue()`
`260`	`251`	`}`
`261`	`252`	`}`