C++: Repair the range based for test.

geoffw0 · geoffw0 · commit 43c8efdf6367 · 2020-08-20T10:19:54.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -13,6 +13,7 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.StdContainer
 private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides models for C++ containers such as `std::vector` and `std::list`.
+ */
+
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * Model standard container constructors.
+ */
+class StdContainerConstructor extends Constructor, TaintFunction {
+  StdContainerConstructor() { this.getDeclaringType().hasQualifiedName("std", "vector") }
+
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * type of thing contained.
+   */
+  int getAnElementParameter() {
+    getParameter(result).getType().getUnspecifiedType().(ReferenceType).getBaseType() =
+      getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any parameter of type `T` to the returned object
+    input.isParameterDeref(getAnElementParameter()) and
+    output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1330,59 +1330,61 @@
 | taint.cpp:483:18:483:19 | ref arg & ... | taint.cpp:483:19:483:19 | n [inner post update] |  |
 | taint.cpp:483:19:483:19 | n | taint.cpp:483:18:483:19 | & ... |  |
 | taint.cpp:483:28:483:34 | source1 | taint.cpp:483:11:483:15 | ref arg & ... | TAINT |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:12:21:12:27 | source1 |  |
-| vector.cpp:8:43:8:49 | source1 | vector.cpp:26:33:26:39 | source1 |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:14:14:14:14 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:38:18:38 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:12:21:12:28 | call to vector | vector.cpp:30:1:30:1 | v |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to begin | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | call to end | vector.cpp:14:14:14:14 | (__end) |  |
-| vector.cpp:14:14:14:14 | call to operator* | vector.cpp:15:8:15:8 | x |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__begin) | vector.cpp:14:14:14:14 | (__begin) |  |
-| vector.cpp:14:14:14:14 | ref arg (__range) | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | (__range) |  |
-| vector.cpp:14:14:14:14 | v | vector.cpp:14:14:14:14 | call to operator* | TAINT |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:38:18:38 | ref arg v | vector.cpp:30:1:30:1 | v |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:40:18:44 | call to begin | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:18:55:18:55 | v |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:22:15:22:15 | v |  |
-| vector.cpp:18:55:18:55 | ref arg v | vector.cpp:30:1:30:1 | v |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:49:18:50 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:18:66:18:67 | it |  |
-| vector.cpp:18:66:18:67 | ref arg it | vector.cpp:19:9:19:10 | it |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to begin | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | call to end | vector.cpp:22:15:22:15 | (__end) |  |
-| vector.cpp:22:15:22:15 | call to operator* | vector.cpp:23:8:23:8 | x |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__begin) | vector.cpp:22:15:22:15 | (__begin) |  |
-| vector.cpp:22:15:22:15 | ref arg (__range) | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | (__range) |  |
-| vector.cpp:22:15:22:15 | v | vector.cpp:22:15:22:15 | call to operator* | TAINT |
-| vector.cpp:26:33:26:40 | call to vector | vector.cpp:27:21:27:27 | const_v |  |
-| vector.cpp:26:33:26:40 | call to vector | vector.cpp:30:1:30:1 | const_v |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to begin | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | call to end | vector.cpp:27:21:27:21 | (__end) |  |
-| vector.cpp:27:21:27:21 | call to operator* | vector.cpp:28:8:28:8 | x |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:21 | ref arg (__begin) | vector.cpp:27:21:27:21 | (__begin) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | (__range) |  |
-| vector.cpp:27:21:27:27 | const_v | vector.cpp:27:21:27:21 | call to operator* | TAINT |
+| vector.cpp:8:43:8:49 | source1 | vector.cpp:9:26:9:32 | source1 |  |
+| vector.cpp:8:43:8:49 | source1 | vector.cpp:23:38:23:44 | source1 |  |
+| vector.cpp:9:21:9:33 | call to vector | vector.cpp:11:14:11:14 | v |  |
+| vector.cpp:9:21:9:33 | call to vector | vector.cpp:15:38:15:38 | v |  |
+| vector.cpp:9:21:9:33 | call to vector | vector.cpp:15:55:15:55 | v |  |
+| vector.cpp:9:21:9:33 | call to vector | vector.cpp:19:15:19:15 | v |  |
+| vector.cpp:9:21:9:33 | call to vector | vector.cpp:27:1:27:1 | v |  |
+| vector.cpp:9:26:9:32 | source1 | vector.cpp:9:21:9:33 | call to vector | TAINT |
+| vector.cpp:11:14:11:14 | call to begin | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | call to begin | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | call to begin | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | call to end | vector.cpp:11:14:11:14 | (__end) |  |
+| vector.cpp:11:14:11:14 | call to operator* | vector.cpp:12:8:12:8 | x |  |
+| vector.cpp:11:14:11:14 | ref arg (__begin) | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | ref arg (__begin) | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | ref arg (__begin) | vector.cpp:11:14:11:14 | (__begin) |  |
+| vector.cpp:11:14:11:14 | ref arg (__range) | vector.cpp:11:14:11:14 | (__range) |  |
+| vector.cpp:11:14:11:14 | v | vector.cpp:11:14:11:14 | (__range) |  |
+| vector.cpp:11:14:11:14 | v | vector.cpp:11:14:11:14 | (__range) |  |
+| vector.cpp:11:14:11:14 | v | vector.cpp:11:14:11:14 | call to operator* | TAINT |
+| vector.cpp:15:38:15:38 | ref arg v | vector.cpp:15:55:15:55 | v |  |
+| vector.cpp:15:38:15:38 | ref arg v | vector.cpp:19:15:19:15 | v |  |
+| vector.cpp:15:38:15:38 | ref arg v | vector.cpp:27:1:27:1 | v |  |
+| vector.cpp:15:40:15:44 | call to begin | vector.cpp:15:49:15:50 | it |  |
+| vector.cpp:15:40:15:44 | call to begin | vector.cpp:15:66:15:67 | it |  |
+| vector.cpp:15:40:15:44 | call to begin | vector.cpp:16:9:16:10 | it |  |
+| vector.cpp:15:55:15:55 | ref arg v | vector.cpp:15:55:15:55 | v |  |
+| vector.cpp:15:55:15:55 | ref arg v | vector.cpp:19:15:19:15 | v |  |
+| vector.cpp:15:55:15:55 | ref arg v | vector.cpp:27:1:27:1 | v |  |
+| vector.cpp:15:66:15:67 | ref arg it | vector.cpp:15:49:15:50 | it |  |
+| vector.cpp:15:66:15:67 | ref arg it | vector.cpp:15:66:15:67 | it |  |
+| vector.cpp:15:66:15:67 | ref arg it | vector.cpp:16:9:16:10 | it |  |
+| vector.cpp:19:15:19:15 | call to begin | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | call to begin | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | call to begin | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | call to end | vector.cpp:19:15:19:15 | (__end) |  |
+| vector.cpp:19:15:19:15 | call to operator* | vector.cpp:20:8:20:8 | x |  |
+| vector.cpp:19:15:19:15 | ref arg (__begin) | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | ref arg (__begin) | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | ref arg (__begin) | vector.cpp:19:15:19:15 | (__begin) |  |
+| vector.cpp:19:15:19:15 | ref arg (__range) | vector.cpp:19:15:19:15 | (__range) |  |
+| vector.cpp:19:15:19:15 | v | vector.cpp:19:15:19:15 | (__range) |  |
+| vector.cpp:19:15:19:15 | v | vector.cpp:19:15:19:15 | (__range) |  |
+| vector.cpp:19:15:19:15 | v | vector.cpp:19:15:19:15 | call to operator* | TAINT |
+| vector.cpp:23:33:23:45 | call to vector | vector.cpp:24:21:24:27 | const_v |  |
+| vector.cpp:23:33:23:45 | call to vector | vector.cpp:27:1:27:1 | const_v |  |
+| vector.cpp:23:38:23:44 | source1 | vector.cpp:23:33:23:45 | call to vector | TAINT |
+| vector.cpp:24:21:24:21 | call to begin | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:21 | call to begin | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:21 | call to begin | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:21 | call to end | vector.cpp:24:21:24:21 | (__end) |  |
+| vector.cpp:24:21:24:21 | call to operator* | vector.cpp:25:8:25:8 | x |  |
+| vector.cpp:24:21:24:21 | ref arg (__begin) | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:21 | ref arg (__begin) | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:21 | ref arg (__begin) | vector.cpp:24:21:24:21 | (__begin) |  |
+| vector.cpp:24:21:24:27 | const_v | vector.cpp:24:21:24:21 | (__range) |  |
+| vector.cpp:24:21:24:27 | const_v | vector.cpp:24:21:24:21 | (__range) |  |
+| vector.cpp:24:21:24:27 | const_v | vector.cpp:24:21:24:21 | call to operator* | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -117,6 +117,7 @@ namespace std {
 		vector() noexcept(noexcept(Allocator())) : vector(Allocator()) { }
 		explicit vector(const Allocator&) noexcept;
 		explicit vector(size_type n, const Allocator& = Allocator());
+		vector(size_type n, const T& value, const Allocator& = Allocator()); 
 		~vector();
 
 		vector& operator=(const vector& x);
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -166,3 +166,6 @@
 | taint.cpp:470:7:470:7 | x | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:471:7:471:7 | y | taint.cpp:462:6:462:11 | call to source |
 | taint.cpp:485:7:485:10 | line | taint.cpp:480:26:480:32 | source1 |
+| vector.cpp:12:8:12:8 | x | vector.cpp:8:43:8:49 | source1 |
+| vector.cpp:20:8:20:8 | x | vector.cpp:8:43:8:49 | source1 |
+| vector.cpp:25:8:25:8 | x | vector.cpp:8:43:8:49 | source1 |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -101,3 +101,6 @@
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:471:7:471:7 | taint.cpp:462:6:462:11 | AST only |
+| vector.cpp:12:8:12:8 | vector.cpp:8:43:8:49 | AST only |
+| vector.cpp:20:8:20:8 | vector.cpp:8:43:8:49 | AST only |
+| vector.cpp:25:8:25:8 | vector.cpp:8:43:8:49 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -6,10 +6,7 @@ using namespace std;
 void sink(int);
 
 void test_range_based_for_loop_vector(int source1) {
-	// Tainting the vector by allocating a tainted length. This doesn't represent
-	// how a vector would typically get tainted, but it allows this test to avoid
-	// being concerned with std::vector modeling.
-	std::vector<int> v(source1);
+	std::vector<int> v(100, source1);
 
 	for(int x : v) {
 		sink(x); // tainted [NOT DETECTED by IR]
@@ -23,7 +20,7 @@ void test_range_based_for_loop_vector(int source1) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}
 
-	const std::vector<int> const_v(source1);
+	const std::vector<int> const_v(100, source1);
 	for(const int& x : const_v) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}
