
Commit 46a07fa

committed
C++: Model std::stringstream::str.
1 parent 17ccc13 commit 46a07fa

5 files changed

Lines changed: 53 additions & 7 deletions


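--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -352,3 +352,20 @@ class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
     output.isParameterDeref(0)
   }
 }
+
+/**
+ * The `std::stringstream` function `str`.
+ */
+class StdStringStreamStr extends TaintFunction {
+  StdStringStreamStr() { this.hasQualifiedName("std", "basic_stringstream", "str") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value (if any)
+    input.isQualifierObject() and
+    output.isReturnValue()
+    or
+    // flow from first parameter (if any) to qualifier
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+  }
+}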
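Review bot: The new `StdStringStreamStr` class matches only `std::basic_stringstream::str`, so the same getter/setter pair on `std::basic_ostringstream` and `std::basic_istringstream` stays unmodelled, and taint that reaches a sink through the very common `std::ostringstream oss; oss << user_input; run(oss.str())` pattern is a false negative for every query built on this library. Unless those classes are covered elsewhere in this file, the characteristic predicate could be widened to `this.hasQualifiedName("std", ["basic_stringstream", "basic_istringstream", "basic_ostringstream"], "str")`. The second disjunct is additive: `str(s)` is modelled as adding taint to the qualifier but never clearing it, which is what produces the `[FALSE POSITIVE]` on `sink(ss7)` in the updated test, and the class doc should say so, e.g. `// str(s) replaces the buffer; modelled as taint-in only, so earlier taint on the stream is not cleared`. That parameter-to-qualifier flow will also fire for any single-argument `str` overload, including the C++20 allocator-taking one, which is presumably harmless but worth a comment.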

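--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1425,16 +1425,29 @@
 | stringstream.cpp:35:7:35:9 | ss5 | stringstream.cpp:35:11:35:11 | call to operator<< | |
 | stringstream.cpp:35:14:35:14 | t | stringstream.cpp:35:7:35:9 | ref arg ss5 | TAINT |
 | stringstream.cpp:35:14:35:14 | t | stringstream.cpp:35:11:35:11 | call to operator<< | TAINT |
+| stringstream.cpp:42:7:42:9 | ss1 | stringstream.cpp:42:11:42:13 | call to str | TAINT |
+| stringstream.cpp:43:7:43:9 | ss2 | stringstream.cpp:43:11:43:13 | call to str | TAINT |
+| stringstream.cpp:44:7:44:9 | ss3 | stringstream.cpp:44:11:44:13 | call to str | TAINT |
+| stringstream.cpp:45:7:45:9 | ss4 | stringstream.cpp:45:11:45:13 | call to str | TAINT |
+| stringstream.cpp:46:7:46:9 | ss5 | stringstream.cpp:46:11:46:13 | call to str | TAINT |
 | stringstream.cpp:48:2:48:4 | ref arg ss6 | stringstream.cpp:49:2:49:4 | ss6 | |
 | stringstream.cpp:48:2:48:4 | ref arg ss6 | stringstream.cpp:52:7:52:9 | ss6 | |
+| stringstream.cpp:48:2:48:4 | ss6 | stringstream.cpp:48:6:48:8 | call to str | TAINT |
 | stringstream.cpp:48:10:48:14 | abc | stringstream.cpp:48:10:48:14 | call to basic_string | TAINT |
+| stringstream.cpp:48:10:48:14 | call to basic_string | stringstream.cpp:48:2:48:4 | ref arg ss6 | TAINT |
 | stringstream.cpp:49:2:49:4 | ref arg ss6 | stringstream.cpp:52:7:52:9 | ss6 | |
+| stringstream.cpp:49:2:49:4 | ss6 | stringstream.cpp:49:6:49:8 | call to str | TAINT |
 | stringstream.cpp:49:10:49:15 | call to source | stringstream.cpp:49:10:49:17 | call to basic_string | TAINT |
+| stringstream.cpp:49:10:49:17 | call to basic_string | stringstream.cpp:49:2:49:4 | ref arg ss6 | TAINT |
 | stringstream.cpp:50:2:50:4 | ref arg ss7 | stringstream.cpp:51:2:51:4 | ss7 | |
 | stringstream.cpp:50:2:50:4 | ref arg ss7 | stringstream.cpp:53:7:53:9 | ss7 | |
+| stringstream.cpp:50:2:50:4 | ss7 | stringstream.cpp:50:6:50:8 | call to str | TAINT |
 | stringstream.cpp:50:10:50:15 | call to source | stringstream.cpp:50:10:50:17 | call to basic_string | TAINT |
+| stringstream.cpp:50:10:50:17 | call to basic_string | stringstream.cpp:50:2:50:4 | ref arg ss7 | TAINT |
 | stringstream.cpp:51:2:51:4 | ref arg ss7 | stringstream.cpp:53:7:53:9 | ss7 | |
+| stringstream.cpp:51:2:51:4 | ss7 | stringstream.cpp:51:6:51:8 | call to str | TAINT |
 | stringstream.cpp:51:10:51:14 | abc | stringstream.cpp:51:10:51:14 | call to basic_string | TAINT |
+| stringstream.cpp:51:10:51:14 | call to basic_string | stringstream.cpp:51:2:51:4 | ref arg ss7 | TAINT |
 | stringstream.cpp:55:7:55:9 | ref arg ss8 | stringstream.cpp:58:7:58:9 | ss8 | |
 | stringstream.cpp:56:7:56:9 | ref arg ss9 | stringstream.cpp:59:7:59:9 | ss9 | |
 | stringstream.cpp:57:7:57:10 | ref arg ss10 | stringstream.cpp:60:7:60:10 | ss10 | |
@@ -1470,6 +1483,8 @@
 | stringstream.cpp:78:7:78:9 | ref arg ss2 | stringstream.cpp:81:7:81:9 | ss2 | |
 | stringstream.cpp:78:7:78:9 | ref arg ss2 | stringstream.cpp:83:7:83:9 | ss2 | |
 | stringstream.cpp:78:14:78:15 | ref arg v2 | stringstream.cpp:85:7:85:8 | v2 | |
+| stringstream.cpp:82:7:82:9 | ss1 | stringstream.cpp:82:11:82:13 | call to str | TAINT |
+| stringstream.cpp:83:7:83:9 | ss2 | stringstream.cpp:83:11:83:13 | call to str | TAINT |
 | stringstream.cpp:90:18:90:23 | call to basic_string | stringstream.cpp:92:24:92:25 | s1 | |
 | stringstream.cpp:90:19:90:23 | abc | stringstream.cpp:90:18:90:23 | call to basic_string | TAINT |
 | stringstream.cpp:91:18:91:26 | call to basic_string | stringstream.cpp:93:24:93:25 | s2 | |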

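--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
@@ -40,17 +40,17 @@ void test_stringstream_string(int amount)
 	sink(ss4); // tainted
 	sink(ss5); // tainted
 	sink(ss1.str());
-	sink(ss2.str()); // tainted [NOT DETECTED]
-	sink(ss3.str()); // tainted [NOT DETECTED]
-	sink(ss4.str()); // tainted [NOT DETECTED]
-	sink(ss5.str()); // tainted [NOT DETECTED]
+	sink(ss2.str()); // tainted
+	sink(ss3.str()); // tainted
+	sink(ss4.str()); // tainted
+	sink(ss5.str()); // tainted
 
 	ss6.str("abc");
 	ss6.str(source()); // (overwrites)
 	ss7.str(source());
 	ss7.str("abc"); // (overwrites)
-	sink(ss6); // tainted [NOT DETECTED]
-	sink(ss7);
+	sink(ss6); // tainted
+	sink(ss7); // [FALSE POSITIVE]
 
 	sink(ss8.put('a'));
 	sink(ss9.put(ns_char::source())); // tainted [NOT DETECTED]
@@ -80,7 +80,7 @@ void test_stringstream_int(int source)
 	sink(ss1);
 	sink(ss2); // tainted
 	sink(ss1.str());
-	sink(ss2.str()); // tainted [NOT DETECTED]
+	sink(ss2.str()); // tainted
 	sink(v1);
 	sink(v2); // tainted [NOT DETECTED]
 }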

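--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -164,8 +164,15 @@
 | stringstream.cpp:39:7:39:9 | ss3 | stringstream.cpp:33:23:33:28 | call to source |
 | stringstream.cpp:40:7:40:9 | ss4 | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:41:7:41:9 | ss5 | stringstream.cpp:29:16:29:21 | call to source |
+| stringstream.cpp:43:11:43:13 | call to str | stringstream.cpp:32:14:32:19 | call to source |
+| stringstream.cpp:44:11:44:13 | call to str | stringstream.cpp:33:23:33:28 | call to source |
+| stringstream.cpp:45:11:45:13 | call to str | stringstream.cpp:34:14:34:19 | call to source |
+| stringstream.cpp:46:11:46:13 | call to str | stringstream.cpp:29:16:29:21 | call to source |
+| stringstream.cpp:52:7:52:9 | ss6 | stringstream.cpp:49:10:49:15 | call to source |
+| stringstream.cpp:53:7:53:9 | ss7 | stringstream.cpp:50:10:50:15 | call to source |
 | stringstream.cpp:76:11:76:11 | call to operator<< | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:81:7:81:9 | ss2 | stringstream.cpp:70:32:70:37 | source |
+| stringstream.cpp:83:11:83:13 | call to str | stringstream.cpp:70:32:70:37 | source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |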

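--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -180,8 +180,15 @@
 | stringstream.cpp:39:7:39:9 | stringstream.cpp:33:23:33:28 | AST only |
 | stringstream.cpp:40:7:40:9 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:41:7:41:9 | stringstream.cpp:29:16:29:21 | AST only |
+| stringstream.cpp:43:11:43:13 | stringstream.cpp:32:14:32:19 | AST only |
+| stringstream.cpp:44:11:44:13 | stringstream.cpp:33:23:33:28 | AST only |
+| stringstream.cpp:45:11:45:13 | stringstream.cpp:34:14:34:19 | AST only |
+| stringstream.cpp:46:11:46:13 | stringstream.cpp:29:16:29:21 | AST only |
+| stringstream.cpp:52:7:52:9 | stringstream.cpp:49:10:49:15 | AST only |
+| stringstream.cpp:53:7:53:9 | stringstream.cpp:50:10:50:15 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |
 | stringstream.cpp:81:7:81:9 | stringstream.cpp:70:32:70:37 | AST only |
+| stringstream.cpp:83:11:83:13 | stringstream.cpp:70:32:70:37 | AST only |
 | stringstream.cpp:143:11:143:11 | stringstream.cpp:143:14:143:21 | IR only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:21 | IR only |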
