C++: emplace and emplace_back takes its arguments by universal references, so they should also specify flow as indirections.

MathiasVP · MathiasVP · commit 47ab9ba81b5a · 2021-02-04T11:16:27.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([1 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and
     (
       output.isQualifierObject() or
       output.isReturnValue()
@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
     output.isQualifierObject()
   }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -491,8 +491,8 @@ void test_vector_emplace() {
 	std::vector<int> v1(10), v2(10);
 
 	v1.emplace_back(source());
-	sink(v1); // $ ast MISSING: ir
+	sink(v1); // $ ast,ir
 
 	v2.emplace(v2.begin(), source());
-	sink(v2); // $ ast MISSING: ir
+	sink(v2); // $ ast,ir
 }

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {`
`193`	`193`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`194`	`194`	`// flow from any parameter except the position iterator to qualifier and return value`
`195`	`195`	`// (here we assume taint flow from any constructor parameter to the constructed object)`
`196`		`- input.isParameter([1 .. getNumberOfParameters() - 1]) and`
	`196`	`+ input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and`
`197`	`197`	`(`
`198`	`198`	`output.isQualifierObject() or`
`199`	`199`	`output.isReturnValue()`
`@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {`
`210`	`210`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`211`	`211`	`// flow from any parameter to qualifier`
`212`	`212`	`// (here we assume taint flow from any constructor parameter to the constructed object)`
`213`		`- input.isParameter([0 .. getNumberOfParameters() - 1]) and`
	`213`	`+ input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and`
`214`	`214`	`output.isQualifierObject()`
`215`	`215`	`}`
`216`	`216`	`}`
Original file line number	Diff line number	Diff line change
`@@ -491,8 +491,8 @@ void test_vector_emplace() {`
`491`	`491`	`std::vector<int> v1(10), v2(10);`
`492`	`492`
`493`	`493`	`v1.emplace_back(source());`
`494`		`- sink(v1); // $ ast MISSING: ir`
	`494`	`+ sink(v1); // $ ast,ir`
`495`	`495`
`496`	`496`	`v2.emplace(v2.begin(), source());`
`497`		`- sink(v2); // $ ast MISSING: ir`
	`497`	`+ sink(v2); // $ ast,ir`
`498`	`498`	`}`