C++: Change some of the taint flows to data flows.

geoffw0 · geoffw0 · commit 5a3d41879a43 · 2020-09-08T16:49:11.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -298,9 +298,15 @@ class StdBasicOStream extends TemplateClass {
 /**
  * The `std::ostream` function `operator<<` (defined as a member function).
  */
-class StdOStreamOut extends TaintFunction {
+class StdOStreamOut extends DataFlowFunction, TaintFunction {
   StdOStreamOut() { this.hasQualifiedName("std", "basic_ostream", "operator<<") }
 
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from qualifier to return value
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
+  }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
     input.isParameter(0) and
@@ -310,10 +316,6 @@ class StdOStreamOut extends TaintFunction {
     input.isParameter(0) and
     output.isReturnValueDeref()
     or
-    // flow from qualifier to return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
     // reverse flow from returned reference to the qualifier
     input.isReturnValueDeref() and
     output.isQualifierObject()
@@ -323,13 +325,19 @@ class StdOStreamOut extends TaintFunction {
 /**
  * The `std::ostream` function `operator<<` (defined as a non-member function).
  */
-class StdOStreamOutNonMember extends TaintFunction {
+class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
   StdOStreamOutNonMember() {
     this.hasQualifiedName("std", "operator<<") and
     this.getUnspecifiedType().(ReferenceType).getBaseType() =
       any(StdBasicOStream s).getAnInstantiation()
   }
 
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from first parameter to return value
+    input.isParameter(0) and
+    output.isReturnValueDeref()
+  }
+
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from second parameter to first parameter
     input.isParameter(1) and
@@ -339,10 +347,6 @@ class StdOStreamOutNonMember extends TaintFunction {
     input.isParameter(1) and
     output.isReturnValueDeref()
     or
-    // flow from first parameter to return value
-    input.isParameter(0) and
-    output.isReturnValueDeref()
-    or
     // reverse flow from returned reference to the first parameter
     input.isReturnValueDeref() and
     output.isParameterDeref(0)
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1457,13 +1457,11 @@
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:77:7:77:9 | ss1 |  |
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:80:7:80:9 | ss1 |  |
 | stringstream.cpp:75:7:75:9 | ref arg ss1 | stringstream.cpp:82:7:82:9 | ss1 |  |
-| stringstream.cpp:75:7:75:9 | ss1 | stringstream.cpp:75:11:75:11 | call to operator<< | TAINT |
 | stringstream.cpp:75:14:75:17 | 1234 | stringstream.cpp:75:7:75:9 | ref arg ss1 | TAINT |
 | stringstream.cpp:75:14:75:17 | 1234 | stringstream.cpp:75:11:75:11 | call to operator<< | TAINT |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:78:7:78:9 | ss2 |  |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:81:7:81:9 | ss2 |  |
 | stringstream.cpp:76:7:76:9 | ref arg ss2 | stringstream.cpp:83:7:83:9 | ss2 |  |
-| stringstream.cpp:76:7:76:9 | ss2 | stringstream.cpp:76:11:76:11 | call to operator<< | TAINT |
 | stringstream.cpp:76:14:76:19 | source | stringstream.cpp:76:7:76:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:76:14:76:19 | source | stringstream.cpp:76:11:76:11 | call to operator<< | TAINT |
 | stringstream.cpp:77:7:77:9 | ref arg ss1 | stringstream.cpp:80:7:80:9 | ss1 |  |
