Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 61158e7

Browse files
geoffw0geoffw0
committed
C++: Improve StdContainerConstructor model.
1 parent acd1437 commit 61158e7

1 file changed

Lines changed: 17 additions & 7 deletions

File tree

cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll

Lines changed: 17 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,27 +1,37 @@
11
/**
2-
* Provides models for C++ containers such as `std::vector` and `std::list`.
2+
* Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
33
*/
44

55
import semmle.code.cpp.models.interfaces.Taint
66

77
/**
8-
* Model standard container constructors.
8+
* Additional model for standard container constructors that reference the
9+
* value type of the container (that is, the `T` in `std::vector<T>`). For
10+
* example the fill constructor:
11+
* ```
12+
* std::vector<std::string> v(100, potentially_tainted_string);
13+
* ```
914
*/
1015
class StdContainerConstructor extends Constructor, TaintFunction {
11-
StdContainerConstructor() { this.getDeclaringType().hasQualifiedName("std", "vector") }
16+
StdContainerConstructor() {
17+
this.getDeclaringType().hasQualifiedName("std", "vector") or
18+
this.getDeclaringType().hasQualifiedName("std", "deque") or
19+
this.getDeclaringType().hasQualifiedName("std", "list") or
20+
this.getDeclaringType().hasQualifiedName("std", "forward_list")
21+
}
1222

1323
/**
1424
* Gets the index of a parameter to this function that is a reference to the
15-
* type of thing contained.
25+
* value type of the container.
1626
*/
17-
int getAnElementParameter() {
27+
int getAValueTypeParameter() {
1828
getParameter(result).getType().getUnspecifiedType().(ReferenceType).getBaseType() =
1929
getDeclaringType().getTemplateArgument(0) // i.e. the `T` of this `std::vector<T>`
2030
}
2131

2232
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
23-
// taint flow from any parameter of type `T` to the returned object
24-
input.isParameterDeref(getAnElementParameter()) and
33+
// taint flow from any parameter of the value type to the returned object
34+
input.isParameterDeref(getAValueTypeParameter()) and
2535
output.isReturnValue() // TODO: this should be `isQualifierObject` by our current definitions, but that flow is not yet supported.
2636
}
2737
}

0 commit comments

Comments
 (0)