C++: Reverse taint through operator<<.
1 parent b73ff8d commit 8a143be

6 files changed

Lines changed: 23 additions & 4 deletions


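--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -90,10 +90,17 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
 exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
 call.getTarget() = f and
 inModel.isReturnValueDeref() and
-outModel.isQualifierObject() and
-f.hasTaintFlow(inModel, outModel) and
 nodeFrom.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = call and
-nodeTo.asDefiningArgument() = call.getQualifier()
+f.hasTaintFlow(inModel, outModel) and
+(
+outModel.isQualifierObject() and
+nodeTo.asDefiningArgument() = call.getQualifier()
+or
+exists(int argOutIndex |
+outModel.isParameterDeref(argOutIndex) and
+nodeTo.asDefiningArgument() = call.getArgument(argOutIndex)
+)
+)
 )
 }
 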
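Review bot: The new disjunction at lines 95–103 extends the reverse step to any TaintFunction model whose output is isParameterDeref(i), and nothing in the predicate says why a post-update of the call's return value should flow back into that argument; a why-comment would help the next person adding a model. Suggest, above the `f.hasTaintFlow(inModel, outModel) and` line: `// Reverse step: the returned reference aliases the qualifier/argument (the inner "ss << a" of "ss << a << b"), so a later write through the result is also a write to that object.` Models that pair isReturnValueDeref with isParameterDeref or isQualifierObject should only do so when the return really aliases that object; otherwise this step propagates taint back into an unrelated argument and produces spurious flow. The enclosing predicate localAdditionalTaintStep starts before this hunk.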
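--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -313,6 +313,10 @@ class StdOStreamOut extends TaintFunction {
 // flow from qualifier to return value
 input.isQualifierObject() and
 output.isReturnValueDeref()
+or
+// reverse flow from returned reference to the qualifier
+input.isReturnValueDeref() and
+output.isQualifierObject()
 }
 }
 
@@ -338,5 +342,9 @@ class StdOStreamOutNonMember extends TaintFunction {
 // flow from first parameter to return value
 input.isParameter(0) and
 output.isReturnValueDeref()
+or
+// reverse flow from returned reference to the first parameter
+input.isReturnValueDeref() and
+output.isParameterDeref(0)
 }
 }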
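Review bot: The reverse-flow clauses added at 317–319 and 346–348 are sound only if every function matched by StdOStreamOut and StdOStreamOutNonMember returns a reference to its qualifier or first argument; both classes' characteristic predicates are outside these hunks, so I cannot confirm that from here. Suggest making the assumption explicit in the comment, e.g. `// reverse flow from returned reference to the qualifier (operator<< returns *this, so a later write through the result is a write to the qualifier)`, with the analogous wording for the non-member case. The forward direction uses isParameter(0) while the reverse uses isParameterDeref(0); if that asymmetry is intentional, one clause of explanation would save the next reader a trip to the FunctionInput/FunctionOutput docs.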

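--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1406,6 +1406,7 @@
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:44:7:44:9 | ss3 | |
 | stringstream.cpp:33:7:33:9 | ss3 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
 | stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | TAINT |
+| stringstream.cpp:33:11:33:11 | ref arg call to operator<< | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
 | stringstream.cpp:33:23:33:28 | call to source | stringstream.cpp:33:11:33:11 | ref arg call to operator<< | TAINT |
@@ -1414,6 +1415,7 @@
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:45:7:45:9 | ss4 | |
 | stringstream.cpp:34:7:34:9 | ss4 | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
 | stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | TAINT |
+| stringstream.cpp:34:11:34:11 | ref arg call to operator<< | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
 | stringstream.cpp:34:26:34:30 | 456 | stringstream.cpp:34:11:34:11 | ref arg call to operator<< | TAINT |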

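--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stringstream.cpp
@@ -36,7 +36,7 @@ void test_stringstream_string(int amount)
 
 sink(ss1);
 sink(ss2); // tainted
-sink(ss3); // tainted [NOT DETECTED]
+sink(ss3); // tainted
 sink(ss4); // tainted
 sink(ss5); // tainted
 sink(ss1.str());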

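--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -161,6 +161,7 @@
 | stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:35:11:35:11 | call to operator<< | stringstream.cpp:29:16:29:21 | call to source |
 | stringstream.cpp:38:7:38:9 | ss2 | stringstream.cpp:32:14:32:19 | call to source |
+| stringstream.cpp:39:7:39:9 | ss3 | stringstream.cpp:33:23:33:28 | call to source |
 | stringstream.cpp:40:7:40:9 | ss4 | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:41:7:41:9 | ss5 | stringstream.cpp:29:16:29:21 | call to source |
 | stringstream.cpp:76:11:76:11 | call to operator<< | stringstream.cpp:70:32:70:37 | source |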

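--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -171,6 +171,7 @@
 | stringstream.cpp:34:23:34:23 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:35:11:35:11 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:38:7:38:9 | stringstream.cpp:32:14:32:19 | AST only |
+| stringstream.cpp:39:7:39:9 | stringstream.cpp:33:23:33:28 | AST only |
 | stringstream.cpp:40:7:40:9 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:41:7:41:9 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:76:11:76:11 | stringstream.cpp:70:32:70:37 | AST only |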
