

Commit 905b04a

committed
C++: Model classes in StdString.qll.
1 parent 346a007 commit 905b04a

1 file changed

Lines changed: 94 additions & 27 deletions


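--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -13,6 +13,11 @@ import semmle.code.cpp.models.interfaces.DataFlow
 */
 private class StdBasicString extends TemplateClass {
 StdBasicString() { this.hasQualifiedName("std", "basic_string") }
+
+Declaration getAnInstMemberNamed(string name) {
+result = getAnInstantiation().getAMember() and
+result.hasName(name)
+}
 }
 
 /**
@@ -24,7 +29,7 @@ private class StdBasicString extends TemplateClass {
 * ```
 */
 private class StdStringConstructor extends Constructor, TaintFunction {
-StdStringConstructor() { this.getDeclaringType().hasQualifiedName("std", "basic_string") }
+StdStringConstructor() { this = any(StdBasicString s).getAnInstantiation().getAMember() }
 
 /**
 * Gets the index of a parameter to this function that is a string (or
@@ -69,7 +74,9 @@ private class StdStringConstructor extends Constructor, TaintFunction {
 * The `std::string` function `c_str`.
 */
 private class StdStringCStr extends TaintFunction {
-StdStringCStr() { this.hasQualifiedName("std", "basic_string", "c_str") }
+StdStringCStr() {
+this = any(StdBasicString s).getAnInstMemberNamed("c_str")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from string itself (qualifier) to return value
@@ -82,7 +89,9 @@ private class StdStringCStr extends TaintFunction {
 * The `std::string` function `data`.
 */
 private class StdStringData extends TaintFunction {
-StdStringData() { this.hasQualifiedName("std", "basic_string", "data") }
+StdStringData() {
+this = any(StdBasicString s).getAnInstMemberNamed("data")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from string itself (qualifier) to return value
@@ -100,7 +109,9 @@ private class StdStringData extends TaintFunction {
 * The `std::string` function `push_back`.
 */
 private class StdStringPush extends TaintFunction {
-StdStringPush() { this.hasQualifiedName("std", "basic_string", "push_back") }
+StdStringPush() {
+this = any(StdBasicString s).getAnInstMemberNamed("push_back")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from parameter to qualifier
@@ -113,7 +124,9 @@ private class StdStringPush extends TaintFunction {
 * The `std::string` functions `front` and `back`.
 */
 private class StdStringFrontBack extends TaintFunction {
-StdStringFrontBack() { this.hasQualifiedName("std", "basic_string", ["front", "back"]) }
+StdStringFrontBack() {
+this = any(StdBasicString s).getAnInstMemberNamed(["front", "back"])
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from object to returned reference
@@ -123,7 +136,7 @@ private class StdStringFrontBack extends TaintFunction {
 }
 
 /**
-* The `std::string` function `operator+`.
+* The (non-member) `std::string` function `operator+`.
 */
 private class StdStringPlus extends TaintFunction {
 StdStringPlus() {
@@ -148,7 +161,7 @@ private class StdStringPlus extends TaintFunction {
 */
 private class StdStringAppend extends TaintFunction {
 StdStringAppend() {
-this.hasQualifiedName("std", "basic_string", ["operator+=", "append", "insert", "replace"])
+this = any(StdBasicString s).getAnInstMemberNamed(["operator+=", "append", "insert", "replace"])
 }
 
 /**
@@ -190,7 +203,9 @@ private class StdStringAppend extends TaintFunction {
 * The standard function `std::string.assign`.
 */
 private class StdStringAssign extends TaintFunction {
-StdStringAssign() { this.hasQualifiedName("std", "basic_string", "assign") }
+StdStringAssign() {
+this = any(StdBasicString s).getAnInstMemberNamed("assign")
+}
 
 /**
 * Gets the index of a parameter to this function that is a string (or
@@ -230,7 +245,9 @@ private class StdStringAssign extends TaintFunction {
 * The standard function `std::string.copy`.
 */
 private class StdStringCopy extends TaintFunction {
-StdStringCopy() { this.hasQualifiedName("std", "basic_string", "copy") }
+StdStringCopy() {
+this = any(StdBasicString s).getAnInstMemberNamed("copy")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // copy(dest, num, pos)
@@ -243,7 +260,9 @@ private class StdStringCopy extends TaintFunction {
 * The standard function `std::string.substr`.
 */
 private class StdStringSubstr extends TaintFunction {
-StdStringSubstr() { this.hasQualifiedName("std", "basic_string", "substr") }
+StdStringSubstr() {
+this = any(StdBasicString s).getAnInstMemberNamed("substr")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // substr(pos, num)
@@ -252,13 +271,25 @@ private class StdStringSubstr extends TaintFunction {
 }
 }
 
+/**
+* The `std::basic_stringstream` template class.
+*/
+private class StdBasicStringStream extends TemplateClass {
+StdBasicStringStream() { this.hasQualifiedName("std", "basic_stringstream") }
+
+Declaration getAnInstMemberNamed(string name) {
+result = getAnInstantiation().getAMember() and
+result.hasName(name)
+}
+}
+
 /**
 * The standard functions `std::string.swap` and `std::stringstream::swap`.
 */
 private class StdStringSwap extends TaintFunction {
 StdStringSwap() {
-this.hasQualifiedName("std", "basic_string", "swap") or
-this.hasQualifiedName("std", "basic_stringstream", "swap")
+this = any(StdBasicString s).getAnInstMemberNamed("swap") or
+this = any(StdBasicStringStream s).getAnInstMemberNamed("swap")
 }
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -275,7 +306,9 @@ private class StdStringSwap extends TaintFunction {
 * The `std::string` functions `at` and `operator[]`.
 */
 private class StdStringAt extends TaintFunction {
-StdStringAt() { this.hasQualifiedName("std", "basic_string", ["at", "operator[]"]) }
+StdStringAt() {
+this = any(StdBasicString s).getAnInstMemberNamed(["at", "operator[]"])
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from qualifier to referenced return value
@@ -293,13 +326,20 @@ private class StdStringAt extends TaintFunction {
 */
 private class StdBasicIStream extends TemplateClass {
 StdBasicIStream() { this.hasQualifiedName("std", "basic_istream") }
+
+Declaration getAnInstMemberNamed(string name) {
+result = getAnInstantiation().getAMember() and
+result.hasName(name)
+}
 }
 
 /**
 * The `std::istream` function `operator>>` (defined as a member function).
 */
 private class StdIStreamIn extends DataFlowFunction, TaintFunction {
-StdIStreamIn() { this.hasQualifiedName("std", "basic_istream", "operator>>") }
+StdIStreamIn() {
+this = any(StdBasicIStream s).getAnInstMemberNamed("operator>>")
+}
 
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // returns reference to `*this`
@@ -350,7 +390,7 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
 */
 private class StdIStreamGet extends TaintFunction {
 StdIStreamGet() {
-this.hasQualifiedName("std", "basic_istream", ["get", "peek"]) and
+this = any(StdBasicIStream s).getAnInstMemberNamed(["get", "peek"]) and
 this.getNumberOfParameters() = 0
 }
 
@@ -366,7 +406,7 @@ private class StdIStreamGet extends TaintFunction {
 */
 private class StdIStreamRead extends DataFlowFunction, TaintFunction {
 StdIStreamRead() {
-this.hasQualifiedName("std", "basic_istream", ["get", "read"]) and
+this = any(StdBasicIStream s).getAnInstMemberNamed(["get", "read"]) and
 this.getNumberOfParameters() > 0
 }
 
@@ -391,7 +431,9 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {
 * The `std::istream` function `readsome`.
 */
 private class StdIStreamReadSome extends TaintFunction {
-StdIStreamReadSome() { this.hasQualifiedName("std", "basic_istream", "readsome") }
+StdIStreamReadSome() {
+this = any(StdBasicIStream s).getAnInstMemberNamed("readsome")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from qualifier to first parameter
@@ -404,7 +446,9 @@ private class StdIStreamReadSome extends TaintFunction {
 * The `std::istream` function `putback`.
 */
 private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
-StdIStreamPutBack() { this.hasQualifiedName("std", "basic_istream", "putback") }
+StdIStreamPutBack() {
+this = any(StdBasicIStream s).getAnInstMemberNamed("putback")
+}
 
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // returns reference to `*this`
@@ -437,7 +481,9 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
 * The `std::istream` function `getline`.
 */
 private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
-StdIStreamGetLine() { this.hasQualifiedName("std", "basic_istream", "getline") }
+StdIStreamGetLine() {
+this = any(StdBasicIStream s).getAnInstMemberNamed("getline")
+}
 
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // returns reference to `*this`
@@ -484,14 +530,21 @@ private class StdGetLine extends DataFlowFunction, TaintFunction {
 */
 private class StdBasicOStream extends TemplateClass {
 StdBasicOStream() { this.hasQualifiedName("std", "basic_ostream") }
+
+Declaration getAnInstMemberNamed(string name) {
+result = getAnInstantiation().getAMember() and
+result.hasName(name)
+}
 }
 
 /**
 * The `std::ostream` functions `operator<<` (defined as a member function),
 * `put` and `write`.
 */
 private class StdOStreamOut extends DataFlowFunction, TaintFunction {
-StdOStreamOut() { this.hasQualifiedName("std", "basic_ostream", ["operator<<", "put", "write"]) }
+StdOStreamOut() {
+this = any(StdBasicOStream s).getAnInstMemberNamed(["operator<<", "put", "write"])
+}
 
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
 // returns reference to `*this`
@@ -556,9 +609,7 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
 * input parameter.
 */
 private class StdStringStreamConstructor extends Constructor, TaintFunction {
-StdStringStreamConstructor() {
-this.getDeclaringType().hasQualifiedName("std", "basic_stringstream")
-}
+StdStringStreamConstructor() { this = any(StdBasicStringStream s).getAnInstantiation().getAMember() }
 
 /**
 * Gets the index of a parameter to this function that is a string.
@@ -582,7 +633,9 @@ private class StdStringStreamConstructor extends Constructor, TaintFunction {
 * The `std::stringstream` function `str`.
 */
 private class StdStringStreamStr extends TaintFunction {
-StdStringStreamStr() { this.hasQualifiedName("std", "basic_stringstream", "str") }
+StdStringStreamStr() {
+this = any(StdBasicStringStream s).getAnInstMemberNamed("str")
+}
 
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 // flow from qualifier to return value (if any)
@@ -595,15 +648,29 @@ private class StdStringStreamStr extends TaintFunction {
 }
 }
 
+/**
+* The `std::basic_ios` template class.
+*/
+private class StdBasicIOS extends TemplateClass {
+StdBasicIOS() { this.hasQualifiedName("std", "basic_ios") }
+
+Declaration getAnInstMemberNamed(string name) {
+result = getAnInstantiation().getAMember() and
+result.hasName(name)
+}
+}
+
 /**
 * A `std::` stream function that does not require a model, except that it
 * returns a reference to `*this` and thus could be used in a chain.
 */
 private class StdStreamFunction extends DataFlowFunction, TaintFunction {
 StdStreamFunction() {
-this.hasQualifiedName("std", "basic_istream", ["ignore", "unget", "seekg"]) or
-this.hasQualifiedName("std", "basic_ostream", ["seekp", "flush"]) or
-this.hasQualifiedName("std", "basic_ios", "copyfmt")
+this = any(StdBasicIStream s).getAnInstMemberNamed(["ignore", "unget", "seekg"])
+or
+this = any(StdBasicOStream s).getAnInstMemberNamed(["seekp", "flush"])
+or
+this = any(StdBasicIOS s).getAnInstMemberNamed("copyfmt")
 }
 
 override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {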
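Review bot: `getAnInstMemberNamed` is added with an identical body to `StdBasicString`, `StdBasicStringStream`, `StdBasicIStream`, `StdBasicOStream` and `StdBasicIOS`, and none of the five copies carries a QLDoc comment. Hoisting it into one shared abstract base class, or at least giving each copy a one-line QLDoc such as `/** Gets a member called name of any instantiation of this template class. */`, would keep the copies from drifting apart. Every taint and data-flow model touched here now matches only declarations returned by `getAnInstantiation().getAMember()`, so a function that the old `hasQualifiedName` test matched but that is not a direct member of an instantiation would silently lose its model. That would surface as missed flow in security queries rather than as an error. The page lists one changed file and no test expectations, so it is worth confirming against the existing taint tests that no previously modelled function dropped out.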
