Revert "C++: Remove the problematic taint tracking rule. It seems like we get the flows from dataflow already now."

MathiasVP · MathiasVP · commit 92d81edae664 · 2020-09-16T14:25:42.000+02:00
This reverts commit 78b24b7.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -257,6 +257,15 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   i2.(ChiInstruction).getPartial() = i1.(WriteSideEffectInstruction) and
   not i2.isResultConflated()
   or
+  // Flow from an element to an array or union that contains it.
+  i2.(ChiInstruction).getPartial() = i1 and
+  not i2.isResultConflated() and
+  exists(Type t | i2.getResultLanguageType().hasType(t, false) |
+    t instanceof Union
+    or
+    t instanceof ArrayType
+  )
+  or
   exists(BinaryInstruction bin |
     bin = i2 and
     predictableInstruction(i2.getAnOperand().getDef()) and
