

Commit 95ca4b6

committed
C++: Add model for std::vector::insert.
1 parent f61c7ff commit 95ca4b6

5 files changed

Lines changed: 73 additions & 6 deletions


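--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -89,6 +89,42 @@ class StdSequenceContainerFrontBack extends TaintFunction {
 }
 }
 
+/**
+* The standard container function `insert`.
+*/
+class StdSequenceContainerInsert extends TaintFunction {
+StdSequenceContainerInsert() {
+this.hasQualifiedName("std", ["vector", "deque", "list"], "insert")
+}
+
+/**
+* Gets the index of a parameter to this function that is a reference to the
+* value type of the container.
+*/
+int getAValueTypeParameterIndex() {
+getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+}
+
+/**
+* Gets the index of a parameter to this function that is an iterator.
+*/
+int getAnIteratorParameterIndex() { getParameter(result).getType() instanceof Iterator }
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+// flow from parameter to container itself (qualifier) and return value
+(
+input.isQualifierObject() or
+input.isParameterDeref(getAValueTypeParameterIndex()) or
+input.isParameter(getAnIteratorParameterIndex())
+) and
+(
+output.isQualifierObject() or
+output.isReturnValueDeref()
+)
+}
+}
+
 /**
 * The standard container function `assign`.
 */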
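Review bot: `getAnIteratorParameterIndex()` matches the position parameter of every `insert` overload as well as the `first`/`last` pair, so `input.isParameter(getAnIteratorParameterIndex())` in `hasTaintFlow` models taint flowing from the insertion point into the container; the new localTaint.expected rows of the form `call to end | ref arg c | TAINT` are that edge. A position iterator carries no data into the container, so a tainted `pos` (for instance one derived from a different tainted container) would flag the receiver without any tainted element being inserted; either document this over-approximation or restrict the iterator flow to the range overload's first/last parameters. If it stays as is, the doc comment on `getAnIteratorParameterIndex()` could read `Gets the index of a parameter to this function that is an iterator. This includes the position parameter, so taint on the insertion point is propagated to the container as an over-approximation.` Separately, the `insert(const_iterator, std::initializer_list<T>)` overload appears to be matched by neither index predicate, so taint inside a braced list would not reach the container; a test case or a comment noting the gap would help.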

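--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -2388,6 +2388,9 @@
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:84:7:84:8 | v7 | |
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:85:7:85:8 | v7 | |
 | vector.cpp:81:3:81:4 | ref arg v7 | vector.cpp:101:1:101:1 | v7 | |
+| vector.cpp:81:3:81:4 | v7 | vector.cpp:81:6:81:11 | call to insert | TAINT |
+| vector.cpp:81:17:81:22 | call to source | vector.cpp:81:3:81:4 | ref arg v7 | TAINT |
+| vector.cpp:81:17:81:22 | call to source | vector.cpp:81:6:81:11 | call to insert | TAINT |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:84:7:84:8 | v7 | |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:85:7:85:8 | v7 | |
 | vector.cpp:83:7:83:8 | ref arg v7 | vector.cpp:101:1:101:1 | v7 | |
@@ -2403,6 +2406,7 @@
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:93:7:93:8 | v8 | |
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:94:7:94:8 | v8 | |
 | vector.cpp:90:3:90:4 | ref arg v8 | vector.cpp:101:1:101:1 | v8 | |
+| vector.cpp:90:3:90:4 | v8 | vector.cpp:90:6:90:11 | call to insert | TAINT |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:93:7:93:8 | v8 | |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:94:7:94:8 | v8 | |
 | vector.cpp:92:7:92:8 | ref arg v8 | vector.cpp:101:1:101:1 | v8 | |
@@ -2918,6 +2922,7 @@
 | vector.cpp:303:2:303:2 | ref arg d | vector.cpp:312:7:312:7 | d | |
 | vector.cpp:303:2:303:2 | ref arg d | vector.cpp:313:1:313:1 | d | |
 | vector.cpp:303:14:303:19 | call to source | vector.cpp:303:2:303:2 | ref arg d | TAINT |
+| vector.cpp:305:7:305:7 | a | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:306:7:306:7 | a | |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:311:25:311:25 | a | |
 | vector.cpp:305:7:305:7 | ref arg a | vector.cpp:311:36:311:36 | a | |
@@ -2932,11 +2937,16 @@
 | vector.cpp:305:25:305:25 | b | vector.cpp:305:27:305:31 | call to begin | TAINT |
 | vector.cpp:305:25:305:25 | ref arg b | vector.cpp:305:36:305:36 | b | |
 | vector.cpp:305:25:305:25 | ref arg b | vector.cpp:313:1:313:1 | b | |
+| vector.cpp:305:27:305:31 | call to begin | vector.cpp:305:7:305:7 | ref arg a | TAINT |
+| vector.cpp:305:27:305:31 | call to begin | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:305:36:305:36 | b | vector.cpp:305:38:305:40 | call to end | TAINT |
 | vector.cpp:305:36:305:36 | ref arg b | vector.cpp:313:1:313:1 | b | |
+| vector.cpp:305:38:305:40 | call to end | vector.cpp:305:7:305:7 | ref arg a | TAINT |
+| vector.cpp:305:38:305:40 | call to end | vector.cpp:305:9:305:14 | call to insert | TAINT |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:311:25:311:25 | a | |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:311:36:311:36 | a | |
 | vector.cpp:306:7:306:7 | ref arg a | vector.cpp:313:1:313:1 | a | |
+| vector.cpp:308:7:308:7 | c | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:308:7:308:7 | ref arg c | vector.cpp:309:7:309:7 | c | |
 | vector.cpp:308:7:308:7 | ref arg c | vector.cpp:313:1:313:1 | c | |
 | vector.cpp:308:16:308:16 | c | vector.cpp:308:18:308:20 | call to end | TAINT |
@@ -2950,12 +2960,17 @@
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:311:16:311:16 | d | |
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:312:7:312:7 | d | |
 | vector.cpp:308:25:308:25 | ref arg d | vector.cpp:313:1:313:1 | d | |
+| vector.cpp:308:27:308:31 | call to begin | vector.cpp:308:7:308:7 | ref arg c | TAINT |
+| vector.cpp:308:27:308:31 | call to begin | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:308:36:308:36 | d | vector.cpp:308:38:308:40 | call to end | TAINT |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:311:7:311:7 | d | |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:311:16:311:16 | d | |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:312:7:312:7 | d | |
 | vector.cpp:308:36:308:36 | ref arg d | vector.cpp:313:1:313:1 | d | |
+| vector.cpp:308:38:308:40 | call to end | vector.cpp:308:7:308:7 | ref arg c | TAINT |
+| vector.cpp:308:38:308:40 | call to end | vector.cpp:308:9:308:14 | call to insert | TAINT |
 | vector.cpp:309:7:309:7 | ref arg c | vector.cpp:313:1:313:1 | c | |
+| vector.cpp:311:7:311:7 | d | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:311:7:311:7 | ref arg d | vector.cpp:312:7:312:7 | d | |
 | vector.cpp:311:7:311:7 | ref arg d | vector.cpp:313:1:313:1 | d | |
 | vector.cpp:311:16:311:16 | d | vector.cpp:311:18:311:20 | call to end | TAINT |
@@ -2966,6 +2981,10 @@
 | vector.cpp:311:25:311:25 | a | vector.cpp:311:27:311:31 | call to begin | TAINT |
 | vector.cpp:311:25:311:25 | ref arg a | vector.cpp:311:36:311:36 | a | |
 | vector.cpp:311:25:311:25 | ref arg a | vector.cpp:313:1:313:1 | a | |
+| vector.cpp:311:27:311:31 | call to begin | vector.cpp:311:7:311:7 | ref arg d | TAINT |
+| vector.cpp:311:27:311:31 | call to begin | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:311:36:311:36 | a | vector.cpp:311:38:311:40 | call to end | TAINT |
 | vector.cpp:311:36:311:36 | ref arg a | vector.cpp:313:1:313:1 | a | |
+| vector.cpp:311:38:311:40 | call to end | vector.cpp:311:7:311:7 | ref arg d | TAINT |
+| vector.cpp:311:38:311:40 | call to end | vector.cpp:311:9:311:14 | call to insert | TAINT |
 | vector.cpp:312:7:312:7 | ref arg d | vector.cpp:313:1:313:1 | d | |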

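--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -263,6 +263,9 @@
 | vector.cpp:72:10:72:13 | call to back | vector.cpp:69:15:69:20 | call to source |
 | vector.cpp:75:7:75:8 | v6 | vector.cpp:74:17:74:22 | call to source |
 | vector.cpp:76:7:76:18 | access to array | vector.cpp:74:17:74:22 | call to source |
+| vector.cpp:83:7:83:8 | v7 | vector.cpp:81:17:81:22 | call to source |
+| vector.cpp:84:10:84:14 | call to front | vector.cpp:81:17:81:22 | call to source |
+| vector.cpp:85:10:85:13 | call to back | vector.cpp:81:17:81:22 | call to source |
 | vector.cpp:97:7:97:8 | v9 | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:98:10:98:11 | call to at | vector.cpp:96:13:96:18 | call to source |
 | vector.cpp:99:10:99:11 | call to at | vector.cpp:96:13:96:18 | call to source |
@@ -297,4 +300,7 @@
 | vector.cpp:290:7:290:8 | v2 | vector.cpp:289:17:289:30 | call to source |
 | vector.cpp:291:10:291:13 | call to data | vector.cpp:289:17:289:30 | call to source |
 | vector.cpp:292:7:292:18 | access to array | vector.cpp:289:17:289:30 | call to source |
+| vector.cpp:308:9:308:14 | call to insert | vector.cpp:303:14:303:19 | call to source |
+| vector.cpp:309:7:309:7 | c | vector.cpp:303:14:303:19 | call to source |
+| vector.cpp:311:9:311:14 | call to insert | vector.cpp:303:14:303:19 | call to source |
 | vector.cpp:312:7:312:7 | d | vector.cpp:303:14:303:19 | call to source |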

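--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -211,6 +211,9 @@
 | vector.cpp:72:10:72:13 | vector.cpp:69:15:69:20 | AST only |
 | vector.cpp:75:7:75:8 | vector.cpp:74:17:74:22 | AST only |
 | vector.cpp:76:7:76:18 | vector.cpp:74:17:74:22 | AST only |
+| vector.cpp:83:7:83:8 | vector.cpp:81:17:81:22 | AST only |
+| vector.cpp:84:10:84:14 | vector.cpp:81:17:81:22 | AST only |
+| vector.cpp:85:10:85:13 | vector.cpp:81:17:81:22 | AST only |
 | vector.cpp:97:7:97:8 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:98:10:98:11 | vector.cpp:96:13:96:18 | AST only |
 | vector.cpp:99:10:99:11 | vector.cpp:96:13:96:18 | AST only |
@@ -246,4 +249,7 @@
 | vector.cpp:290:7:290:8 | vector.cpp:289:17:289:30 | AST only |
 | vector.cpp:291:10:291:13 | vector.cpp:289:17:289:30 | AST only |
 | vector.cpp:292:7:292:18 | vector.cpp:289:17:289:30 | AST only |
+| vector.cpp:308:9:308:14 | vector.cpp:303:14:303:19 | AST only |
+| vector.cpp:309:7:309:7 | vector.cpp:303:14:303:19 | AST only |
+| vector.cpp:311:9:311:14 | vector.cpp:303:14:303:19 | AST only |
 | vector.cpp:312:7:312:7 | vector.cpp:303:14:303:19 | AST only |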

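--- a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -80,9 +80,9 @@ void test_element_taint(int x) {
 std::vector<int>::const_iterator it = v7.begin();
 v7.insert(it, source());
 }
-sink(v7); // tainted [NOT DETECTED]
-sink(v7.front()); // tainted [NOT DETECTED]
-sink(v7.back());
+sink(v7); // tainted
+sink(v7.front()); // tainted
+sink(v7.back()); // [FALSE POSITIVE]
 
 {
 const std::vector<int> &v8c = v8;
@@ -305,9 +305,9 @@ void test_vector_insert() {
 sink(a.insert(a.end(), b.begin(), b.end()));
 sink(a);
 
-sink(c.insert(c.end(), d.begin(), d.end())); // tainted [NOT DETECTED]
-sink(c); // tainted [NOT DETECTED]
+sink(c.insert(c.end(), d.begin(), d.end())); // tainted
+sink(c); // tainted
 
-sink(d.insert(d.end(), a.begin(), a.end())); // tainted [NOT DETECTED]
+sink(d.insert(d.end(), a.begin(), a.end())); // tainted
 sink(d); // tainted
 }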
