

Commit ad9f306

C++: Model taint flow only when the second component of a pair would be tainted.
1 parent 952cc89 commit ad9f306

6 files changed

Lines changed: 22 additions & 183 deletions


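--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdPair.qll
@@ -20,8 +20,9 @@ class StdPairConstructor extends Constructor, TaintFunction {
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // taint flow from any parameter of a value type to the qualifier
-    input.isParameterDeref(getAValueTypeParameterIndex()) and
+    // taint flow from second parameter of a value type to the qualifier
+    getAValueTypeParameterIndex() = 1 and
+    input.isParameterDeref(1) and
     (
       output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
       or
@@ -37,8 +38,8 @@ class StdMakePair extends TaintFunction {
   StdMakePair() { this.hasQualifiedName("std", "make_pair") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // taint flow from any parameter to the returned object
-    input.isParameterDeref([0, 1]) and
+    // taint flow from first parameter to the returned object
+    input.isParameterDeref(1) and
     output.isReturnValue()
   }
 }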
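Review bot: The comment added in StdMakePair.hasTaintFlow says taint flows "from first parameter", but `input.isParameterDeref(1)` selects parameter index 1, which is the second argument of `std::make_pair` (parameter indices are zero-based, and the StdPairConstructor hunk uses the same index 1 under a "second parameter" comment), so the comment contradicts the code and the commit title. It should read `// taint flow from the second parameter (the pair's second component) to the returned object`. Since the removed `[0, 1]` edge means a pair whose only tainted part is its first component now stops taint propagation, it would help a future reader to record that this is deliberate rather than an oversight, e.g. `// the first component is intentionally not modelled; see the commit for the rationale`, presumably to cut false positives from tainted keys. StdMakePair's predicate body is fully visible in this hunk; StdPairConstructor's continues past the first hunk.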
