@@ -51,6 +51,51 @@ class StdMapInsert extends TaintFunction {
5151 }
5252}
5353
54+ /**
55+ * The standard map `emplace` and `emplace_hint` functions.
56+ */
57+ class StdMapEmplace extends TaintFunction {
58+ StdMapEmplace ( ) {
59+ this .hasQualifiedName ( "std" , [ "map" , "unordered_map" ] , [ "emplace" , "emplace_hint" ] )
60+ }
61+
62+ override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
63+ // flow from any parameter to qualifier and return value
64+ // (here we assume taint flow from any constructor parameter to the constructed object)
65+ // (where the return value is a pair, this should really flow just to the first part of it)
66+ input .isParameterDeref ( _) and
67+ (
68+ output .isQualifierObject ( ) or
69+ output .isReturnValue ( )
70+ )
71+ }
72+ }
73+
74+ /**
75+ * The standard map `try_emplace` function.
76+ */
77+ class StdMapTryEmplace extends TaintFunction {
78+ StdMapTryEmplace ( ) { this .hasQualifiedName ( "std" , [ "map" , "unordered_map" ] , "try_emplace" ) }
79+
80+ override predicate hasTaintFlow ( FunctionInput input , FunctionOutput output ) {
81+ // flow from any parameter apart from the key to qualifier and return value
82+ // (here we assume taint flow from any constructor parameter to the constructed object)
83+ // (where the return value is a pair, this should really flow just to the first part of it)
84+ exists ( int arg |
85+ (
86+ getUnspecifiedType ( ) instanceof Iterator and arg != 1
87+ or
88+ not getUnspecifiedType ( ) instanceof Iterator and arg != 0
89+ ) and
90+ input .isParameterDeref ( arg )
91+ ) and
92+ (
93+ output .isQualifierObject ( ) or
94+ output .isReturnValue ( )
95+ )
96+ }
97+ }
98+
5499/**
55100 * The standard map `swap` functions.
56101 */
0 commit comments