
Commit c17a36e

committed
C++: Add more test cases for taint through qualifiers.
1 parent 92d57ab commit c17a36e

3 files changed

Lines changed: 41 additions & 20 deletions


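--- a/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected
@@ -2,22 +2,22 @@
 | tests.cpp:115:5:115:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
 | tests.cpp:117:5:117:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
 | tests.cpp:117:5:117:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
-| tests.cpp:180:7:180:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:180:7:180:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:180:7:180:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
-| tests.cpp:181:6:181:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
-| tests.cpp:181:6:181:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
-| tests.cpp:209:7:209:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
-| tests.cpp:209:7:209:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
-| tests.cpp:305:5:305:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:305:5:305:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:305:5:305:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:305:5:305:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:305:5:305:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
-| tests.cpp:307:6:307:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
-| tests.cpp:307:6:307:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:183:7:183:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:183:7:183:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:183:7:183:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
+| tests.cpp:184:6:184:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
+| tests.cpp:184:6:184:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
+| tests.cpp:212:7:212:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:212:7:212:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
+| tests.cpp:323:5:323:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:323:5:323:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:323:5:323:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:323:5:323:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:323:5:323:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
+| tests.cpp:325:6:325:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
+| tests.cpp:325:6:325:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |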

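--- a/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
@@ -24,6 +24,7 @@ private class TestSources extends SourceModelCsv {
 ";MyClass;true;memberRemoteMadSourceVar;;;;remote",
 ";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
 ";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
+";MyClass;true;qualifierSource;;;Argument[-1];remote",
 ";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
 ]
 }
@@ -44,6 +45,8 @@ private class TestSinks extends SinkModelCsv {
 ";;false;madSinkVar;;;;test-sink", ";;false;madSinkParam0;;;Parameter[0];test-sink",
 ";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
 ";MyClass;true;memberMadSinkVar;;;;test-sink",
+";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
+";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
 "MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
 "MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
 "MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",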
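Review bot: The three added rows use `Argument[-1]` and the range `Argument[-1..0]` with no comment saying that index -1 stands for the call's qualifier, which a reader of these CSV rows cannot tell from the row alone. A one-line comment above the new sink rows would make the intent of the range explicit, for example `// Argument[-1] is the qualifier; -1..0 covers the qualifier and argument 0`. The same remark applies to the `qualifierSource` row in TestSources. Both model lists begin outside the hunks shown.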

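--- a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -171,10 +171,13 @@ class MyClass {
 int memberRemoteMadSource(); // $ interpretElement
 void memberRemoteMadSourceIndirectArg0(int *x); // $ interpretElement
 int memberRemoteMadSourceVar; // $ interpretElement
+void qualifierSource(); // $ interpretElement
 
 // sinks
 void memberMadSinkArg0(int x); // $ interpretElement
 int memberMadSinkVar; // $ interpretElement
+void qualifierSink(); // $ interpretElement
+void qualifierArg0Sink(int x); // $ interpretElement
 
 // summaries
 void madArg0ToSelf(int x); // $ interpretElement
@@ -213,7 +216,7 @@ namespace MyNamespace {
 MyNamespace::MyClass source3();
 
 void test_class_members() {
-MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7;
+MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9;
 MyClass *ptr, *mc4_ptr;
 MyDerivedClass mdc;
 MyNamespace::MyClass mnc, mnc2;
@@ -293,6 +296,21 @@ void test_class_members() {
 
 mc7.madArg0ToField(source());
 sink(mc7.madFieldToReturn()); // $ MISSING: ir
+
+// test taint through qualifier
+
+sink(mc8);
+mc8.qualifierArg0Sink(0);
+mc8.qualifierArg0Sink(source()); // $ ir
+
+mc9 = source2();
+mc9.qualifierSink(); // $ ir
+mc9.qualifierArg0Sink(0); // $ ir
+
+mc8.qualifierSource();
+sink(mc8); // $ ir
+mc8.qualifierSink(); // $ ir
+mc9.qualifierArg0Sink(0); // $ ir
 }
 
 // --- MAD cases involving function pointers ---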
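Review bot: The last added call, `mc9.qualifierArg0Sink(0); // $ ir` at new line 313, repeats the check already made at new line 308, even though it sits in the group that taints mc8 through `qualifierSource()`, so it looks like a copy-paste of the mc9 case. If the intent is to cover a qualifier tainted by the `Argument[-1]` source model reaching the `Argument[-1..0]` sink, the line should probably read `mc8.qualifierArg0Sink(0); // $ ir`. As written, that source-to-range-sink path has no test, so a regression in it would go unnoticed. The unannotated `sink(mc8);` and `mc8.qualifierArg0Sink(0);` at new lines 302 and 303 would also read better with a short comment marking them as clean baseline checks, for example `// clean: mc8 is not tainted yet`. test_class_members starts outside this hunk.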
