C++: Add sscanf and fscanf model implementations.

MathiasVP · MathiasVP · commit c747914ef2f8 · 2021-02-01T12:54:59.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -25,3 +25,4 @@ private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
 private import implementations.SmartPointer
+private import implementations.Sscanf
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Sscanf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Sscanf.qll
@@ -0,0 +1,88 @@
+/**
+ * Provides implementation classes modeling `sscanf`, `fscanf` and various similar
+ * functions. See `semmle.code.cpp.models.Models` for usage information.
+ */
+
+import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * The standard function `sscanf`, `fscanf` and its assorted variants
+ */
+private class Sscanf extends ArrayFunction, TaintFunction, AliasFunction, SideEffectFunction {
+  Sscanf() {
+    this.hasGlobalOrStdName([
+        "sscanf", // sscanf(src_stream, format, args...)
+        "swscanf", // swscanf(src, format, args...)
+        "fscanf", // fscanf(src_stream, format, args...)
+        "fwscanf" // fwscanf(src_stream, format, args...)
+      ]) or
+    this.hasGlobalName([
+        "_sscanf_l", // _sscanf_l(src, format, locale, args...)
+        "_swscanf_l", // _swscanf_l(src, format, locale, args...)
+        "_snscanf", // _snscanf(src, length, format, args...)
+        "_snscanf_l", // _snscanf_l(src, length, format, locale, args...)
+        "_snwscanf", // _snwscanf(src, length, format, args...)
+        "_snwscanf_l", // _snwscanf_l(src, length, format, locale, args...)
+        "_fscanf_l", // _fscanf_l(src_stream, format, locale, args...)
+        "_fwscanf_l" // _fwscanf_l(src_stream, format, locale, args...)
+      ])
+  }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) {
+    bufParam = [0, getFormatPosition()]
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = [0, getFormatPosition()] }
+
+  private int getLengthPosition() {
+    this.getName().matches("\\_sn%") and
+    result = 1
+  }
+
+  private int getLocalePosition() {
+    this.getName().matches("%\\_l") and
+    (if exists(getLengthPosition()) then result = getLengthPosition() + 2 else result = 2)
+  }
+
+  private int getFormatPosition() { if exists(getLengthPosition()) then result = 2 else result = 1 }
+
+  private int getArgsStartPosition() {
+    exists(int nLength, int nLocale |
+      (if exists(getLocalePosition()) then nLocale = 1 else nLocale = 0) and
+      (if exists(getLengthPosition()) then nLength = 1 else nLength = 0) and
+      result = 2 + nLocale + nLength
+    )
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(0) and
+    output.isParameterDeref(any(int i | i >= getArgsStartPosition()))
+  }
+
+  override predicate parameterNeverEscapes(int index) {
+    index = [0 .. max(getACallToThisFunction().getNumberOfArguments())]
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i >= getArgsStartPosition() and
+    buffer = true and
+    mustWrite = true
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    buffer = true and
+    i = [0, getFormatPosition(), getLocalePosition()]
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp
@@ -123,7 +123,7 @@ void test1()
 	{
 		int i = 0;
 		sink(sscanf(string::source(), "%i", &i));
-		sink(i); // $ MISSING: ast,ir
+		sink(i); // $ ast,ir
 	}
 	{
 		char buffer[256] = {0};
@@ -133,7 +133,7 @@ void test1()
 	{
 		char buffer[256] = {0};
 		sink(sscanf(string::source(), "%s", &buffer));
-		sink(buffer); // $ MISSING: ast,ir
+		sink(buffer); // $ ast,ir
 	}
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -378,23 +378,27 @@
 | format.cpp:114:37:114:50 | call to source | format.cpp:114:18:114:23 | ref arg buffer | TAINT |
 | format.cpp:119:10:119:11 | 0 | format.cpp:120:29:120:29 | i |  |
 | format.cpp:119:10:119:11 | 0 | format.cpp:121:8:121:8 | i |  |
+| format.cpp:120:15:120:19 | 123 | format.cpp:120:28:120:29 | ref arg & ... | TAINT |
 | format.cpp:120:28:120:29 | ref arg & ... | format.cpp:120:29:120:29 | i [inner post update] |  |
 | format.cpp:120:28:120:29 | ref arg & ... | format.cpp:121:8:121:8 | i |  |
 | format.cpp:120:29:120:29 | i | format.cpp:120:28:120:29 | & ... |  |
 | format.cpp:124:10:124:11 | 0 | format.cpp:125:40:125:40 | i |  |
 | format.cpp:124:10:124:11 | 0 | format.cpp:126:8:126:8 | i |  |
+| format.cpp:125:15:125:28 | call to source | format.cpp:125:39:125:40 | ref arg & ... | TAINT |
 | format.cpp:125:39:125:40 | ref arg & ... | format.cpp:125:40:125:40 | i [inner post update] |  |
 | format.cpp:125:39:125:40 | ref arg & ... | format.cpp:126:8:126:8 | i |  |
 | format.cpp:125:40:125:40 | i | format.cpp:125:39:125:40 | & ... |  |
 | format.cpp:129:21:129:24 | {...} | format.cpp:130:32:130:37 | buffer |  |
 | format.cpp:129:21:129:24 | {...} | format.cpp:131:8:131:13 | buffer |  |
 | format.cpp:129:23:129:23 | 0 | format.cpp:129:21:129:24 | {...} | TAINT |
+| format.cpp:130:15:130:22 | Hello. | format.cpp:130:31:130:37 | ref arg & ... | TAINT |
 | format.cpp:130:31:130:37 | ref arg & ... | format.cpp:130:32:130:37 | buffer [inner post update] |  |
 | format.cpp:130:31:130:37 | ref arg & ... | format.cpp:131:8:131:13 | buffer |  |
 | format.cpp:130:32:130:37 | buffer | format.cpp:130:31:130:37 | & ... |  |
 | format.cpp:134:21:134:24 | {...} | format.cpp:135:40:135:45 | buffer |  |
 | format.cpp:134:21:134:24 | {...} | format.cpp:136:8:136:13 | buffer |  |
 | format.cpp:134:23:134:23 | 0 | format.cpp:134:21:134:24 | {...} | TAINT |
+| format.cpp:135:15:135:28 | call to source | format.cpp:135:39:135:45 | ref arg & ... | TAINT |
 | format.cpp:135:39:135:45 | ref arg & ... | format.cpp:135:40:135:45 | buffer [inner post update] |  |
 | format.cpp:135:39:135:45 | ref arg & ... | format.cpp:136:8:136:13 | buffer |  |
 | format.cpp:135:40:135:45 | buffer | format.cpp:135:39:135:45 | & ... |  |

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ void test1()`
`123`	`123`	`{`
`124`	`124`	`int i = 0;`
`125`	`125`	`sink(sscanf(string::source(), "%i", &i));`
`126`		`- sink(i); // $ MISSING: ast,ir`
	`126`	`+ sink(i); // $ ast,ir`
`127`	`127`	`}`
`128`	`128`	`{`
`129`	`129`	`char buffer[256] = {0};`
`@@ -133,7 +133,7 @@ void test1()`
`133`	`133`	`{`
`134`	`134`	`char buffer[256] = {0};`
`135`	`135`	`sink(sscanf(string::source(), "%s", &buffer));`
`136`		`- sink(buffer); // $ MISSING: ast,ir`
	`136`	`+ sink(buffer); // $ ast,ir`
`137`	`137`	`}`
`138`	`138`	`}`
`139`	`139`