Merge pull request #5081 from MathiasVP/indirection-in-dataflow-models

geoffw0 · web-flow · commit d41ea6c799ff · 2021-02-04T11:55:34.000Z
C++: Add more indirection flow in dataflow models
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -740,27 +740,6 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
       )
     )
   )
-  or
-  impliedModelFlow(opFrom, iTo)
-}
-
-/**
- * When a `DataFlowFunction` specifies dataflow from a parameter `p` to the return value there should
- * also be dataflow from the parameter dereference (i.e., `*p`) to the return value dereference.
- */
-private predicate impliedModelFlow(Operand opFrom, Instruction iTo) {
-  exists(
-    CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut,
-    int index
-  |
-    call.getStaticCallTarget() = func and
-    func.hasDataFlow(modelIn, modelOut)
-  |
-    modelIn.isParameterOrQualifierAddress(index) and
-    modelOut.isReturnValue() and
-    opFrom = getSideEffectFor(call, index).(ReadSideEffectInstruction).getSideEffectOperand() and
-    iTo = call // TODO: Add write side effects for return values
-  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/IdentityFunction.qll
@@ -32,5 +32,7 @@ private class IdentityFunction extends DataFlowFunction, SideEffectFunction, Ali
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     // These functions simply return the argument value.
     input.isParameter(0) and output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -109,6 +109,8 @@ private class IteratorCrementOperator extends Operator, DataFlowFunction {
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input = iteratorInput and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 }
 
@@ -159,6 +161,8 @@ private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunctio
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -201,6 +205,9 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
     or
     input.isReturnValueDeref() and
     output.isQualifierObject()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([1 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and
     (
       output.isQualifierObject() or
       output.isReturnValue()
@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and
     output.isQualifierObject()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -293,6 +293,9 @@ private class StdIStreamIn extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -319,6 +322,9 @@ private class StdIStreamInNonMember extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -361,6 +367,9 @@ private class StdIStreamRead extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -397,6 +406,9 @@ private class StdIStreamPutBack extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -430,6 +442,9 @@ private class StdIStreamGetLine extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -453,6 +468,9 @@ private class StdGetLine extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -486,6 +504,9 @@ private class StdOStreamOut extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -522,6 +543,9 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
     // flow from first parameter to return value
     input.isParameter(0) and
     output.isReturnValue()
+    or
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -605,6 +629,9 @@ private class StdStreamFunction extends DataFlowFunction, TaintFunction {
     // returns reference to `*this`
     input.isQualifierAddress() and
     output.isReturnValue()
+    or
+    input.isQualifierObject() and
+    output.isReturnValueDeref()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/vector.cpp
@@ -491,8 +491,8 @@ void test_vector_emplace() {
 	std::vector<int> v1(10), v2(10);
 
 	v1.emplace_back(source());
-	sink(v1); // $ ast MISSING: ir
+	sink(v1); // $ ast,ir
 
 	v2.emplace(v2.begin(), source());
-	sink(v2); // $ ast MISSING: ir
+	sink(v2); // $ ast,ir
 }

Original file line number	Diff line number	Diff line change
`@@ -32,5 +32,7 @@ private class IdentityFunction extends DataFlowFunction, SideEffectFunction, Ali`
`32`	`32`	`override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {`
`33`	`33`	`// These functions simply return the argument value.`
`34`	`34`	`input.isParameter(0) and output.isReturnValue()`
	`35`	`+ or`
	`36`	`+ input.isParameterDeref(0) and output.isReturnValueDeref()`
`35`	`37`	`}`
`36`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,8 @@ private class IteratorCrementOperator extends Operator, DataFlowFunction {`
`109`	`109`	`override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {`
`110`	`110`	`input = iteratorInput and`
`111`	`111`	`output.isReturnValue()`
	`112`	`+ or`
	`113`	`+ input.isParameterDeref(0) and output.isReturnValueDeref()`
`112`	`114`	`}`
`113`	`115`	`}`
`114`	`116`
`@@ -159,6 +161,8 @@ private class IteratorAssignArithmeticOperator extends Operator, DataFlowFunctio`
`159`	`161`	`override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {`
`160`	`162`	`input.isParameter(0) and`
`161`	`163`	`output.isReturnValue()`
	`164`	`+ or`
	`165`	`+ input.isParameterDeref(0) and output.isReturnValueDeref()`
`162`	`166`	`}`
`163`	`167`
`164`	`168`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`@@ -201,6 +205,9 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc`
`201`	`205`	`or`
`202`	`206`	`input.isReturnValueDeref() and`
`203`	`207`	`output.isQualifierObject()`
	`208`	`+ or`
	`209`	`+ input.isQualifierObject() and`
	`210`	`+ output.isReturnValueDeref()`
`204`	`211`	`}`
`205`	`212`
`206`	`213`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ class StdVectorEmplace extends TaintFunction {`
`193`	`193`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`194`	`194`	`// flow from any parameter except the position iterator to qualifier and return value`
`195`	`195`	`// (here we assume taint flow from any constructor parameter to the constructed object)`
`196`		`- input.isParameter([1 .. getNumberOfParameters() - 1]) and`
	`196`	`+ input.isParameterDeref([1 .. getNumberOfParameters() - 1]) and`
`197`	`197`	`(`
`198`	`198`	`output.isQualifierObject() or`
`199`	`199`	`output.isReturnValue()`
`@@ -210,7 +210,7 @@ class StdVectorEmplaceBack extends TaintFunction {`
`210`	`210`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`211`	`211`	`// flow from any parameter to qualifier`
`212`	`212`	`// (here we assume taint flow from any constructor parameter to the constructed object)`
`213`		`- input.isParameter([0 .. getNumberOfParameters() - 1]) and`
	`213`	`+ input.isParameterDeref([0 .. getNumberOfParameters() - 1]) and`
`214`	`214`	`output.isQualifierObject()`
`215`	`215`	`}`
`216`	`216`	`}`
Original file line number	Diff line number	Diff line change
`@@ -491,8 +491,8 @@ void test_vector_emplace() {`
`491`	`491`	`std::vector<int> v1(10), v2(10);`
`492`	`492`
`493`	`493`	`v1.emplace_back(source());`
`494`		`- sink(v1); // $ ast MISSING: ir`
	`494`	`+ sink(v1); // $ ast,ir`
`495`	`495`
`496`	`496`	`v2.emplace(v2.begin(), source());`
`497`		`- sink(v2); // $ ast MISSING: ir`
	`497`	`+ sink(v2); // $ ast,ir`
`498`	`498`	`}`