C++: Add taint model for std::vector::emplace/_back.

criemen · criemen · commit e7e5754270cf · 2020-11-04T16:20:01.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -206,3 +206,34 @@ class StdSequenceContainerAt extends TaintFunction {
     output.isQualifierObject()
   }
 }
+
+/**
+ * The standard vector `emplace` function.
+ */
+class StdVectorEmplace extends TaintFunction {
+  StdVectorEmplace() { this.hasQualifiedName("std", "vector", "emplace") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any parameter except the position iterator to qualifier and return value
+    // (here we assume taint flow from any constructor parameter to the constructed object)
+    input.isParameter([1 .. getNumberOfParameters() - 1]) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValue()
+    )
+  }
+}
+
+/**
+ * The standard vector `emplace_back` function.
+ */
+class StdVectorEmplaceBack extends TaintFunction {
+  StdVectorEmplaceBack() { this.hasQualifiedName("std", "vector", "emplace_back") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any parameter to qualifier
+    // (here we assume taint flow from any constructor parameter to the constructed object)
+    input.isParameter([0 .. getNumberOfParameters() - 1]) and
+    output.isQualifierObject()
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -7240,6 +7240,7 @@
 | vector.cpp:491:30:491:32 | call to vector | vector.cpp:498:1:498:1 | v2 |  |
 | vector.cpp:493:2:493:3 | ref arg v1 | vector.cpp:494:7:494:8 | v1 |  |
 | vector.cpp:493:2:493:3 | ref arg v1 | vector.cpp:498:1:498:1 | v1 |  |
+| vector.cpp:493:18:493:23 | call to source | vector.cpp:493:2:493:3 | ref arg v1 | TAINT |
 | vector.cpp:494:7:494:8 | ref arg v1 | vector.cpp:498:1:498:1 | v1 |  |
 | vector.cpp:496:2:496:3 | ref arg v2 | vector.cpp:497:7:497:8 | v2 |  |
 | vector.cpp:496:2:496:3 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
@@ -7248,4 +7249,6 @@
 | vector.cpp:496:13:496:14 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
 | vector.cpp:496:13:496:14 | v2 | vector.cpp:496:16:496:20 | call to begin | TAINT |
 | vector.cpp:496:16:496:20 | call to begin | vector.cpp:496:13:496:22 | call to iterator | TAINT |
+| vector.cpp:496:25:496:30 | call to source | vector.cpp:496:2:496:3 | ref arg v2 | TAINT |
+| vector.cpp:496:25:496:30 | call to source | vector.cpp:496:5:496:11 | call to emplace | TAINT |
 | vector.cpp:497:7:497:8 | ref arg v2 | vector.cpp:498:1:498:1 | v2 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -668,3 +668,5 @@
 | vector.cpp:482:8:482:10 | src | vector.cpp:478:21:478:37 | call to source |
 | vector.cpp:485:8:485:10 | src | vector.cpp:478:21:478:37 | call to source |
 | vector.cpp:486:8:486:9 | cs | vector.cpp:478:21:478:37 | call to source |
+| vector.cpp:494:7:494:8 | v1 | vector.cpp:493:18:493:23 | call to source |
+| vector.cpp:497:7:497:8 | v2 | vector.cpp:496:25:496:30 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -266,3 +266,5 @@
 | vector.cpp:450:8:450:10 | vector.cpp:449:11:449:16 | AST only |
 | vector.cpp:473:8:473:8 | vector.cpp:468:11:468:16 | AST only |
 | vector.cpp:486:8:486:9 | vector.cpp:478:21:478:37 | AST only |
+| vector.cpp:494:7:494:8 | vector.cpp:493:18:493:23 | AST only |
+| vector.cpp:497:7:497:8 | vector.cpp:496:25:496:30 | AST only |
