
Commit ef9a7c8

committed
C++: Model map::merge.
1 parent b7ab89c commit ef9a7c8

5 files changed

Lines changed: 36 additions & 4 deletions


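--- a/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/StdMap.qll
@@ -112,6 +112,22 @@ class StdMapSwap extends TaintFunction {
 }
 }
 
+/**
+* The standard map `merge` functions.
+*/
+class StdMapMerge extends TaintFunction {
+StdMapMerge() { this.hasQualifiedName("std", ["map", "unordered_map"], "merge") }
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+// container1.merge(container2)
+input.isQualifierObject() and
+output.isParameterDeref(0)
+or
+input.isParameterDeref(0) and
+output.isQualifierObject()
+}
+}
+
 /**
 * The standard map functions `at` and `operator[]`.
 */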
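Review bot: The first disjunct of `StdMapMerge.hasTaintFlow` (`input.isQualifierObject() and output.isParameterDeref(0)`) models a flow that `merge` does not perform: `container1.merge(container2)` moves nodes out of `container2` into `container1`, and `container2` keeps only those of its own elements whose keys already existed in `container1`. As far as the expected results show, this disjunct is what makes `sink(m20)` in `map.cpp` (lines 217 and 366) report taint on a map that was clean before the call, so taint queries built on this model would presumably flag the argument of any `merge` called on a tainted map. If the over-approximation is deliberate, say so next to the disjunct, e.g. `// conservative: also taints container2, although merge only moves nodes from container2 into container1`; otherwise keep only the `isParameterDeref(0)` to `isQualifierObject()` direction and leave the `m20` expectations as not tainted. The name list `["map", "unordered_map"]` also leaves out `multimap` and `unordered_multimap`, which have `merge` as well, so it is worth checking whether they are modelled elsewhere.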

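--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -1027,12 +1027,16 @@
 | map.cpp:211:7:211:9 | m20 | map.cpp:211:7:211:9 | call to map | |
 | map.cpp:212:7:212:9 | m21 | map.cpp:212:7:212:9 | call to map | |
 | map.cpp:213:7:213:9 | m22 | map.cpp:213:7:213:9 | call to map | |
+| map.cpp:214:2:214:4 | m19 | map.cpp:214:12:214:14 | ref arg m20 | TAINT |
 | map.cpp:214:2:214:4 | ref arg m19 | map.cpp:216:7:216:9 | m19 | |
 | map.cpp:214:2:214:4 | ref arg m19 | map.cpp:252:1:252:1 | m19 | |
+| map.cpp:214:12:214:14 | m20 | map.cpp:214:2:214:4 | ref arg m19 | TAINT |
 | map.cpp:214:12:214:14 | ref arg m20 | map.cpp:217:7:217:9 | m20 | |
 | map.cpp:214:12:214:14 | ref arg m20 | map.cpp:252:1:252:1 | m20 | |
+| map.cpp:215:2:215:4 | m21 | map.cpp:215:12:215:14 | ref arg m22 | TAINT |
 | map.cpp:215:2:215:4 | ref arg m21 | map.cpp:218:7:218:9 | m21 | |
 | map.cpp:215:2:215:4 | ref arg m21 | map.cpp:252:1:252:1 | m21 | |
+| map.cpp:215:12:215:14 | m22 | map.cpp:215:2:215:4 | ref arg m21 | TAINT |
 | map.cpp:215:12:215:14 | ref arg m22 | map.cpp:219:7:219:9 | m22 | |
 | map.cpp:215:12:215:14 | ref arg m22 | map.cpp:252:1:252:1 | m22 | |
 | map.cpp:216:7:216:9 | m19 | map.cpp:216:7:216:9 | call to map | |
@@ -1686,12 +1690,16 @@
 | map.cpp:360:7:360:9 | m20 | map.cpp:360:7:360:9 | call to unordered_map | |
 | map.cpp:361:7:361:9 | m21 | map.cpp:361:7:361:9 | call to unordered_map | |
 | map.cpp:362:7:362:9 | m22 | map.cpp:362:7:362:9 | call to unordered_map | |
+| map.cpp:363:2:363:4 | m19 | map.cpp:363:12:363:14 | ref arg m20 | TAINT |
 | map.cpp:363:2:363:4 | ref arg m19 | map.cpp:365:7:365:9 | m19 | |
 | map.cpp:363:2:363:4 | ref arg m19 | map.cpp:418:1:418:1 | m19 | |
+| map.cpp:363:12:363:14 | m20 | map.cpp:363:2:363:4 | ref arg m19 | TAINT |
 | map.cpp:363:12:363:14 | ref arg m20 | map.cpp:366:7:366:9 | m20 | |
 | map.cpp:363:12:363:14 | ref arg m20 | map.cpp:418:1:418:1 | m20 | |
+| map.cpp:364:2:364:4 | m21 | map.cpp:364:12:364:14 | ref arg m22 | TAINT |
 | map.cpp:364:2:364:4 | ref arg m21 | map.cpp:367:7:367:9 | m21 | |
 | map.cpp:364:2:364:4 | ref arg m21 | map.cpp:418:1:418:1 | m21 | |
+| map.cpp:364:12:364:14 | m22 | map.cpp:364:2:364:4 | ref arg m21 | TAINT |
 | map.cpp:364:12:364:14 | ref arg m22 | map.cpp:368:7:368:9 | m22 | |
 | map.cpp:364:12:364:14 | ref arg m22 | map.cpp:418:1:418:1 | m22 | |
 | map.cpp:365:7:365:9 | m19 | map.cpp:365:7:365:9 | call to unordered_map | |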

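--- a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -214,8 +214,8 @@ void test_map()
 m19.merge(m20);
 m21.merge(m22);
 sink(m19); // tainted
-sink(m20); // tainted [NOT DETECTED]
-sink(m21); // tainted [NOT DETECTED]
+sink(m20); // tainted
+sink(m21); // tainted
 sink(m22); // tainted
 
 // erase, clear
@@ -363,8 +363,8 @@ void test_unordered_map()
 m19.merge(m20);
 m21.merge(m22);
 sink(m19); // tainted
-sink(m20); // tainted [NOT DETECTED]
-sink(m21); // tainted [NOT DETECTED]
+sink(m20); // tainted
+sink(m21); // tainted
 sink(m22); // tainted
 
 // erase, clear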

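--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -83,6 +83,8 @@
 | map.cpp:210:7:210:9 | call to map | map.cpp:206:49:206:54 | call to source |
 | map.cpp:213:7:213:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:216:7:216:9 | call to map | map.cpp:206:49:206:54 | call to source |
+| map.cpp:217:7:217:9 | call to map | map.cpp:206:49:206:54 | call to source |
+| map.cpp:218:7:218:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:219:7:219:9 | call to map | map.cpp:209:49:209:54 | call to source |
 | map.cpp:225:7:225:9 | call to map | map.cpp:223:49:223:54 | call to source |
 | map.cpp:225:7:225:9 | call to map | map.cpp:224:49:224:54 | call to source |
@@ -132,6 +134,8 @@
 | map.cpp:359:7:359:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
 | map.cpp:362:7:362:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:365:7:365:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
+| map.cpp:366:7:366:9 | call to unordered_map | map.cpp:355:49:355:54 | call to source |
+| map.cpp:367:7:367:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:368:7:368:9 | call to unordered_map | map.cpp:358:49:358:54 | call to source |
 | map.cpp:374:7:374:9 | call to unordered_map | map.cpp:372:49:372:54 | call to source |
 | map.cpp:374:7:374:9 | call to unordered_map | map.cpp:373:49:373:54 | call to source |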

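--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -58,6 +58,8 @@
 | map.cpp:210:7:210:9 | map.cpp:206:49:206:54 | AST only |
 | map.cpp:213:7:213:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:216:7:216:9 | map.cpp:206:49:206:54 | AST only |
+| map.cpp:217:7:217:9 | map.cpp:206:49:206:54 | AST only |
+| map.cpp:218:7:218:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:219:7:219:9 | map.cpp:209:49:209:54 | AST only |
 | map.cpp:225:7:225:9 | map.cpp:223:49:223:54 | AST only |
 | map.cpp:225:7:225:9 | map.cpp:224:49:224:54 | AST only |
@@ -101,6 +103,8 @@
 | map.cpp:359:7:359:9 | map.cpp:355:49:355:54 | AST only |
 | map.cpp:362:7:362:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:365:7:365:9 | map.cpp:355:49:355:54 | AST only |
+| map.cpp:366:7:366:9 | map.cpp:355:49:355:54 | AST only |
+| map.cpp:367:7:367:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:368:7:368:9 | map.cpp:358:49:358:54 | AST only |
 | map.cpp:374:7:374:9 | map.cpp:372:49:372:54 | AST only |
 | map.cpp:374:7:374:9 | map.cpp:373:49:373:54 | AST only |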
