Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit f52b6e0

Browse files
geoffw0geoffw0
committed
C++: Add more test cases for taint through qualifier fields.
1 parent 6019a38 commit f52b6e0

3 files changed

Lines changed: 35 additions & 21 deletions

File tree

cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -2,22 +2,22 @@
22
| tests.cpp:126:5:126:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
33
| tests.cpp:129:5:129:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
44
| tests.cpp:129:5:129:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
5-
| tests.cpp:218:7:218:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
6-
| tests.cpp:218:7:218:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
7-
| tests.cpp:218:7:218:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
8-
| tests.cpp:219:6:219:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
9-
| tests.cpp:219:6:219:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
10-
| tests.cpp:247:7:247:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
11-
| tests.cpp:247:7:247:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
12-
| tests.cpp:358:5:358:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
13-
| tests.cpp:358:5:358:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
14-
| tests.cpp:358:5:358:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
15-
| tests.cpp:358:5:358:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
16-
| tests.cpp:358:5:358:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
17-
| tests.cpp:360:6:360:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
18-
| tests.cpp:360:6:360:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
19-
| tests.cpp:360:6:360:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
20-
| tests.cpp:360:6:360:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
21-
| tests.cpp:360:6:360:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
22-
| tests.cpp:360:6:360:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
23-
| tests.cpp:360:6:360:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
5+
| tests.cpp:220:7:220:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
6+
| tests.cpp:220:7:220:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
7+
| tests.cpp:220:7:220:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
8+
| tests.cpp:221:6:221:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
9+
| tests.cpp:221:6:221:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
10+
| tests.cpp:249:7:249:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
11+
| tests.cpp:249:7:249:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
12+
| tests.cpp:370:5:370:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
13+
| tests.cpp:370:5:370:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
14+
| tests.cpp:370:5:370:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
15+
| tests.cpp:370:5:370:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
16+
| tests.cpp:370:5:370:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
17+
| tests.cpp:372:6:372:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
18+
| tests.cpp:372:6:372:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
19+
| tests.cpp:372:6:372:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
20+
| tests.cpp:372:6:372:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
21+
| tests.cpp:372:6:372:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
22+
| tests.cpp:372:6:372:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
23+
| tests.cpp:372:6:372:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |

cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ private class TestSources extends SourceModelCsv {
2727
";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
2828
";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
2929
";MyClass;true;qualifierSource;;;Argument[-1];remote",
30+
";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
3031
";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
3132
]
3233
}
@@ -52,6 +53,7 @@ private class TestSinks extends SinkModelCsv {
5253
";MyClass;true;memberMadSinkVar;;;;test-sink",
5354
";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
5455
";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
56+
";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
5557
"MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
5658
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
5759
"MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -207,12 +207,14 @@ class MyClass {
207207
void memberRemoteMadSourceIndirectArg0(int *x); // $ interpretElement
208208
int memberRemoteMadSourceVar; // $ interpretElement
209209
void qualifierSource(); // $ interpretElement
210+
void qualifierFieldSource(); // $ interpretElement
210211

211212
// sinks
212213
void memberMadSinkArg0(int x); // $ interpretElement
213214
int memberMadSinkVar; // $ interpretElement
214215
void qualifierSink(); // $ interpretElement
215216
void qualifierArg0Sink(int x); // $ interpretElement
217+
void qualifierFieldSink(); // $ interpretElement
216218

217219
// summaries
218220
void madArg0ToSelf(int x); // $ interpretElement
@@ -251,7 +253,7 @@ namespace MyNamespace {
251253
MyNamespace::MyClass source3();
252254

253255
void test_class_members() {
254-
MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9;
256+
MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9, mc10, mc11;
255257
MyClass *ptr, *mc4_ptr;
256258
MyDerivedClass mdc;
257259
MyNamespace::MyClass mnc, mnc2;
@@ -332,7 +334,7 @@ void test_class_members() {
332334
mc7.madArg0ToField(source());
333335
sink(mc7.madFieldToReturn()); // $ MISSING: ir
334336

335-
// test taint through qualifier
337+
// test taint involving qualifier
336338

337339
sink(mc8);
338340
mc8.qualifierArg0Sink(0);
@@ -346,6 +348,16 @@ void test_class_members() {
346348
sink(mc8); // $ ir
347349
mc8.qualifierSink(); // $ ir
348350
mc9.qualifierArg0Sink(0); // $ ir
351+
352+
// test taint involving qualifier field
353+
354+
sink(mc10.val);
355+
mc10.qualifierFieldSource();
356+
sink(mc10.val); // $ MISSING: ir
357+
358+
mc11.val = source();
359+
sink(mc11.val); // $ ir
360+
mc11.qualifierFieldSink(); // $ MISSING: ir
349361
}
350362

351363
// --- MAD cases involving function pointers ---

0 commit comments

Comments
 (0)