

Commit f649939

committed
C++: Allow flow through (previously missing) summary taint steps.
1 parent 2e5f7dc commit f649939

2 files changed

Lines changed: 8 additions & 4 deletions


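--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -6,6 +6,7 @@ private import semmle.code.cpp.models.interfaces.SideEffect
 private import DataFlowUtil
 private import DataFlowPrivate
 private import SsaInternals as Ssa
+private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 
 /**
 * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
@@ -37,6 +38,9 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
 )
 or
 any(Ssa::Indirection ind).isAdditionalTaintStep(nodeFrom, nodeTo)
+or
+// models-as-data summarized flow
+FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(nodeFrom, nodeTo, _)
 }
 
 /**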
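Review bot: The new disjunct at the end of the second hunk discards the summarized callable with `_` and its comment does not say which summaries it covers; the test changes in this same commit leave `madArg0IndirectToReturn`, `madArg0ToField` and `madFieldToReturn` still marked `MISSING`, which suggests only direct argument-to-return taint summaries reach this step. Since this predicate feeds every taint-tracking security query, an unstated scope makes it hard for a query author to tell whether a silent false negative is a modelling gap or a known limitation. Consider widening the comment to `// models-as-data summarized flow (taint-kind summaries; indirect and field summaries appear not to be covered yet, see tests.cpp)`. `localAdditionalTaintStep` begins before this hunk.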
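--- a/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
+++ b/cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp
@@ -129,7 +129,7 @@ void test_summaries() {
 int a, b, c;
 
 sink(madArg0ToReturn(0));
-sink(madArg0ToReturn(source())); // $ MISSING: ir
+sink(madArg0ToReturn(source())); // $ ir
 sink(notASummary(source()));
 sink(madArg0ToReturnValueFlow(0));
 sink(madArg0ToReturnValueFlow(source())); // $ ir
@@ -158,7 +158,7 @@ void test_summaries() {
 
 // test source + sinks + summaries together
 
-madSinkArg0(madArg0ToReturn(remoteMadSource())); // $ MISSING: ir
+madSinkArg0(madArg0ToReturn(remoteMadSource())); // $ ir
 madSinkArg0(madArg0ToReturnValueFlow(remoteMadSource())); // $ ir
 madSinkArg0(madArg0IndirectToReturn(remoteMadSourceIndirect())); // $ MISSING: ir*/
 }
@@ -256,13 +256,13 @@ void test_class_members() {
 mc3.madArg0ToField(source());
 sink(mc3.val); // $ MISSING: ir
 
-sink(source2().madSelfToReturn()); // $ MISSING: ir
+sink(source2().madSelfToReturn()); // $ ir
 sink(source2().notASummary());
 
 mc4.val = source();
 sink(mc4.madFieldToReturn()); // $ MISSING: ir
 
-sink(source3().namespaceMadSelfToReturn()); // $ MISSING: ir
+sink(source3().namespaceMadSelfToReturn()); // $ ir
 
 // test class member sources + sinks + summaries together
 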
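Review bot: The unchanged `madArg0IndirectToReturn` expectation in the second hunk ends in `// $ MISSING: ir*/`, where the trailing `*/` looks like a stray comment terminator rather than part of the expectation tag; if the inline-expectation parser reads the tag as `ir*/`, that line will never flip to a passing `$ ir` once indirect summaries start flowing, hiding the regression this test is meant to catch. Consider trimming it to `madSinkArg0(madArg0IndirectToReturn(remoteMadSourceIndirect())); // $ MISSING: ir`. The enclosing functions `test_summaries` and `test_class_members` begin and end outside these hunks.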