Commit f73ff98

author
Robert Marsh
committed
C++: improve cast and ptr handling in taint test
1 parent 86404af commit f73ff98

3 files changed

Lines changed: 22 additions & 45 deletions


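--- a/cpp/ql/test/library-tests/dataflow/taint-tests/IRTaintTestCommon.qll
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/IRTaintTestCommon.qll
@@ -1,12 +1,13 @@
 import cpp
+import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
 
 /** Common data flow configuration to be used by tests. */
 class TestAllocationConfig extends TaintTracking::Configuration {
 TestAllocationConfig() { this = "TestAllocationConfig" }
 
 override predicate isSource(DataFlow::Node source) {
-source.asExpr().(FunctionCall).getTarget().getName() = "source"
+source.(DataFlow::ExprNode).getConvertedExpr().(FunctionCall).getTarget().getName() = "source"
 or
 source.asParameter().getName().matches("source%")
 or
@@ -17,8 +18,20 @@ class TestAllocationConfig extends TaintTracking::Configuration {
 override predicate isSink(DataFlow::Node sink) {
 exists(FunctionCall call |
 call.getTarget().getName() = "sink" and
-sink.asExpr() = call.getAnArgument()
+sink.(DataFlow::ExprNode).getConvertedExpr() = call.getAnArgument()
+or
+call.getTarget().getName() = "sink" and
+sink.(DataFlow::ExprNode).asExpr() = call.getAnArgument() and
+sink.(DataFlow::ExprNode).getConvertedExpr() instanceof ReferenceDereferenceExpr
 )
+or
+sink
+.asInstruction()
+.(ReadSideEffectInstruction)
+.getPrimaryInstruction()
+.(CallInstruction)
+.getStaticCallTarget()
+.hasName("sink")
 }
 
 override predicate isSanitizer(DataFlow::Node barrier) {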
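Review bot: The three disjuncts of the rewritten isSink carry no comment saying which argument shape each one matches, and the `ReadSideEffectInstruction` branch at the end of the second hunk is the one a later reader of this test configuration will not be able to decode on its own. Judging by the paired change to test_ir.expected it is the branch that produces the new `Argument 0 indirection` rows, i.e. taint reaching what a pointer or reference argument to `sink` points at, so a comment such as `// The read side effect of an argument to sink is also a sink, so taint reaching the pointee of a pointer/reference argument is reported.` above `sink.asInstruction()` would record that. The `call.getTarget().getName() = "sink" and` conjunct is repeated in both branches of the `exists`; writing it once as `call.getTarget().getName() = "sink" and (` followed by the two alternatives keeps the branches from drifting apart, and `call.getTarget().hasName("sink")` would match the `hasName` form used in the instruction branch. The second branch, which takes the unconverted `asExpr()` when the converted expression is a `ReferenceDereferenceExpr`, presumably exists because for a reference argument the converted expression is the dereference rather than the argument; a one-line comment stating that would save the next person re-deriving it from the expected-output diff.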

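--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -36,9 +36,7 @@
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
 | movableclass.cpp:65:11:65:21 | movableclass.cpp:65:13:65:18 | IR only |
 | smart_pointer.cpp:12:10:12:10 | smart_pointer.cpp:11:52:11:57 | AST only |
-| smart_pointer.cpp:13:10:13:10 | smart_pointer.cpp:11:52:11:57 | AST only |
 | smart_pointer.cpp:24:10:24:10 | smart_pointer.cpp:23:52:23:57 | AST only |
-| smart_pointer.cpp:25:10:25:10 | smart_pointer.cpp:23:52:23:57 | AST only |
 | smart_pointer.cpp:52:12:52:14 | smart_pointer.cpp:51:52:51:57 | AST only |
 | smart_pointer.cpp:57:12:57:14 | smart_pointer.cpp:56:52:56:57 | AST only |
 | standalone_iterators.cpp:40:10:40:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
@@ -52,15 +50,12 @@
 | string.cpp:38:13:38:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:42:13:42:17 | string.cpp:14:10:14:15 | AST only |
 | string.cpp:45:13:45:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:55:7:55:8 | string.cpp:50:19:50:26 | IR only |
 | string.cpp:56:7:56:8 | string.cpp:50:19:50:24 | AST only |
 | string.cpp:69:7:69:8 | string.cpp:61:19:61:24 | AST only |
 | string.cpp:70:7:70:8 | string.cpp:61:19:61:24 | AST only |
 | string.cpp:92:8:92:9 | string.cpp:87:18:87:23 | AST only |
 | string.cpp:93:8:93:9 | string.cpp:88:20:88:25 | AST only |
-| string.cpp:94:8:94:9 | string.cpp:90:8:90:13 | AST only |
 | string.cpp:113:8:113:9 | string.cpp:109:32:109:37 | AST only |
-| string.cpp:114:8:114:9 | string.cpp:111:20:111:25 | AST only |
 | string.cpp:121:8:121:8 | string.cpp:119:16:119:21 | AST only |
 | string.cpp:125:8:125:8 | string.cpp:119:16:119:21 | AST only |
 | string.cpp:129:8:129:8 | string.cpp:119:16:119:21 | AST only |
@@ -159,19 +154,11 @@
 | string.cpp:555:8:555:8 | string.cpp:549:27:549:32 | AST only |
 | string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
 | string.cpp:557:8:557:8 | string.cpp:551:18:551:23 | AST only |
-| stringstream.cpp:32:11:32:11 | stringstream.cpp:32:14:32:21 | IR only |
 | stringstream.cpp:32:11:32:22 | stringstream.cpp:32:14:32:19 | IR only |
-| stringstream.cpp:32:11:32:22 | stringstream.cpp:32:14:32:21 | IR only |
-| stringstream.cpp:33:20:33:20 | stringstream.cpp:33:23:33:30 | IR only |
 | stringstream.cpp:33:20:33:31 | stringstream.cpp:33:23:33:28 | IR only |
-| stringstream.cpp:33:20:33:31 | stringstream.cpp:33:23:33:30 | IR only |
-| stringstream.cpp:34:23:34:23 | stringstream.cpp:34:14:34:21 | IR only |
 | stringstream.cpp:34:23:34:31 | stringstream.cpp:34:14:34:19 | IR only |
-| stringstream.cpp:34:23:34:31 | stringstream.cpp:34:14:34:21 | IR only |
 | stringstream.cpp:35:11:35:11 | stringstream.cpp:29:16:29:21 | AST only |
-| stringstream.cpp:38:7:38:9 | stringstream.cpp:32:14:32:19 | AST only |
 | stringstream.cpp:39:7:39:9 | stringstream.cpp:33:23:33:28 | AST only |
-| stringstream.cpp:40:7:40:9 | stringstream.cpp:34:14:34:19 | AST only |
 | stringstream.cpp:41:7:41:9 | stringstream.cpp:29:16:29:21 | AST only |
 | stringstream.cpp:43:11:43:13 | stringstream.cpp:32:14:32:19 | AST only |
 | stringstream.cpp:44:11:44:13 | stringstream.cpp:33:23:33:28 | AST only |
@@ -196,9 +183,7 @@
 | stringstream.cpp:107:7:107:9 | stringstream.cpp:100:31:100:36 | AST only |
 | stringstream.cpp:121:7:121:9 | stringstream.cpp:113:24:113:29 | AST only |
 | stringstream.cpp:123:7:123:9 | stringstream.cpp:115:24:115:29 | AST only |
-| stringstream.cpp:143:11:143:11 | stringstream.cpp:143:14:143:21 | IR only |
 | stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:19 | IR only |
-| stringstream.cpp:143:11:143:22 | stringstream.cpp:143:14:143:21 | IR only |
 | swap1.cpp:78:12:78:16 | swap1.cpp:69:23:69:23 | AST only |
 | swap1.cpp:87:13:87:17 | swap1.cpp:82:16:82:21 | AST only |
 | swap1.cpp:88:13:88:17 | swap1.cpp:81:27:81:28 | AST only |
@@ -216,7 +201,6 @@
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |
 | taint.cpp:137:7:137:9 | taint.cpp:120:11:120:16 | AST only |
-| taint.cpp:173:8:173:13 | taint.cpp:164:19:164:24 | AST only |
 | taint.cpp:195:7:195:7 | taint.cpp:192:23:192:28 | AST only |
 | taint.cpp:195:7:195:7 | taint.cpp:193:6:193:6 | AST only |
 | taint.cpp:236:3:236:6 | taint.cpp:223:10:223:15 | AST only |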

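--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -24,7 +24,6 @@
 | copyableclass.cpp:65:8:65:9 | s1 | copyableclass.cpp:60:40:60:45 | call to source |
 | copyableclass.cpp:66:8:66:9 | s2 | copyableclass.cpp:63:24:63:29 | call to source |
 | copyableclass.cpp:67:11:67:21 | (reference dereference) | copyableclass.cpp:67:13:67:18 | call to source |
-| format.cpp:157:7:157:22 | (int)... | format.cpp:147:12:147:25 | call to source |
 | format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
 | movableclass.cpp:44:8:44:9 | s1 | movableclass.cpp:39:21:39:26 | call to source |
@@ -34,42 +33,22 @@
 | movableclass.cpp:55:8:55:9 | s2 | movableclass.cpp:52:23:52:28 | call to source |
 | movableclass.cpp:64:8:64:9 | s2 | movableclass.cpp:23:55:23:60 | call to source |
 | movableclass.cpp:65:11:65:21 | (reference dereference) | movableclass.cpp:65:13:65:18 | call to source |
-| string.cpp:28:7:28:7 | (const char *)... | string.cpp:24:12:24:17 | call to source |
+| smart_pointer.cpp:13:10:13:10 | Argument 0 indirection | smart_pointer.cpp:11:52:11:57 | call to source |
+| smart_pointer.cpp:25:10:25:10 | Argument 0 indirection | smart_pointer.cpp:23:52:23:57 | call to source |
 | string.cpp:28:7:28:7 | a | string.cpp:24:12:24:17 | call to source |
 | string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:24 | call to source |
-| string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:26 | (const char *)... |
+| string.cpp:94:8:94:9 | Argument 0 indirection | string.cpp:90:8:90:13 | call to source |
+| string.cpp:114:8:114:9 | Argument 0 indirection | string.cpp:111:20:111:25 | call to source |
 | stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:21 | (const char *)... |
-| stringstream.cpp:32:11:32:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:32:14:32:21 | (const char *)... |
 | stringstream.cpp:32:11:32:22 | (reference dereference) | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (reference dereference) | stringstream.cpp:32:14:32:21 | (const char *)... |
-| stringstream.cpp:32:11:32:22 | (reference to) | stringstream.cpp:32:14:32:19 | call to source |
-| stringstream.cpp:32:11:32:22 | (reference to) | stringstream.cpp:32:14:32:21 | (const char *)... |
 | stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:30 | (const char *)... |
-| stringstream.cpp:33:20:33:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:33:23:33:30 | (const char *)... |
 | stringstream.cpp:33:20:33:31 | (reference dereference) | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (reference dereference) | stringstream.cpp:33:23:33:30 | (const char *)... |
-| stringstream.cpp:33:20:33:31 | (reference to) | stringstream.cpp:33:23:33:28 | call to source |
-| stringstream.cpp:33:20:33:31 | (reference to) | stringstream.cpp:33:23:33:30 | (const char *)... |
 | stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:21 | (const char *)... |
-| stringstream.cpp:34:23:34:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:34:14:34:21 | (const char *)... |
 | stringstream.cpp:34:23:34:31 | (reference dereference) | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (reference dereference) | stringstream.cpp:34:14:34:21 | (const char *)... |
-| stringstream.cpp:34:23:34:31 | (reference to) | stringstream.cpp:34:14:34:19 | call to source |
-| stringstream.cpp:34:23:34:31 | (reference to) | stringstream.cpp:34:14:34:21 | (const char *)... |
+| stringstream.cpp:38:7:38:9 | Argument 0 indirection | stringstream.cpp:32:14:32:19 | call to source |
+| stringstream.cpp:40:7:40:9 | Argument 0 indirection | stringstream.cpp:34:14:34:19 | call to source |
 | stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:11 | call to operator<< | stringstream.cpp:143:14:143:21 | (const char *)... |
-| stringstream.cpp:143:11:143:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (const basic_ostream<char, char_traits<char>>)... | stringstream.cpp:143:14:143:21 | (const char *)... |
 | stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (reference dereference) | stringstream.cpp:143:14:143:21 | (const char *)... |
-| stringstream.cpp:143:11:143:22 | (reference to) | stringstream.cpp:143:14:143:19 | call to source |
-| stringstream.cpp:143:11:143:22 | (reference to) | stringstream.cpp:143:14:143:21 | (const char *)... |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
@@ -127,6 +106,7 @@
 | taint.cpp:151:7:151:12 | call to select | taint.cpp:151:20:151:25 | call to source |
 | taint.cpp:167:8:167:13 | call to source | taint.cpp:167:8:167:13 | call to source |
 | taint.cpp:168:8:168:14 | tainted | taint.cpp:164:19:164:24 | call to source |
+| taint.cpp:173:8:173:13 | Argument 0 indirection | taint.cpp:164:19:164:24 | call to source |
 | taint.cpp:181:8:181:9 | * ... | taint.cpp:185:11:185:16 | call to source |
 | taint.cpp:210:7:210:7 | x | taint.cpp:207:6:207:11 | call to source |
 | taint.cpp:215:7:215:7 | x | taint.cpp:207:6:207:11 | call to source |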
