C++: General taint flow through constructors.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/MemberFunction.qll

@@ -4,6 +4,8 @@
  */
 
 import cpp
+import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * A C++ function declared as a member of a class [N4140 9.3]. This includes
@@ -162,7 +164,7 @@ class ConstMemberFunction extends MemberFunction {
  * };
  * ```
  */
-class Constructor extends MemberFunction {
+class Constructor extends MemberFunction, TaintFunction {
   Constructor() { functions(underlyingElement(this), _, 2) }
 
   override string getCanonicalQLClass() { result = "Constructor" }
@@ -192,6 +194,12 @@ class Constructor extends MemberFunction {
   ConstructorInit getInitializer(int i) {
     exprparents(unresolveElement(result), i, underlyingElement(this))
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from any constructor argument to the returned object
+    input.isParameter(_) and
+    output.isReturnValue()
+  }
 }
 
 /**

cpp/ql/test/library-tests/dataflow/taint-tests/copyableclass.cpp

@@ -36,9 +36,9 @@ void test_copyableclass()
 		MyCopyableClass s4;
 		s4 = source();
 
-		sink(s1); // tainted [NOT DETECTED]
-		sink(s2); // tainted [NOT DETECTED]
-		sink(s3); // tainted [NOT DETECTED]
+		sink(s1); // tainted
+		sink(s2); // tainted
+		sink(s3); // tainted
 		sink(s4); // tainted [NOT DETECTED]
 	}
 
@@ -61,7 +61,7 @@ void test_copyableclass()
 		MyCopyableClass s3;
 		s2 = MyCopyableClass(source());
 
-		sink(s1); // tainted [NOT DETECTED]
+		sink(s1); // tainted
 		sink(s2); // tainted [NOT DETECTED]
 		sink(s3 = source()); // tainted [NOT DETECTED]
 	}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -40,8 +40,8 @@ void test_copyableclass()
 		MyMovableClass s3;
 		s3 = source();
 
-		sink(s1); // tainted [NOT DETECTED]
-		sink(s2); // tainted [NOT DETECTED]
+		sink(s1); // tainted
+		sink(s2); // tainted
 		sink(s3); // tainted [NOT DETECTED]
 	}
 
@@ -50,7 +50,7 @@ void test_copyableclass()
 		MyMovableClass s2;
 		s2 = MyMovableClass(source());
 
-		sink(s1); // tainted [NOT DETECTED]
+		sink(s1); // tainted
 		sink(s2); // tainted [NOT DETECTED]
 	}
 
@@ -60,7 +60,7 @@ void test_copyableclass()
 		MyMovableClass s3;
 
 		sink(s1);
-		sink(s2); // tainted [NOT DETECTED]
+		sink(s2); // tainted
 		sink(s3 = source()); // tainted [NOT DETECTED]
 	}
 }

cpp/ql/test/library-tests/dataflow/taint-tests/movableclass.cpp

@@ -31,10 +31,10 @@ void test_structlikeclass()
 		StructLikeClass s4;
 		s4 = source();
 
-		sink(s1); // tainted [NOT DETECTED]
-		sink(s2); // tainted [NOT DETECTED]
-		sink(s3); // tainted [NOT DETECTED]
-		sink(s4); // tainted [NOT DETECTED]
+		sink(s1); // tainted
+		sink(s2); // tainted
+		sink(s3); // tainted
+		sink(s4); // tainted
 	}
 
 	{
@@ -56,8 +56,8 @@ void test_structlikeclass()
 		StructLikeClass s3;
 		s2 = StructLikeClass(source());
 
-		sink(s1); // tainted [NOT DETECTED]
-		sink(s2); // tainted [NOT DETECTED]
-		sink(s3 = source()); // tainted [NOT DETECTED]
+		sink(s1); // tainted
+		sink(s2); // tainted
+		sink(s3 = source()); // tainted
 	}
 }

cpp/ql/test/library-tests/dataflow/taint-tests/structlikeclass.cpp

@@ -1,3 +1,7 @@
+| copyableclass.cpp:39:8:39:9 | s1 | copyableclass.cpp:33:22:33:27 | call to source |
+| copyableclass.cpp:40:8:40:9 | s2 | copyableclass.cpp:34:24:34:29 | call to source |
+| copyableclass.cpp:41:8:41:9 | s3 | copyableclass.cpp:33:22:33:27 | call to source |
+| copyableclass.cpp:64:8:64:9 | s1 | copyableclass.cpp:59:40:59:45 | call to source |
 | format.cpp:57:8:57:13 | buffer | format.cpp:56:36:56:49 | call to source |
 | format.cpp:62:8:62:13 | buffer | format.cpp:61:30:61:43 | call to source |
 | format.cpp:67:8:67:13 | buffer | format.cpp:66:52:66:65 | call to source |
@@ -10,8 +14,30 @@
 | format.cpp:110:8:110:14 | wbuffer | format.cpp:109:38:109:52 | call to source |
 | format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
+| movableclass.cpp:43:8:43:9 | s1 | movableclass.cpp:38:21:38:26 | call to source |
+| movableclass.cpp:44:8:44:9 | s2 | movableclass.cpp:39:23:39:28 | call to source |
+| movableclass.cpp:53:8:53:9 | s1 | movableclass.cpp:49:38:49:43 | call to source |
+| movableclass.cpp:63:8:63:9 | s2 | movableclass.cpp:22:55:22:60 | call to source |
 | stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
+| stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
+| stl.cpp:75:9:75:13 | call to c_str | stl.cpp:69:16:69:21 | call to source |
+| stl.cpp:125:13:125:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
+| stl.cpp:129:13:129:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
+| stl.cpp:132:13:132:17 | call to c_str | stl.cpp:117:10:117:15 | call to source |
+| stl.cpp:154:8:154:9 | s1 | stl.cpp:149:18:149:23 | call to source |
+| stl.cpp:155:8:155:9 | s2 | stl.cpp:150:20:150:25 | call to source |
+| stl.cpp:156:8:156:9 | s3 | stl.cpp:152:8:152:13 | call to source |
+| stl.cpp:175:8:175:9 | s1 | stl.cpp:171:32:171:37 | call to source |
+| stl.cpp:176:8:176:9 | s2 | stl.cpp:173:20:173:25 | call to source |
+| structlikeclass.cpp:34:8:34:9 | s1 | structlikeclass.cpp:28:22:28:27 | call to source |
+| structlikeclass.cpp:35:8:35:9 | s2 | structlikeclass.cpp:29:24:29:29 | call to source |
+| structlikeclass.cpp:36:8:36:9 | s3 | structlikeclass.cpp:28:22:28:27 | call to source |
+| structlikeclass.cpp:37:8:37:9 | s4 | structlikeclass.cpp:32:8:32:13 | call to source |
+| structlikeclass.cpp:59:8:59:9 | s1 | structlikeclass.cpp:54:40:54:45 | call to source |
+| structlikeclass.cpp:60:8:60:9 | s2 | structlikeclass.cpp:57:24:57:29 | call to source |
+| structlikeclass.cpp:61:8:61:20 | ... = ... | structlikeclass.cpp:61:13:61:18 | call to source |
 | swap1.cpp:60:12:60:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
+| swap1.cpp:65:12:65:16 | data1 | swap1.cpp:56:23:56:23 | x |
 | swap1.cpp:65:12:65:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
 | swap1.cpp:66:12:66:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
 | swap1.cpp:70:13:70:17 | data1 | swap1.cpp:69:16:69:21 | call to source |
@@ -26,6 +52,7 @@
 | swap1.cpp:102:18:102:22 | data1 | swap1.cpp:95:23:95:31 | move_from |
 | swap1.cpp:102:18:102:22 | data1 | swap1.cpp:96:23:96:28 | call to source |
 | swap2.cpp:60:12:60:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
+| swap2.cpp:65:12:65:16 | data1 | swap2.cpp:56:23:56:23 | x |
 | swap2.cpp:65:12:65:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
 | swap2.cpp:66:12:66:16 | data1 | swap2.cpp:58:15:58:20 | call to source |
 | swap2.cpp:70:13:70:17 | data1 | swap2.cpp:69:16:69:21 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -1,3 +1,7 @@
+| copyableclass.cpp:39:8:39:9 | copyableclass.cpp:33:22:33:27 | AST only |
+| copyableclass.cpp:40:8:40:9 | copyableclass.cpp:34:24:34:29 | AST only |
+| copyableclass.cpp:41:8:41:9 | copyableclass.cpp:33:22:33:27 | AST only |
+| copyableclass.cpp:64:8:64:9 | copyableclass.cpp:59:40:59:45 | AST only |
 | format.cpp:57:8:57:13 | format.cpp:56:36:56:49 | AST only |
 | format.cpp:62:8:62:13 | format.cpp:61:30:61:43 | AST only |
 | format.cpp:67:8:67:13 | format.cpp:66:52:66:65 | AST only |
@@ -8,10 +12,30 @@
 | format.cpp:100:8:100:13 | format.cpp:99:30:99:43 | AST only |
 | format.cpp:105:8:105:13 | format.cpp:104:31:104:45 | AST only |
 | format.cpp:110:8:110:14 | format.cpp:109:38:109:52 | AST only |
+| movableclass.cpp:43:8:43:9 | movableclass.cpp:38:21:38:26 | AST only |
+| movableclass.cpp:44:8:44:9 | movableclass.cpp:39:23:39:28 | AST only |
+| movableclass.cpp:53:8:53:9 | movableclass.cpp:49:38:49:43 | AST only |
+| movableclass.cpp:63:8:63:9 | movableclass.cpp:22:55:22:60 | AST only |
+| stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
+| stl.cpp:75:9:75:13 | stl.cpp:69:16:69:21 | AST only |
+| stl.cpp:125:13:125:17 | stl.cpp:117:10:117:15 | AST only |
+| stl.cpp:129:13:129:17 | stl.cpp:117:10:117:15 | AST only |
+| stl.cpp:132:13:132:17 | stl.cpp:117:10:117:15 | AST only |
+| stl.cpp:154:8:154:9 | stl.cpp:149:18:149:23 | AST only |
+| stl.cpp:155:8:155:9 | stl.cpp:150:20:150:25 | AST only |
+| stl.cpp:156:8:156:9 | stl.cpp:152:8:152:13 | AST only |
+| stl.cpp:175:8:175:9 | stl.cpp:171:32:171:37 | AST only |
+| stl.cpp:176:8:176:9 | stl.cpp:173:20:173:25 | AST only |
+| structlikeclass.cpp:34:8:34:9 | structlikeclass.cpp:28:22:28:27 | AST only |
+| structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:24:29:29 | AST only |
+| structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:28:22:28:27 | AST only |
+| structlikeclass.cpp:59:8:59:9 | structlikeclass.cpp:54:40:54:45 | AST only |
+| swap1.cpp:65:12:65:16 | swap1.cpp:56:23:56:23 | AST only |
 | swap1.cpp:74:13:74:17 | swap1.cpp:69:16:69:21 | AST only |
 | swap1.cpp:75:13:75:17 | swap1.cpp:68:27:68:28 | AST only |
 | swap1.cpp:89:12:89:16 | swap1.cpp:80:23:80:23 | AST only |
 | swap1.cpp:102:18:102:22 | swap1.cpp:95:23:95:31 | AST only |
+| swap2.cpp:65:12:65:16 | swap2.cpp:56:23:56:23 | AST only |
 | swap2.cpp:74:13:74:17 | swap2.cpp:69:16:69:21 | AST only |
 | swap2.cpp:75:13:75:17 | swap2.cpp:68:27:68:28 | AST only |
 | swap2.cpp:89:12:89:16 | swap2.cpp:80:23:80:23 | AST only |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -3,6 +3,9 @@
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
 | stl.cpp:71:7:71:7 | (const char *)... | stl.cpp:67:12:67:17 | call to source |
 | stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
+| structlikeclass.cpp:37:8:37:9 | s4 | structlikeclass.cpp:32:8:32:13 | call to source |
+| structlikeclass.cpp:60:8:60:9 | s2 | structlikeclass.cpp:57:24:57:29 | call to source |
+| structlikeclass.cpp:61:8:61:20 | ... = ... | structlikeclass.cpp:61:13:61:18 | call to source |
 | swap1.cpp:60:12:60:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
 | swap1.cpp:65:12:65:16 | data1 | swap1.cpp:58:15:58:20 | call to source |
 | swap1.cpp:66:12:66:16 | data1 | swap1.cpp:58:15:58:20 | call to source |