C++: Add flow through assignment operators.

geoffw0 · geoffw0 · commit 833f5b0cf3cb · 2020-06-17T15:47:37.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/MemberFunction.qll b/cpp/ql/src/semmle/code/cpp/MemberFunction.qll
@@ -467,7 +467,7 @@ class ConversionOperator extends MemberFunction, ImplicitConversionFunction {
  * takes exactly one parameter of type `T`, `T&`, `const T&`, `volatile
  * T&`, or `const volatile T&`.
  */
-class CopyAssignmentOperator extends Operator {
+class CopyAssignmentOperator extends Operator,TaintFunction {
   CopyAssignmentOperator() {
     hasName("operator=") and
     (
@@ -482,6 +482,17 @@ class CopyAssignmentOperator extends Operator {
   }
 
   override string getCanonicalQLClass() { result = "CopyAssignmentOperator" }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from argument to self
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+    or
+    // taint flow from argument to return value
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    // TODO: it would be more accurate to model copy assignment as data flow
+  }
 }
 
 /**
@@ -499,7 +510,7 @@ class CopyAssignmentOperator extends Operator {
  * takes exactly one parameter of type `T&&`, `const T&&`, `volatile T&&`,
  * or `const volatile T&&`.
  */
-class MoveAssignmentOperator extends Operator {
+class MoveAssignmentOperator extends Operator, TaintFunction {
   MoveAssignmentOperator() {
     hasName("operator=") and
     hasMoveSignature(this) and
@@ -508,4 +519,15 @@ class MoveAssignmentOperator extends Operator {
   }
 
   override string getCanonicalQLClass() { result = "MoveAssignmentOperator" }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // taint flow from argument to self
+    input.isParameterDeref(0) and
+    output.isQualifierObject()
+    or
+    // taint flow from argument to return value
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    // TODO: it would be more accurate to model move assignment as data flow
+  }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/copyableclass.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/copyableclass.cpp
@@ -39,7 +39,7 @@ void test_copyableclass()
 		sink(s1); // tainted
 		sink(s2); // tainted
 		sink(s3); // tainted
-		sink(s4); // tainted [NOT DETECTED]
+		sink(s4); // tainted
 	}
 
 	{
@@ -62,7 +62,7 @@ void test_copyableclass()
 		s2 = MyCopyableClass(source());
 
 		sink(s1); // tainted
-		sink(s2); // tainted [NOT DETECTED]
-		sink(s3 = source()); // tainted [NOT DETECTED]
+		sink(s2); // tainted
+		sink(s3 = source()); // tainted
 	}
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -22,6 +22,8 @@
 | copyableclass.cpp:23:19:23:20 | call to MyCopyableClass | copyableclass.cpp:29:8:29:9 | s4 |  |
 | copyableclass.cpp:24:3:24:4 | ref arg s4 | copyableclass.cpp:29:8:29:9 | s4 |  |
 | copyableclass.cpp:24:8:24:8 | 1 | copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | TAINT |
+| copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | copyableclass.cpp:24:3:24:4 | ref arg s4 | TAINT |
+| copyableclass.cpp:24:8:24:8 | call to MyCopyableClass | copyableclass.cpp:24:6:24:6 | call to operator= | TAINT |
 | copyableclass.cpp:33:22:33:27 | call to source | copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | TAINT |
 | copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | copyableclass.cpp:35:22:35:23 | s1 |  |
 | copyableclass.cpp:33:22:33:30 | call to MyCopyableClass | copyableclass.cpp:39:8:39:9 | s1 |  |
@@ -33,6 +35,8 @@
 | copyableclass.cpp:36:19:36:20 | call to MyCopyableClass | copyableclass.cpp:42:8:42:9 | s4 |  |
 | copyableclass.cpp:37:3:37:4 | ref arg s4 | copyableclass.cpp:42:8:42:9 | s4 |  |
 | copyableclass.cpp:37:8:37:13 | call to source | copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | TAINT |
+| copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | copyableclass.cpp:37:3:37:4 | ref arg s4 | TAINT |
+| copyableclass.cpp:37:8:37:15 | call to MyCopyableClass | copyableclass.cpp:37:6:37:6 | call to operator= | TAINT |
 | copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:47:24:47:25 | s1 |  |
 | copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:48:22:48:23 | s1 |  |
 | copyableclass.cpp:46:19:46:20 | call to MyCopyableClass | copyableclass.cpp:50:8:50:9 | s1 |  |
@@ -44,14 +48,20 @@
 | copyableclass.cpp:49:19:49:20 | call to MyCopyableClass | copyableclass.cpp:50:3:50:4 | s4 |  |
 | copyableclass.cpp:49:19:49:20 | call to MyCopyableClass | copyableclass.cpp:55:8:55:9 | s4 |  |
 | copyableclass.cpp:50:3:50:4 | ref arg s4 | copyableclass.cpp:55:8:55:9 | s4 |  |
+| copyableclass.cpp:50:8:50:9 | s1 | copyableclass.cpp:50:3:50:4 | ref arg s4 | TAINT |
+| copyableclass.cpp:50:8:50:9 | s1 | copyableclass.cpp:50:6:50:6 | call to operator= | TAINT |
 | copyableclass.cpp:59:23:59:48 | call to MyCopyableClass | copyableclass.cpp:64:8:64:9 | s1 |  |
 | copyableclass.cpp:59:40:59:45 | call to source | copyableclass.cpp:59:23:59:48 | call to MyCopyableClass | TAINT |
 | copyableclass.cpp:60:19:60:20 | call to MyCopyableClass | copyableclass.cpp:62:3:62:4 | s2 |  |
 | copyableclass.cpp:60:19:60:20 | call to MyCopyableClass | copyableclass.cpp:65:8:65:9 | s2 |  |
 | copyableclass.cpp:61:19:61:20 | call to MyCopyableClass | copyableclass.cpp:66:8:66:9 | s3 |  |
 | copyableclass.cpp:62:3:62:4 | ref arg s2 | copyableclass.cpp:65:8:65:9 | s2 |  |
+| copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | copyableclass.cpp:62:3:62:4 | ref arg s2 | TAINT |
+| copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | copyableclass.cpp:62:6:62:6 | call to operator= | TAINT |
 | copyableclass.cpp:62:24:62:29 | call to source | copyableclass.cpp:62:8:62:32 | call to MyCopyableClass | TAINT |
 | copyableclass.cpp:66:13:66:18 | call to source | copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | TAINT |
+| copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | copyableclass.cpp:66:8:66:9 | ref arg s3 | TAINT |
+| copyableclass.cpp:66:13:66:20 | call to MyCopyableClass | copyableclass.cpp:66:11:66:11 | call to operator= | TAINT |
 | file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 |  |
 | file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 |  |
 | file://:0:0:0:0 | p#0 | file://:0:0:0:0 | p#0 |  |
@@ -217,6 +227,8 @@
 | movableclass.cpp:29:18:29:19 | call to MyMovableClass | movableclass.cpp:34:8:34:9 | s3 |  |
 | movableclass.cpp:30:3:30:4 | ref arg s3 | movableclass.cpp:34:8:34:9 | s3 |  |
 | movableclass.cpp:30:8:30:8 | 1 | movableclass.cpp:30:8:30:8 | call to MyMovableClass | TAINT |
+| movableclass.cpp:30:8:30:8 | call to MyMovableClass | movableclass.cpp:30:3:30:4 | ref arg s3 | TAINT |
+| movableclass.cpp:30:8:30:8 | call to MyMovableClass | movableclass.cpp:30:6:30:6 | call to operator= | TAINT |
 | movableclass.cpp:38:21:38:26 | call to source | movableclass.cpp:38:21:38:29 | call to MyMovableClass | TAINT |
 | movableclass.cpp:38:21:38:29 | call to MyMovableClass | movableclass.cpp:43:8:43:9 | s1 |  |
 | movableclass.cpp:39:22:39:30 | call to MyMovableClass | movableclass.cpp:44:8:44:9 | s2 |  |
@@ -225,18 +237,24 @@
 | movableclass.cpp:40:18:40:19 | call to MyMovableClass | movableclass.cpp:45:8:45:9 | s3 |  |
 | movableclass.cpp:41:3:41:4 | ref arg s3 | movableclass.cpp:45:8:45:9 | s3 |  |
 | movableclass.cpp:41:8:41:13 | call to source | movableclass.cpp:41:8:41:15 | call to MyMovableClass | TAINT |
+| movableclass.cpp:41:8:41:15 | call to MyMovableClass | movableclass.cpp:41:3:41:4 | ref arg s3 | TAINT |
+| movableclass.cpp:41:8:41:15 | call to MyMovableClass | movableclass.cpp:41:6:41:6 | call to operator= | TAINT |
 | movableclass.cpp:49:22:49:46 | call to MyMovableClass | movableclass.cpp:53:8:53:9 | s1 |  |
 | movableclass.cpp:49:38:49:43 | call to source | movableclass.cpp:49:22:49:46 | call to MyMovableClass | TAINT |
 | movableclass.cpp:50:18:50:19 | call to MyMovableClass | movableclass.cpp:51:3:51:4 | s2 |  |
 | movableclass.cpp:50:18:50:19 | call to MyMovableClass | movableclass.cpp:54:8:54:9 | s2 |  |
 | movableclass.cpp:51:3:51:4 | ref arg s2 | movableclass.cpp:54:8:54:9 | s2 |  |
+| movableclass.cpp:51:8:51:31 | call to MyMovableClass | movableclass.cpp:51:3:51:4 | ref arg s2 | TAINT |
+| movableclass.cpp:51:8:51:31 | call to MyMovableClass | movableclass.cpp:51:6:51:6 | call to operator= | TAINT |
 | movableclass.cpp:51:23:51:28 | call to source | movableclass.cpp:51:8:51:31 | call to MyMovableClass | TAINT |
 | movableclass.cpp:58:21:58:32 | call to getUnTainted | movableclass.cpp:58:21:58:35 | call to MyMovableClass |  |
 | movableclass.cpp:58:21:58:35 | call to MyMovableClass | movableclass.cpp:62:8:62:9 | s1 |  |
 | movableclass.cpp:59:21:59:30 | call to getTainted | movableclass.cpp:59:21:59:33 | call to MyMovableClass |  |
 | movableclass.cpp:59:21:59:33 | call to MyMovableClass | movableclass.cpp:63:8:63:9 | s2 |  |
 | movableclass.cpp:60:18:60:19 | call to MyMovableClass | movableclass.cpp:64:8:64:9 | s3 |  |
 | movableclass.cpp:64:13:64:18 | call to source | movableclass.cpp:64:13:64:20 | call to MyMovableClass | TAINT |
+| movableclass.cpp:64:13:64:20 | call to MyMovableClass | movableclass.cpp:64:8:64:9 | ref arg s3 | TAINT |
+| movableclass.cpp:64:13:64:20 | call to MyMovableClass | movableclass.cpp:64:11:64:11 | call to operator= | TAINT |
 | stl.cpp:67:12:67:17 | call to source | stl.cpp:71:7:71:7 | a |  |
 | stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string | TAINT |
 | stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:72:7:72:7 | b |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/movableclass.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/movableclass.cpp
@@ -42,7 +42,7 @@ void test_copyableclass()
 
 		sink(s1); // tainted
 		sink(s2); // tainted
-		sink(s3); // tainted [NOT DETECTED]
+		sink(s3); // tainted
 	}
 
 	{
@@ -51,7 +51,7 @@ void test_copyableclass()
 		s2 = MyMovableClass(source());
 
 		sink(s1); // tainted
-		sink(s2); // tainted [NOT DETECTED]
+		sink(s2); // tainted
 	}
 
 	{
@@ -61,6 +61,6 @@ void test_copyableclass()
 
 		sink(s1);
 		sink(s2); // tainted
-		sink(s3 = source()); // tainted [NOT DETECTED]
+		sink(s3 = source()); // tainted
 	}
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -1,7 +1,10 @@
 | copyableclass.cpp:39:8:39:9 | s1 | copyableclass.cpp:33:22:33:27 | call to source |
 | copyableclass.cpp:40:8:40:9 | s2 | copyableclass.cpp:34:24:34:29 | call to source |
 | copyableclass.cpp:41:8:41:9 | s3 | copyableclass.cpp:33:22:33:27 | call to source |
+| copyableclass.cpp:42:8:42:9 | s4 | copyableclass.cpp:37:8:37:13 | call to source |
 | copyableclass.cpp:64:8:64:9 | s1 | copyableclass.cpp:59:40:59:45 | call to source |
+| copyableclass.cpp:65:8:65:9 | s2 | copyableclass.cpp:62:24:62:29 | call to source |
+| copyableclass.cpp:66:11:66:11 | call to operator= | copyableclass.cpp:66:13:66:18 | call to source |
 | format.cpp:57:8:57:13 | buffer | format.cpp:56:36:56:49 | call to source |
 | format.cpp:62:8:62:13 | buffer | format.cpp:61:30:61:43 | call to source |
 | format.cpp:67:8:67:13 | buffer | format.cpp:66:52:66:65 | call to source |
@@ -16,8 +19,11 @@
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
 | movableclass.cpp:43:8:43:9 | s1 | movableclass.cpp:38:21:38:26 | call to source |
 | movableclass.cpp:44:8:44:9 | s2 | movableclass.cpp:39:23:39:28 | call to source |
+| movableclass.cpp:45:8:45:9 | s3 | movableclass.cpp:41:8:41:13 | call to source |
 | movableclass.cpp:53:8:53:9 | s1 | movableclass.cpp:49:38:49:43 | call to source |
+| movableclass.cpp:54:8:54:9 | s2 | movableclass.cpp:51:23:51:28 | call to source |
 | movableclass.cpp:63:8:63:9 | s2 | movableclass.cpp:22:55:22:60 | call to source |
+| movableclass.cpp:64:11:64:11 | call to operator= | movableclass.cpp:64:13:64:18 | call to source |
 | stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
 | stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
 | stl.cpp:75:9:75:13 | call to c_str | stl.cpp:69:16:69:21 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -1,7 +1,10 @@
 | copyableclass.cpp:39:8:39:9 | copyableclass.cpp:33:22:33:27 | AST only |
 | copyableclass.cpp:40:8:40:9 | copyableclass.cpp:34:24:34:29 | AST only |
 | copyableclass.cpp:41:8:41:9 | copyableclass.cpp:33:22:33:27 | AST only |
+| copyableclass.cpp:42:8:42:9 | copyableclass.cpp:37:8:37:13 | AST only |
 | copyableclass.cpp:64:8:64:9 | copyableclass.cpp:59:40:59:45 | AST only |
+| copyableclass.cpp:65:8:65:9 | copyableclass.cpp:62:24:62:29 | AST only |
+| copyableclass.cpp:66:11:66:11 | copyableclass.cpp:66:13:66:18 | AST only |
 | format.cpp:57:8:57:13 | format.cpp:56:36:56:49 | AST only |
 | format.cpp:62:8:62:13 | format.cpp:61:30:61:43 | AST only |
 | format.cpp:67:8:67:13 | format.cpp:66:52:66:65 | AST only |
@@ -14,8 +17,11 @@
 | format.cpp:110:8:110:14 | format.cpp:109:38:109:52 | AST only |
 | movableclass.cpp:43:8:43:9 | movableclass.cpp:38:21:38:26 | AST only |
 | movableclass.cpp:44:8:44:9 | movableclass.cpp:39:23:39:28 | AST only |
+| movableclass.cpp:45:8:45:9 | movableclass.cpp:41:8:41:13 | AST only |
 | movableclass.cpp:53:8:53:9 | movableclass.cpp:49:38:49:43 | AST only |
+| movableclass.cpp:54:8:54:9 | movableclass.cpp:51:23:51:28 | AST only |
 | movableclass.cpp:63:8:63:9 | movableclass.cpp:22:55:22:60 | AST only |
+| movableclass.cpp:64:11:64:11 | movableclass.cpp:64:13:64:18 | AST only |
 | stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
 | stl.cpp:75:9:75:13 | stl.cpp:69:16:69:21 | AST only |
 | stl.cpp:125:13:125:17 | stl.cpp:117:10:117:15 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ void test_copyableclass()`
`39`	`39`	`sink(s1); // tainted`
`40`	`40`	`sink(s2); // tainted`
`41`	`41`	`sink(s3); // tainted`
`42`		`- sink(s4); // tainted [NOT DETECTED]`
	`42`	`+ sink(s4); // tainted`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`{`
`@@ -62,7 +62,7 @@ void test_copyableclass()`
`62`	`62`	`s2 = MyCopyableClass(source());`
`63`	`63`
`64`	`64`	`sink(s1); // tainted`
`65`		`- sink(s2); // tainted [NOT DETECTED]`
`66`		`- sink(s3 = source()); // tainted [NOT DETECTED]`
	`65`	`+ sink(s2); // tainted`
	`66`	`+ sink(s3 = source()); // tainted`
`67`	`67`	`}`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ void test_copyableclass()`
`42`	`42`
`43`	`43`	`sink(s1); // tainted`
`44`	`44`	`sink(s2); // tainted`
`45`		`- sink(s3); // tainted [NOT DETECTED]`
	`45`	`+ sink(s3); // tainted`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`{`
`@@ -51,7 +51,7 @@ void test_copyableclass()`
`51`	`51`	`s2 = MyMovableClass(source());`
`52`	`52`
`53`	`53`	`sink(s1); // tainted`
`54`		`- sink(s2); // tainted [NOT DETECTED]`
	`54`	`+ sink(s2); // tainted`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`{`
`@@ -61,6 +61,6 @@ void test_copyableclass()`
`61`	`61`
`62`	`62`	`sink(s1);`
`63`	`63`	`sink(s2); // tainted`
`64`		`- sink(s3 = source()); // tainted [NOT DETECTED]`
	`64`	`+ sink(s3 = source()); // tainted`
`65`	`65`	`}`
`66`	`66`	`}`