From 6f64129b0441c3b3f5cc54a5f2454f034d6f503b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 27 Aug 2025 14:05:13 +0200
Subject: [PATCH 1/7] C++: Add ComPtr tests.
---
 .../dataflow/taint-tests/atl.cpp | 130 ++++++++++++++++++
 .../dataflow/taint-tests/localTaint.expected | 112 +++++++++++++++
 .../taint-tests/test_mad-signatures.expected | 12 ++
 3 files changed, 254 insertions(+)
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
index e26416a0e68c..8337e384b3d6 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
@@ -1241,4 +1241,134 @@ namespace ATL {
 sink(static_cast::PCXSTR>(b)); // $ ir
 sink(static_cast::PXSTR>(b)); // $ ir
 }
+}
+
+namespace Microsoft {
+ namespace WRL {
+ template
+ class ComPtr;
+
+ struct GUID;
+
+ typedef GUID IID;
+
+ typedef IID *REFIID;
+
+ class IUnknown;
+
+ class WeakRef;
+
+ template
+ class ComPtr
+ {
+ public:
+ using InterfaceType = T;
+
+ ComPtr();
+ ComPtr(const ComPtr &);
+ ComPtr(&&other);
+
+ template
+ ComPtr(U *);
+
+ ~ComPtr();
+
+ template
+ HRESULT As(ComPtr *p) const;
+
+ HRESULT AsWeak(WeakRef *);
+
+ void Attach(InterfaceType *);
+
+ HRESULT CopyTo(InterfaceType **);
+
+ HRESULT CopyTo(REFIID, void **) const;
+
+ template
+ HRESULT CopyTo(U **) const;
+
+ T *Detach();
+
+ T *Get() const;
+
+ T *const *GetAddressOf() const;
+ T **GetAddressOf();
+
+ T **ReleaseAndGetAddressOf();
+
+ unsigned long Reset();
+
+ void Swap(ComPtr &&r);
+
+ void Swap(ComPtr &r);
+ };
+
+ }
+}
+
+namespace std {
+ template T&& move(T& t) noexcept; // simplified signature
+}
+
+void test_constructor()
+{
+ Microsoft::WRL::ComPtr p0;
+ sink(*p0.Get()); // clean
+
+ int x = source();
+ Microsoft::WRL::ComPtr p1(new int(x));
+ sink(*p1.Get()); // $ MISSING: ast,ir
+ sink(*p1.Detach()); // $ MISSING: ast,ir
+
+ Microsoft::WRL::ComPtr p2(p1);
+ sink(*p2.Get()); // $ MISSING: ast,ir
+
+ Microsoft::WRL::ComPtr p3(std::move(p1));
+ sink(*p3.Get()); // $ MISSING: ast,ir
+}
+
+void test_As()
+{
+ int x = source();
+ Microsoft::WRL::ComPtr p1(new int(x));
+ Microsoft::WRL::ComPtr p2;
+ p1.As(&p2);
+ sink(*p2.Get()); // $ MISSING: ast,ir
+}
+
+void test_CopyTo()
+{
+ int x = source();
+ Microsoft::WRL::ComPtr p1(new int(x));
+ int *raw = nullptr;
+ p1.CopyTo(&raw);
+ sink(*raw); // $ MISSING: ast,ir
+
+ Microsoft::WRL::ComPtr p2;
+ p1.CopyTo(nullptr, (void**)&raw);
+ sink(*raw); // $ MISSING: ast,ir
+}
+
+void test_Swap()
+{
+ int x = source();
+ Microsoft::WRL::ComPtr p1(new int(x));
+ Microsoft::WRL::ComPtr p2;
+ p1.Swap(p2);
+ sink(*p2.Get()); // $ MISSING: ast,ir
+ sink(*p1.Get()); // clean
+}
+
+void test_GetAddressOf()
+{
+ int x = source();
+ Microsoft::WRL::ComPtr p1(new int(x));
+ sink(**p1.GetAddressOf()); // $ MISSING: ast,ir
+
+ const Microsoft::WRL::ComPtr p2(new int(x));
+ sink(**p2.GetAddressOf()); // $ MISSING: ast,ir
+
+ Microsoft::WRL::ComPtr p3(new int(x));
+ int **pp = p3.ReleaseAndGetAddressOf();
+ sink(**pp); // $ MISSING: ast,ir
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 76eaebb52cdf..a7320e3fa458 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
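Review bot: `typedef IID *REFIID;` in the new Microsoft::WRL stub makes REFIID a pointer, whereas the Windows SDK declares it as a const reference to IID in C++ builds, and `p1.CopyTo(nullptr, (void**)&raw)` in test_CopyTo is only well-formed because of that divergence; the signature table added in this same commit records the parameter as `GUID *` for the same reason. If the stub is meant to mirror the real header closely enough for the `(REFIID,void **)` signature to be exercised realistically, the typedef should read `typedef const IID &REFIID;` with the call site passing an IID lvalue instead of `nullptr`, which would also require GUID to be a complete type rather than the forward declaration used here. Otherwise a comment on the typedef such as `// REFIID is a pointer here for test convenience; the SDK declares it as const IID &` would stop the stub being copied as if it were faithful, and whether the model's signature string still matches the SDK's reference typedef is worth confirming against real code. Separately, `Microsoft::WRL::ComPtr p2;` in test_CopyTo is declared but never used.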
@@ -1278,6 +1278,118 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1241:46:1241:46 | b | | | atl.cpp:1240:22:1240:30 | call to CStrBufT | atl.cpp:1242:45:1242:45 | b | | | atl.cpp:1241:46:1241:46 | ref arg b | atl.cpp:1242:45:1242:45 | b | | +| atl.cpp:1315:31:1315:32 | call to ComPtr | atl.cpp:1316:9:1316:10 | p0 | | +| atl.cpp:1315:31:1315:32 | call to ComPtr | atl.cpp:1328:1:1328:1 | p0 | | +| atl.cpp:1316:9:1316:10 | ref arg p0 | atl.cpp:1328:1:1328:1 | p0 | | +| atl.cpp:1316:12:1316:14 | call to Get | atl.cpp:1316:8:1316:16 | * ... | TAINT | +| atl.cpp:1318:11:1318:21 | call to source | atl.cpp:1319:42:1319:42 | x | | +| atl.cpp:1319:34:1319:43 | new | atl.cpp:1319:34:1319:44 | call to ComPtr | TAINT | +| atl.cpp:1319:34:1319:44 | call to ComPtr | atl.cpp:1320:9:1320:10 | p1 | | +| atl.cpp:1319:34:1319:44 | call to ComPtr | atl.cpp:1321:9:1321:10 | p1 | | +| atl.cpp:1319:34:1319:44 | call to ComPtr | atl.cpp:1323:34:1323:35 | p1 | | +| atl.cpp:1319:34:1319:44 | call to ComPtr | atl.cpp:1326:44:1326:45 | p1 | | +| atl.cpp:1319:34:1319:44 | call to ComPtr | atl.cpp:1328:1:1328:1 | p1 | | +| atl.cpp:1319:42:1319:42 | x | atl.cpp:1319:34:1319:43 | new | | +| atl.cpp:1320:9:1320:10 | ref arg p1 | atl.cpp:1321:9:1321:10 | p1 | | +| atl.cpp:1320:9:1320:10 | ref arg p1 | atl.cpp:1323:34:1323:35 | p1 | | +| atl.cpp:1320:9:1320:10 | ref arg p1 | atl.cpp:1326:44:1326:45 | p1 | | +| atl.cpp:1320:9:1320:10 | ref arg p1 | atl.cpp:1328:1:1328:1 | p1 | | +| atl.cpp:1320:12:1320:14 | call to Get | atl.cpp:1320:8:1320:16 | * ... | TAINT | +| atl.cpp:1321:9:1321:10 | ref arg p1 | atl.cpp:1323:34:1323:35 | p1 | | +| atl.cpp:1321:9:1321:10 | ref arg p1 | atl.cpp:1326:44:1326:45 | p1 | | +| atl.cpp:1321:9:1321:10 | ref arg p1 | atl.cpp:1328:1:1328:1 | p1 | | +| atl.cpp:1321:12:1321:17 | call to Detach | atl.cpp:1321:8:1321:19 | * ... 
| TAINT | +| atl.cpp:1323:34:1323:35 | p1 | atl.cpp:1323:34:1323:36 | call to ComPtr | | +| atl.cpp:1323:34:1323:36 | call to ComPtr | atl.cpp:1324:9:1324:10 | p2 | | +| atl.cpp:1323:34:1323:36 | call to ComPtr | atl.cpp:1328:1:1328:1 | p2 | | +| atl.cpp:1324:9:1324:10 | ref arg p2 | atl.cpp:1328:1:1328:1 | p2 | | +| atl.cpp:1324:12:1324:14 | call to Get | atl.cpp:1324:8:1324:16 | * ... | TAINT | +| atl.cpp:1326:34:1326:42 | call to move | atl.cpp:1326:34:1326:47 | call to ComPtr | TAINT | +| atl.cpp:1326:34:1326:47 | call to ComPtr | atl.cpp:1327:9:1327:10 | p3 | | +| atl.cpp:1326:34:1326:47 | call to ComPtr | atl.cpp:1328:1:1328:1 | p3 | | +| atl.cpp:1326:44:1326:45 | p1 | atl.cpp:1326:34:1326:42 | call to move | TAINT | +| atl.cpp:1326:44:1326:45 | p1 | atl.cpp:1326:34:1326:47 | call to ComPtr | | +| atl.cpp:1327:9:1327:10 | ref arg p3 | atl.cpp:1328:1:1328:1 | p3 | | +| atl.cpp:1327:12:1327:14 | call to Get | atl.cpp:1327:8:1327:16 | * ... | TAINT | +| atl.cpp:1332:11:1332:21 | call to source | atl.cpp:1333:42:1333:42 | x | | +| atl.cpp:1333:34:1333:43 | new | atl.cpp:1333:34:1333:44 | call to ComPtr | TAINT | +| atl.cpp:1333:34:1333:44 | call to ComPtr | atl.cpp:1335:3:1335:4 | p1 | | +| atl.cpp:1333:34:1333:44 | call to ComPtr | atl.cpp:1337:1:1337:1 | p1 | | +| atl.cpp:1333:42:1333:42 | x | atl.cpp:1333:34:1333:43 | new | | +| atl.cpp:1334:31:1334:32 | call to ComPtr | atl.cpp:1335:10:1335:11 | p2 | | +| atl.cpp:1334:31:1334:32 | call to ComPtr | atl.cpp:1336:9:1336:10 | p2 | | +| atl.cpp:1334:31:1334:32 | call to ComPtr | atl.cpp:1337:1:1337:1 | p2 | | +| atl.cpp:1335:9:1335:11 | ref arg & ... | atl.cpp:1335:10:1335:11 | p2 [inner post update] | | +| atl.cpp:1335:9:1335:11 | ref arg & ... | atl.cpp:1336:9:1336:10 | p2 | | +| atl.cpp:1335:9:1335:11 | ref arg & ... | atl.cpp:1337:1:1337:1 | p2 | | +| atl.cpp:1335:10:1335:11 | p2 | atl.cpp:1335:9:1335:11 | & ... 
| | +| atl.cpp:1336:9:1336:10 | ref arg p2 | atl.cpp:1337:1:1337:1 | p2 | | +| atl.cpp:1336:12:1336:14 | call to Get | atl.cpp:1336:8:1336:16 | * ... | TAINT | +| atl.cpp:1341:11:1341:21 | call to source | atl.cpp:1342:42:1342:42 | x | | +| atl.cpp:1342:34:1342:43 | new | atl.cpp:1342:34:1342:44 | call to ComPtr | TAINT | +| atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1344:3:1344:4 | p1 | | +| atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1348:3:1348:4 | p1 | | +| atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1350:1:1350:1 | p1 | | +| atl.cpp:1342:42:1342:42 | x | atl.cpp:1342:34:1342:43 | new | | +| atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1344:14:1344:16 | raw | | +| atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1345:9:1345:11 | raw | | +| atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1348:31:1348:33 | raw | | +| atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1349:9:1349:11 | raw | | +| atl.cpp:1344:3:1344:4 | ref arg p1 | atl.cpp:1348:3:1348:4 | p1 | | +| atl.cpp:1344:3:1344:4 | ref arg p1 | atl.cpp:1350:1:1350:1 | p1 | | +| atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1344:14:1344:16 | raw [inner post update] | | +| atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1345:9:1345:11 | raw | | +| atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1348:31:1348:33 | raw | | +| atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1349:9:1349:11 | raw | | +| atl.cpp:1344:14:1344:16 | raw | atl.cpp:1344:13:1344:16 | & ... | | +| atl.cpp:1345:9:1345:11 | raw | atl.cpp:1345:8:1345:11 | * ... | TAINT | +| atl.cpp:1347:31:1347:32 | call to ComPtr | atl.cpp:1350:1:1350:1 | p2 | | +| atl.cpp:1348:30:1348:33 | ref arg & ... | atl.cpp:1348:31:1348:33 | raw [inner post update] | | +| atl.cpp:1348:30:1348:33 | ref arg & ... | atl.cpp:1349:9:1349:11 | raw | | +| atl.cpp:1348:31:1348:33 | raw | atl.cpp:1348:30:1348:33 | & ... | | +| atl.cpp:1349:9:1349:11 | raw | atl.cpp:1349:8:1349:11 | * ... 
| TAINT | +| atl.cpp:1354:11:1354:21 | call to source | atl.cpp:1355:42:1355:42 | x | | +| atl.cpp:1355:34:1355:43 | new | atl.cpp:1355:34:1355:44 | call to ComPtr | TAINT | +| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1357:3:1357:4 | p1 | | +| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1359:9:1359:10 | p1 | | +| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1360:1:1360:1 | p1 | | +| atl.cpp:1355:42:1355:42 | x | atl.cpp:1355:34:1355:43 | new | | +| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1357:11:1357:12 | p2 | | +| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1358:9:1358:10 | p2 | | +| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1360:1:1360:1 | p2 | | +| atl.cpp:1357:3:1357:4 | ref arg p1 | atl.cpp:1359:9:1359:10 | p1 | | +| atl.cpp:1357:3:1357:4 | ref arg p1 | atl.cpp:1360:1:1360:1 | p1 | | +| atl.cpp:1357:11:1357:12 | ref arg p2 | atl.cpp:1358:9:1358:10 | p2 | | +| atl.cpp:1357:11:1357:12 | ref arg p2 | atl.cpp:1360:1:1360:1 | p2 | | +| atl.cpp:1358:9:1358:10 | ref arg p2 | atl.cpp:1360:1:1360:1 | p2 | | +| atl.cpp:1358:12:1358:14 | call to Get | atl.cpp:1358:8:1358:16 | * ... | TAINT | +| atl.cpp:1359:9:1359:10 | ref arg p1 | atl.cpp:1360:1:1360:1 | p1 | | +| atl.cpp:1359:12:1359:14 | call to Get | atl.cpp:1359:8:1359:16 | * ... | TAINT | +| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1365:42:1365:42 | x | | +| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1368:48:1368:48 | x | | +| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1371:42:1371:42 | x | | +| atl.cpp:1365:34:1365:43 | new | atl.cpp:1365:34:1365:44 | call to ComPtr | TAINT | +| atl.cpp:1365:34:1365:44 | call to ComPtr | atl.cpp:1366:10:1366:11 | p1 | | +| atl.cpp:1365:34:1365:44 | call to ComPtr | atl.cpp:1374:1:1374:1 | p1 | | +| atl.cpp:1365:42:1365:42 | x | atl.cpp:1365:34:1365:43 | new | | +| atl.cpp:1366:9:1366:26 | * ... | atl.cpp:1366:8:1366:26 | * ... 
| TAINT | +| atl.cpp:1366:10:1366:11 | ref arg p1 | atl.cpp:1374:1:1374:1 | p1 | | +| atl.cpp:1366:13:1366:24 | call to GetAddressOf | atl.cpp:1366:9:1366:26 | * ... | TAINT | +| atl.cpp:1368:40:1368:49 | new | atl.cpp:1368:40:1368:50 | call to ComPtr | TAINT | +| atl.cpp:1368:40:1368:50 | call to ComPtr | atl.cpp:1369:10:1369:11 | p2 | | +| atl.cpp:1368:40:1368:50 | call to ComPtr | atl.cpp:1374:1:1374:1 | p2 | | +| atl.cpp:1368:48:1368:48 | x | atl.cpp:1368:40:1368:49 | new | | +| atl.cpp:1369:9:1369:26 | * ... | atl.cpp:1369:8:1369:26 | * ... | TAINT | +| atl.cpp:1369:10:1369:11 | ref arg p2 | atl.cpp:1374:1:1374:1 | p2 | | +| atl.cpp:1369:13:1369:24 | call to GetAddressOf | atl.cpp:1369:9:1369:26 | * ... | TAINT | +| atl.cpp:1371:34:1371:43 | new | atl.cpp:1371:34:1371:44 | call to ComPtr | TAINT | +| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1372:14:1372:15 | p3 | | +| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1374:1:1374:1 | p3 | | +| atl.cpp:1371:42:1371:42 | x | atl.cpp:1371:34:1371:43 | new | | +| atl.cpp:1372:14:1372:15 | ref arg p3 | atl.cpp:1374:1:1374:1 | p3 | | +| atl.cpp:1372:17:1372:38 | call to ReleaseAndGetAddressOf | atl.cpp:1373:10:1373:11 | pp | | +| atl.cpp:1373:9:1373:11 | * ... | atl.cpp:1373:8:1373:11 | * ... | TAINT | +| atl.cpp:1373:10:1373:11 | pp | atl.cpp:1373:9:1373:11 | * ... | TAINT | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index f5342ea7694e..b622cbc569f1 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected 
@@ -5567,6 +5567,8 @@ signatureMatches | atl.cpp:1231:5:1231:12 | CStrBufT | (const char *,const char *,unsigned long) | | __ngettext | 2 | | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 1 | | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 2 | +| atl.cpp:1285:13:1285:18 | CopyTo | (Curl_easy *,void **) | | Curl_resolver_init | 1 | +| atl.cpp:1285:13:1285:18 | CopyTo | (size_t,void **) | | __libc_alloc_buffer_allocate | 1 | | bsd.cpp:12:5:12:10 | accept | (CURLM *,curl_socket_t,int *) | | curl_multi_socket | 2 | | bsd.cpp:12:5:12:10 | accept | (Curl_easy *,ssize_t *,int *) | | Curl_GetFTPResponse | 2 | | bsd.cpp:12:5:12:10 | accept | (EVP_CIPHER_CTX *,unsigned char *,int *) | | EVP_CipherFinal | 2 | @@ -46404,6 +46406,16 @@ getParameterTypeName | atl.cpp:1231:5:1231:12 | CStrBufT | 1 | int | | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | DWORD | | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | unsigned long | +| atl.cpp:1268:5:1268:10 | ComPtr | 0 | const ComPtr & | +| atl.cpp:1272:5:1272:10 | ComPtr | 0 | func:0 * | +| atl.cpp:1277:13:1277:14 | As | 0 | ComPtr * | +| atl.cpp:1283:13:1283:18 | CopyTo | 0 | Interfaceclass:0ype ** | +| atl.cpp:1283:13:1283:18 | CopyTo | 0 | class:0 ** | +| atl.cpp:1285:13:1285:18 | CopyTo | 0 | GUID * | +| atl.cpp:1285:13:1285:18 | CopyTo | 0 | REFIID | +| atl.cpp:1285:13:1285:18 | CopyTo | 1 | void ** | +| atl.cpp:1303:10:1303:13 | Swap | 0 | ComPtr & | +| atl.cpp:1310:25:1310:28 | move | 0 | func:0 & | | bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & | | bsd.cpp:6:8:6:8 | operator= | 0 | sockaddr && | | bsd.cpp:12:5:12:10 | accept | 0 | int | From 246ed9d30bf0155f57b6146eff0998ce78904857 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen Date: Wed, 27 Aug 2025 14:18:12 +0200 Subject: [PATCH 2/7] C++: Add a model for ComPtr. --- cpp/ql/lib/ext/ComPtr.model.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 cpp/ql/lib/ext/ComPtr.model.yml diff --git a/cpp/ql/lib/ext/ComPtr.model.yml b/cpp/ql/lib/ext/ComPtr.model.yml new file mode 100644 index 000000000000..126b6310b1f5 --- /dev/null +++ b/cpp/ql/lib/ext/ComPtr.model.yml 
@@ -0,0 +1,23 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(T *)", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(const ComPtr &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(ComPtr &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "AsIID", "", "", "Argument[-1]", "Argument[*1]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Attach", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(REFIID,void **)", "", "Argument[-1].Element[@]", "Argument[**@1]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Get", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "Swap", "", "", "Argument[*0]", "Argument[-1]", "value", "manual"]
From 9e9f6dd11a37c9266e580019c128de7ff044e8b5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 27 Aug 2025 14:18:21 +0200
Subject: [PATCH 3/7] C++: Accept test changes.
---
 .../external-models/validatemodels.expected | 5 ++++
 .../dataflow/taint-tests/atl.cpp | 24 +++++++++----------
 .../taint-tests/test_mad-signatures.expected | 11 +++++++++
 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected
index aeb2362ef339..e8dc5453df3a 100644
--- a/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected
+++ b/cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected
@@ -503,6 +503,7 @@
 | Dubious signature "(CURLU *,CURLUPart,const char *,unsigned int)" in summary model. |
 | Dubious signature "(CURLU *,const char *)" in summary model. |
 | Dubious signature "(CURLU *,const char *,char **,OperationConfig *)" in summary model. |
+| Dubious signature "(ComPtr &&)" in summary model. |
 | Dubious signature "(CompoundDictionary *,const PreparedDictionary *)" in summary model. |
 | Dubious signature "(Curl_cfilter *)" in summary model. |
 | Dubious signature "(Curl_cfilter **,Curl_easy *)" in summary model. |
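Review bot: The two `Swap` rows model the exchange as a copy in both directions (`Argument[-1]` to `Argument[*0]` and back) with nothing clearing the pre-swap side, so after swapping a tainted ComPtr with a clean one the original receiver is still reported tainted; that is precisely the `sink(*p1.Get())` in test_Swap that the accompanying atl.cpp marks clean and that the later "Accept test changes" commit in this series re-marks `SPURIOUS: ir`. Summary rows cannot express a kill, so the over-approximation is probably unavoidable, but it should be recorded next to the rows rather than only in a test annotation, e.g. `# Swap: modelled as a two-way copy; summaries cannot clear the receiver, so the pre-swap owner stays tainted (known over-approximation).` Relatedly, `Swap` and `As` propagate the whole object (`Argument[-1]`) while the constructors, `CopyTo` and the getters propagate `.Element[@]`; a one-line comment on why the two shapes differ would help whoever extends this file next.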
@@ -2130,6 +2131,7 @@ | Dubious signature "(RAND_POOL *,unsigned char *)" in summary model. | | Dubious signature "(RAND_POOL *,unsigned int)" in summary model. | | Dubious signature "(RECORD_LAYER *,SSL_CONNECTION *)" in summary model. | +| Dubious signature "(REFIID,void **)" in summary model. | | Dubious signature "(RIO_NOTIFIER *)" in summary model. | | Dubious signature "(RIPEMD160_CTX *,const unsigned char *)" in summary model. | | Dubious signature "(RIPEMD160_CTX *,const void *,size_t)" in summary model. | @@ -2431,6 +2433,8 @@ | Dubious signature "(Strent *)" in summary model. | | Dubious signature "(Strtab *,const char *,size_t)" in summary model. | | Dubious signature "(Strtab *,size_t *)" in summary model. | +| Dubious signature "(T *)" in summary model. | +| Dubious signature "(T **)" in summary model. | | Dubious signature "(TLS_FEATURE *)" in summary model. | | Dubious signature "(TLS_RL_RECORD *,const unsigned char *)" in summary model. | | Dubious signature "(TS_ACCURACY *)" in summary model. | @@ -3155,6 +3159,7 @@ | Dubious signature "(const CT_POLICY_EVAL_CTX *)" in summary model. | | Dubious signature "(const CURLU *)" in summary model. | | Dubious signature "(const CURLU *,CURLUPart,char **,unsigned int)" in summary model. | +| Dubious signature "(const ComPtr &)" in summary model. | | Dubious signature "(const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *)" in summary model. | | Dubious signature "(const Curl_easy *,const connectdata *,int)" in summary model. | | Dubious signature "(const DH *)" in summary model. | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 8337e384b3d6..6f0942ddbdf2 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp 
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -1317,14 +1317,14 @@ void test_constructor() int x = source(); Microsoft::WRL::ComPtr p1(new int(x)); - sink(*p1.Get()); // $ MISSING: ast,ir - sink(*p1.Detach()); // $ MISSING: ast,ir + sink(*p1.Get()); // $ ir MISSING: ast + sink(*p1.Detach()); // $ ir MISSING: ast Microsoft::WRL::ComPtr p2(p1); - sink(*p2.Get()); // $ MISSING: ast,ir + sink(*p2.Get()); // $ ir MISSING: ast Microsoft::WRL::ComPtr p3(std::move(p1)); - sink(*p3.Get()); // $ MISSING: ast,ir + sink(*p3.Get()); // $ ir MISSING: ast } void test_As() @@ -1333,7 +1333,7 @@ void test_As() Microsoft::WRL::ComPtr p1(new int(x)); Microsoft::WRL::ComPtr p2; p1.As(&p2); - sink(*p2.Get()); // $ MISSING: ast,ir + sink(*p2.Get()); // $ ir MISSING: ast } void test_CopyTo() @@ -1342,11 +1342,11 @@ void test_CopyTo() Microsoft::WRL::ComPtr p1(new int(x)); int *raw = nullptr; p1.CopyTo(&raw); - sink(*raw); // $ MISSING: ast,ir + sink(*raw); // $ ir MISSING: ast Microsoft::WRL::ComPtr p2; p1.CopyTo(nullptr, (void**)&raw); - sink(*raw); // $ MISSING: ast,ir + sink(*raw); // $ ir MISSING: ast } void test_Swap() @@ -1355,20 +1355,20 @@ void test_Swap() Microsoft::WRL::ComPtr p1(new int(x)); Microsoft::WRL::ComPtr p2; p1.Swap(p2); - sink(*p2.Get()); // $ MISSING: ast,ir - sink(*p1.Get()); // clean + sink(*p2.Get()); // $ ir MISSING: ast + sink(*p1.Get()); // $ SPURIOUS: ir } void test_GetAddressOf() { int x = source(); Microsoft::WRL::ComPtr p1(new int(x)); - sink(**p1.GetAddressOf()); // $ MISSING: ast,ir + sink(**p1.GetAddressOf()); // $ ir MISSING: ast const Microsoft::WRL::ComPtr p2(new int(x)); - sink(**p2.GetAddressOf()); // $ MISSING: ast,ir + sink(**p2.GetAddressOf()); // $ ir MISSING: ast Microsoft::WRL::ComPtr p3(new int(x)); int **pp = p3.ReleaseAndGetAddressOf(); - sink(**pp); // $ MISSING: ast,ir + sink(**pp); // $ ir MISSING: ast } \ No newline at end of file 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index b622cbc569f1..9debcb5f639b 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -5567,7 +5567,12 @@ signatureMatches | atl.cpp:1231:5:1231:12 | CStrBufT | (const char *,const char *,unsigned long) | | __ngettext | 2 | | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 1 | | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 2 | +| atl.cpp:1268:5:1268:10 | ComPtr | (const ComPtr &) | ComPtr | ComPtr | 0 | +| atl.cpp:1272:5:1272:10 | ComPtr | (T *) | ComPtr | ComPtr | 0 | +| atl.cpp:1283:13:1283:18 | CopyTo | (T **) | ComPtr | CopyTo | 0 | | atl.cpp:1285:13:1285:18 | CopyTo | (Curl_easy *,void **) | | Curl_resolver_init | 1 | +| atl.cpp:1285:13:1285:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 0 | +| atl.cpp:1285:13:1285:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 1 | | atl.cpp:1285:13:1285:18 | CopyTo | (size_t,void **) | | __libc_alloc_buffer_allocate | 1 | | bsd.cpp:12:5:12:10 | accept | (CURLM *,curl_socket_t,int *) | | curl_multi_socket | 2 | | bsd.cpp:12:5:12:10 | accept | (Curl_easy *,ssize_t *,int *) | | Curl_GetFTPResponse | 2 | 
@@ -21752,6 +21757,7 @@ getSignatureParameterName | (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 1 | const char * | | (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 2 | char ** | | (CURLU *,const char *,char **,OperationConfig *) | | ipfs_url_rewrite | 3 | OperationConfig * | +| (ComPtr &&) | ComPtr | ComPtr | 0 | ComPtr && | | (CompoundDictionary *,const PreparedDictionary *) | | AttachPreparedDictionary | 0 | CompoundDictionary * | | (CompoundDictionary *,const PreparedDictionary *) | | AttachPreparedDictionary | 1 | const PreparedDictionary * | | (Curl_cfilter *) | | Curl_conn_cf_is_ssl | 0 | Curl_cfilter * | @@ -28582,6 +28588,8 @@ getSignatureParameterName | (RAND_POOL *,unsigned int) | | ossl_rand_pool_bytes_needed | 1 | unsigned int | | (RECORD_LAYER *,SSL_CONNECTION *) | | RECORD_LAYER_init | 0 | RECORD_LAYER * | | (RECORD_LAYER *,SSL_CONNECTION *) | | RECORD_LAYER_init | 1 | SSL_CONNECTION * | +| (REFIID,void **) | ComPtr | CopyTo | 0 | REFIID | +| (REFIID,void **) | ComPtr | CopyTo | 1 | void ** | | (RIO_NOTIFIER *) | | ossl_rio_notifier_cleanup | 0 | RIO_NOTIFIER * | | (RIPEMD160_CTX *,const unsigned char *) | | RIPEMD160_Transform | 0 | RIPEMD160_CTX * | | (RIPEMD160_CTX *,const unsigned char *) | | RIPEMD160_Transform | 1 | const unsigned char * | @@ -30165,6 +30173,8 @@ getSignatureParameterName | (Strtab *,const char *,size_t) | | strtabadd | 2 | size_t | | (Strtab *,size_t *) | | strtabfinalize | 0 | Strtab * | | (Strtab *,size_t *) | | strtabfinalize | 1 | size_t * | +| (T *) | ComPtr | ComPtr | 0 | func:0 * | +| (T **) | ComPtr | CopyTo | 0 | class:0 ** | | (TLS_FEATURE *) | | TLS_FEATURE_free | 0 | TLS_FEATURE * | | (TLS_RL_RECORD *,const unsigned char *) | | ossl_tls_rl_record_set_seq_num | 0 | TLS_RL_RECORD * | | (TLS_RL_RECORD *,const unsigned char *) | | ossl_tls_rl_record_set_seq_num | 1 | const unsigned char * | 
@@ -33307,6 +33317,7 @@ getSignatureParameterName | (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 1 | CURLUPart | | (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 2 | char ** | | (const CURLU *,CURLUPart,char **,unsigned int) | | curl_url_get | 3 | unsigned int | +| (const ComPtr &) | ComPtr | ComPtr | 0 | const ComPtr & | | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 0 | const Command * | | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 1 | const size_t | | (const Command *,const size_t,const BlockSplit *,const BlockSplit *,const BlockSplit *,const uint8_t *,size_t,size_t,uint8_t,uint8_t,const ContextType *,HistogramLiteral *,HistogramCommand *,HistogramDistance *) | | BrotliBuildHistogramsWithContext | 2 | const BlockSplit * | From 96b698666006d698a9808867c15dd0cf78333097 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Aug 2025 14:35:45 +0200 Subject: [PATCH 4/7] C++: Fix duplicated entries. --- cpp/ql/lib/ext/ComPtr.model.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/cpp/ql/lib/ext/ComPtr.model.yml b/cpp/ql/lib/ext/ComPtr.model.yml index 126b6310b1f5..236d4d66f38c 100644 --- a/cpp/ql/lib/ext/ComPtr.model.yml +++ b/cpp/ql/lib/ext/ComPtr.model.yml 
@@ -7,15 +7,12 @@ extensions:
 - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(const ComPtr &)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "ComPtr", "(ComPtr &&)", "", "Argument[*0].Element[@]", "Argument[-1].Element[@]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
- - ["Microsoft::WRL", "ComPtr", True, "As", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "AsIID", "", "", "Argument[-1]", "Argument[*1]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
- - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Attach", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(REFIID,void **)", "", "Argument[-1].Element[@]", "Argument[**@1]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
- - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Get", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "GetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "ReleaseAndGetAddressOf", "", "", "Argument[-1].Element[@]", "ReturnValue[**]", "value", "manual"]
From 7c05622a91ed447bada272b144fd959f8473a3ec Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen Date: Wed, 27 Aug 2025 14:41:00 +0200 Subject: [PATCH 5/7] C++: Add missing type and accept test changes. --- cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 2 +- .../test/library-tests/dataflow/taint-tests/localTaint.expected | 2 ++ .../dataflow/taint-tests/test_mad-signatures.expected | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index 6f0942ddbdf2..fa6d3182b9fb 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -1266,7 +1266,7 @@ namespace Microsoft { ComPtr(); ComPtr(const ComPtr &); - ComPtr(&&other); + ComPtr(ComPtr &&); template ComPtr(U *); diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index a7320e3fa458..e883b91370b4 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected @@ -1305,6 +1305,8 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:1324:9:1324:10 | ref arg p2 | atl.cpp:1328:1:1328:1 | p2 | | | atl.cpp:1324:12:1324:14 | call to Get | atl.cpp:1324:8:1324:16 | * ... | TAINT | | atl.cpp:1326:34:1326:42 | call to move | atl.cpp:1326:34:1326:47 | call to ComPtr | TAINT | +| atl.cpp:1326:34:1326:42 | ref arg call to move | atl.cpp:1326:44:1326:45 | p1 [inner post update] | | +| atl.cpp:1326:34:1326:42 | ref arg call to move | atl.cpp:1328:1:1328:1 | p1 | | | atl.cpp:1326:34:1326:47 | call to ComPtr | atl.cpp:1327:9:1327:10 | p3 | | | atl.cpp:1326:34:1326:47 | call to ComPtr | atl.cpp:1328:1:1328:1 | p3 | | | atl.cpp:1326:44:1326:45 | p1 | atl.cpp:1326:34:1326:42 | call to move | TAINT | 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 9debcb5f639b..1c26627c349a 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -5568,6 +5568,7 @@ signatureMatches | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 1 | | atl.cpp:1231:5:1231:12 | CStrBufT | (unsigned char *,int,unsigned long) | | UTF8_putc | 2 | | atl.cpp:1268:5:1268:10 | ComPtr | (const ComPtr &) | ComPtr | ComPtr | 0 | +| atl.cpp:1269:5:1269:10 | ComPtr | (ComPtr &&) | ComPtr | ComPtr | 0 | | atl.cpp:1272:5:1272:10 | ComPtr | (T *) | ComPtr | ComPtr | 0 | | atl.cpp:1283:13:1283:18 | CopyTo | (T **) | ComPtr | CopyTo | 0 | | atl.cpp:1285:13:1285:18 | CopyTo | (Curl_easy *,void **) | | Curl_resolver_init | 1 | @@ -46418,6 +46419,7 @@ getParameterTypeName | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | DWORD | | atl.cpp:1231:5:1231:12 | CStrBufT | 2 | unsigned long | | atl.cpp:1268:5:1268:10 | ComPtr | 0 | const ComPtr & | +| atl.cpp:1269:5:1269:10 | ComPtr | 0 | ComPtr && | | atl.cpp:1272:5:1272:10 | ComPtr | 0 | func:0 * | | atl.cpp:1277:13:1277:14 | As | 0 | ComPtr * | | atl.cpp:1283:13:1283:18 | CopyTo | 0 | Interfaceclass:0ype ** | From 8c07a3e552983b4102a06558d9647c4d4fe6bdb5 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Wed, 27 Aug 2025 15:12:52 +0200 Subject: [PATCH 6/7] C++: Add testcase with missing model. --- .../dataflow/taint-tests/atl.cpp | 6 ++ .../dataflow/taint-tests/localTaint.expected | 97 +++++++++++-------- .../taint-tests/test_mad-signatures.expected | 1 + 3 files changed, 61 insertions(+), 43 deletions(-) diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp index fa6d3182b9fb..a2023d546ab7 100644 
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp @@ -1347,6 +1347,12 @@ void test_CopyTo() Microsoft::WRL::ComPtr p2; p1.CopyTo(nullptr, (void**)&raw); sink(*raw); // $ ir MISSING: ast + + Microsoft::WRL::ComPtr p3(new int(x)); + + int* raw2 = nullptr; + p3.CopyTo(&raw2); + sink(*raw2); // $ MISSING: ast,ir } void test_Swap() diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected index e883b91370b4..f98159676ce9 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected 
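Review bot: `int* raw2 = nullptr;` puts the `*` on the type while the existing declaration a few lines above in the same function, `int *raw = nullptr;`, puts it on the name; the new line should follow the surrounding code, `int *raw2 = nullptr;`. The added case also does not say which `CopyTo` overload it is meant to reach, and the commit title only says that a model is missing, so a comment on the call such as `// CopyTo overload with no entry in ComPtr.model.yml yet` would make the `MISSING: ast,ir` expectation self-explanatory and easy to retire once the model lands. The opening lines of test_CopyTo are outside this hunk.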
@@ -1328,70 +1328,81 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | atl.cpp:1336:9:1336:10 | ref arg p2 | atl.cpp:1337:1:1337:1 | p2 | | | atl.cpp:1336:12:1336:14 | call to Get | atl.cpp:1336:8:1336:16 | * ... | TAINT | | atl.cpp:1341:11:1341:21 | call to source | atl.cpp:1342:42:1342:42 | x | | +| atl.cpp:1341:11:1341:21 | call to source | atl.cpp:1351:42:1351:42 | x | | | atl.cpp:1342:34:1342:43 | new | atl.cpp:1342:34:1342:44 | call to ComPtr | TAINT | | atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1344:3:1344:4 | p1 | | | atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1348:3:1348:4 | p1 | | -| atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1350:1:1350:1 | p1 | | +| atl.cpp:1342:34:1342:44 | call to ComPtr | atl.cpp:1356:1:1356:1 | p1 | | | atl.cpp:1342:42:1342:42 | x | atl.cpp:1342:34:1342:43 | new | | | atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1344:14:1344:16 | raw | | | atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1345:9:1345:11 | raw | | | atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1348:31:1348:33 | raw | | | atl.cpp:1343:14:1343:20 | 0 | atl.cpp:1349:9:1349:11 | raw | | | atl.cpp:1344:3:1344:4 | ref arg p1 | atl.cpp:1348:3:1348:4 | p1 | | -| atl.cpp:1344:3:1344:4 | ref arg p1 | atl.cpp:1350:1:1350:1 | p1 | | +| atl.cpp:1344:3:1344:4 | ref arg p1 | atl.cpp:1356:1:1356:1 | p1 | | | atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1344:14:1344:16 | raw [inner post update] | | | atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1345:9:1345:11 | raw | | | atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1348:31:1348:33 | raw | | | atl.cpp:1344:13:1344:16 | ref arg & ... | atl.cpp:1349:9:1349:11 | raw | | | atl.cpp:1344:14:1344:16 | raw | atl.cpp:1344:13:1344:16 | & ... | | | atl.cpp:1345:9:1345:11 | raw | atl.cpp:1345:8:1345:11 | * ... 
| TAINT | -| atl.cpp:1347:31:1347:32 | call to ComPtr | atl.cpp:1350:1:1350:1 | p2 | | +| atl.cpp:1347:31:1347:32 | call to ComPtr | atl.cpp:1356:1:1356:1 | p2 | | | atl.cpp:1348:30:1348:33 | ref arg & ... | atl.cpp:1348:31:1348:33 | raw [inner post update] | | | atl.cpp:1348:30:1348:33 | ref arg & ... | atl.cpp:1349:9:1349:11 | raw | | | atl.cpp:1348:31:1348:33 | raw | atl.cpp:1348:30:1348:33 | & ... | | | atl.cpp:1349:9:1349:11 | raw | atl.cpp:1349:8:1349:11 | * ... | TAINT | -| atl.cpp:1354:11:1354:21 | call to source | atl.cpp:1355:42:1355:42 | x | | -| atl.cpp:1355:34:1355:43 | new | atl.cpp:1355:34:1355:44 | call to ComPtr | TAINT | -| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1357:3:1357:4 | p1 | | -| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1359:9:1359:10 | p1 | | -| atl.cpp:1355:34:1355:44 | call to ComPtr | atl.cpp:1360:1:1360:1 | p1 | | -| atl.cpp:1355:42:1355:42 | x | atl.cpp:1355:34:1355:43 | new | | -| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1357:11:1357:12 | p2 | | -| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1358:9:1358:10 | p2 | | -| atl.cpp:1356:31:1356:32 | call to ComPtr | atl.cpp:1360:1:1360:1 | p2 | | -| atl.cpp:1357:3:1357:4 | ref arg p1 | atl.cpp:1359:9:1359:10 | p1 | | -| atl.cpp:1357:3:1357:4 | ref arg p1 | atl.cpp:1360:1:1360:1 | p1 | | -| atl.cpp:1357:11:1357:12 | ref arg p2 | atl.cpp:1358:9:1358:10 | p2 | | -| atl.cpp:1357:11:1357:12 | ref arg p2 | atl.cpp:1360:1:1360:1 | p2 | | -| atl.cpp:1358:9:1358:10 | ref arg p2 | atl.cpp:1360:1:1360:1 | p2 | | -| atl.cpp:1358:12:1358:14 | call to Get | atl.cpp:1358:8:1358:16 | * ... | TAINT | -| atl.cpp:1359:9:1359:10 | ref arg p1 | atl.cpp:1360:1:1360:1 | p1 | | -| atl.cpp:1359:12:1359:14 | call to Get | atl.cpp:1359:8:1359:16 | * ... 
| TAINT | -| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1365:42:1365:42 | x | | -| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1368:48:1368:48 | x | | -| atl.cpp:1364:11:1364:21 | call to source | atl.cpp:1371:42:1371:42 | x | | -| atl.cpp:1365:34:1365:43 | new | atl.cpp:1365:34:1365:44 | call to ComPtr | TAINT | -| atl.cpp:1365:34:1365:44 | call to ComPtr | atl.cpp:1366:10:1366:11 | p1 | | -| atl.cpp:1365:34:1365:44 | call to ComPtr | atl.cpp:1374:1:1374:1 | p1 | | -| atl.cpp:1365:42:1365:42 | x | atl.cpp:1365:34:1365:43 | new | | -| atl.cpp:1366:9:1366:26 | * ... | atl.cpp:1366:8:1366:26 | * ... | TAINT | -| atl.cpp:1366:10:1366:11 | ref arg p1 | atl.cpp:1374:1:1374:1 | p1 | | -| atl.cpp:1366:13:1366:24 | call to GetAddressOf | atl.cpp:1366:9:1366:26 | * ... | TAINT | -| atl.cpp:1368:40:1368:49 | new | atl.cpp:1368:40:1368:50 | call to ComPtr | TAINT | -| atl.cpp:1368:40:1368:50 | call to ComPtr | atl.cpp:1369:10:1369:11 | p2 | | -| atl.cpp:1368:40:1368:50 | call to ComPtr | atl.cpp:1374:1:1374:1 | p2 | | -| atl.cpp:1368:48:1368:48 | x | atl.cpp:1368:40:1368:49 | new | | -| atl.cpp:1369:9:1369:26 | * ... | atl.cpp:1369:8:1369:26 | * ... | TAINT | -| atl.cpp:1369:10:1369:11 | ref arg p2 | atl.cpp:1374:1:1374:1 | p2 | | -| atl.cpp:1369:13:1369:24 | call to GetAddressOf | atl.cpp:1369:9:1369:26 | * ... | TAINT | +| atl.cpp:1351:34:1351:43 | new | atl.cpp:1351:34:1351:44 | call to ComPtr | TAINT | +| atl.cpp:1351:34:1351:44 | call to ComPtr | atl.cpp:1354:3:1354:4 | p3 | | +| atl.cpp:1351:34:1351:44 | call to ComPtr | atl.cpp:1356:1:1356:1 | p3 | | +| atl.cpp:1351:42:1351:42 | x | atl.cpp:1351:34:1351:43 | new | | +| atl.cpp:1353:15:1353:21 | 0 | atl.cpp:1354:19:1354:22 | raw2 | | +| atl.cpp:1353:15:1353:21 | 0 | atl.cpp:1355:9:1355:12 | raw2 | | +| atl.cpp:1354:18:1354:22 | ref arg & ... | atl.cpp:1354:19:1354:22 | raw2 [inner post update] | | +| atl.cpp:1354:18:1354:22 | ref arg & ... 
| atl.cpp:1355:9:1355:12 | raw2 | | +| atl.cpp:1354:19:1354:22 | raw2 | atl.cpp:1354:18:1354:22 | & ... | | +| atl.cpp:1355:9:1355:12 | raw2 | atl.cpp:1355:8:1355:12 | * ... | TAINT | +| atl.cpp:1360:11:1360:21 | call to source | atl.cpp:1361:42:1361:42 | x | | +| atl.cpp:1361:34:1361:43 | new | atl.cpp:1361:34:1361:44 | call to ComPtr | TAINT | +| atl.cpp:1361:34:1361:44 | call to ComPtr | atl.cpp:1363:3:1363:4 | p1 | | +| atl.cpp:1361:34:1361:44 | call to ComPtr | atl.cpp:1365:9:1365:10 | p1 | | +| atl.cpp:1361:34:1361:44 | call to ComPtr | atl.cpp:1366:1:1366:1 | p1 | | +| atl.cpp:1361:42:1361:42 | x | atl.cpp:1361:34:1361:43 | new | | +| atl.cpp:1362:31:1362:32 | call to ComPtr | atl.cpp:1363:11:1363:12 | p2 | | +| atl.cpp:1362:31:1362:32 | call to ComPtr | atl.cpp:1364:9:1364:10 | p2 | | +| atl.cpp:1362:31:1362:32 | call to ComPtr | atl.cpp:1366:1:1366:1 | p2 | | +| atl.cpp:1363:3:1363:4 | ref arg p1 | atl.cpp:1365:9:1365:10 | p1 | | +| atl.cpp:1363:3:1363:4 | ref arg p1 | atl.cpp:1366:1:1366:1 | p1 | | +| atl.cpp:1363:11:1363:12 | ref arg p2 | atl.cpp:1364:9:1364:10 | p2 | | +| atl.cpp:1363:11:1363:12 | ref arg p2 | atl.cpp:1366:1:1366:1 | p2 | | +| atl.cpp:1364:9:1364:10 | ref arg p2 | atl.cpp:1366:1:1366:1 | p2 | | +| atl.cpp:1364:12:1364:14 | call to Get | atl.cpp:1364:8:1364:16 | * ... | TAINT | +| atl.cpp:1365:9:1365:10 | ref arg p1 | atl.cpp:1366:1:1366:1 | p1 | | +| atl.cpp:1365:12:1365:14 | call to Get | atl.cpp:1365:8:1365:16 | * ... 
| TAINT | +| atl.cpp:1370:11:1370:21 | call to source | atl.cpp:1371:42:1371:42 | x | | +| atl.cpp:1370:11:1370:21 | call to source | atl.cpp:1374:48:1374:48 | x | | +| atl.cpp:1370:11:1370:21 | call to source | atl.cpp:1377:42:1377:42 | x | | | atl.cpp:1371:34:1371:43 | new | atl.cpp:1371:34:1371:44 | call to ComPtr | TAINT | -| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1372:14:1372:15 | p3 | | -| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1374:1:1374:1 | p3 | | +| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1372:10:1372:11 | p1 | | +| atl.cpp:1371:34:1371:44 | call to ComPtr | atl.cpp:1380:1:1380:1 | p1 | | | atl.cpp:1371:42:1371:42 | x | atl.cpp:1371:34:1371:43 | new | | -| atl.cpp:1372:14:1372:15 | ref arg p3 | atl.cpp:1374:1:1374:1 | p3 | | -| atl.cpp:1372:17:1372:38 | call to ReleaseAndGetAddressOf | atl.cpp:1373:10:1373:11 | pp | | -| atl.cpp:1373:9:1373:11 | * ... | atl.cpp:1373:8:1373:11 | * ... | TAINT | -| atl.cpp:1373:10:1373:11 | pp | atl.cpp:1373:9:1373:11 | * ... | TAINT | +| atl.cpp:1372:9:1372:26 | * ... | atl.cpp:1372:8:1372:26 | * ... | TAINT | +| atl.cpp:1372:10:1372:11 | ref arg p1 | atl.cpp:1380:1:1380:1 | p1 | | +| atl.cpp:1372:13:1372:24 | call to GetAddressOf | atl.cpp:1372:9:1372:26 | * ... | TAINT | +| atl.cpp:1374:40:1374:49 | new | atl.cpp:1374:40:1374:50 | call to ComPtr | TAINT | +| atl.cpp:1374:40:1374:50 | call to ComPtr | atl.cpp:1375:10:1375:11 | p2 | | +| atl.cpp:1374:40:1374:50 | call to ComPtr | atl.cpp:1380:1:1380:1 | p2 | | +| atl.cpp:1374:48:1374:48 | x | atl.cpp:1374:40:1374:49 | new | | +| atl.cpp:1375:9:1375:26 | * ... | atl.cpp:1375:8:1375:26 | * ... | TAINT | +| atl.cpp:1375:10:1375:11 | ref arg p2 | atl.cpp:1380:1:1380:1 | p2 | | +| atl.cpp:1375:13:1375:24 | call to GetAddressOf | atl.cpp:1375:9:1375:26 | * ... 
| TAINT | +| atl.cpp:1377:34:1377:43 | new | atl.cpp:1377:34:1377:44 | call to ComPtr | TAINT | +| atl.cpp:1377:34:1377:44 | call to ComPtr | atl.cpp:1378:14:1378:15 | p3 | | +| atl.cpp:1377:34:1377:44 | call to ComPtr | atl.cpp:1380:1:1380:1 | p3 | | +| atl.cpp:1377:42:1377:42 | x | atl.cpp:1377:34:1377:43 | new | | +| atl.cpp:1378:14:1378:15 | ref arg p3 | atl.cpp:1380:1:1380:1 | p3 | | +| atl.cpp:1378:17:1378:38 | call to ReleaseAndGetAddressOf | atl.cpp:1379:10:1379:11 | pp | | +| atl.cpp:1379:9:1379:11 | * ... | atl.cpp:1379:8:1379:11 | * ... | TAINT | +| atl.cpp:1379:10:1379:11 | pp | atl.cpp:1379:9:1379:11 | * ... | TAINT | | bsd.cpp:17:11:17:16 | call to source | bsd.cpp:20:18:20:18 | s | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:20:22:20:25 | addr | | | bsd.cpp:18:12:18:15 | addr | bsd.cpp:23:8:23:11 | addr | | diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index 1c26627c349a..d0c1819ab8de 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -46427,6 +46427,7 @@ getParameterTypeName | atl.cpp:1285:13:1285:18 | CopyTo | 0 | GUID * | | atl.cpp:1285:13:1285:18 | CopyTo | 0 | REFIID | | atl.cpp:1285:13:1285:18 | CopyTo | 1 | void ** | +| atl.cpp:1288:13:1288:18 | CopyTo | 0 | func:0 ** | | atl.cpp:1303:10:1303:13 | Swap | 0 | ComPtr & | | atl.cpp:1310:25:1310:28 | move | 0 | func:0 & | | bsd.cpp:6:8:6:8 | operator= | 0 | const sockaddr & | From bebfe031660f3097d6e209d98a75e05af76c8d54 Mon Sep 17 00:00:00 2001 
From: Mathias Vorreiter Pedersen
Date: Wed, 27 Aug 2025 15:15:26 +0200
Subject: [PATCH 7/7] C++: Add missing model and accept test changes.
---
 cpp/ql/lib/ext/ComPtr.model.yml | 1 +
 cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp | 2 +-
 .../dataflow/taint-tests/test_mad-signatures.expected | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/lib/ext/ComPtr.model.yml b/cpp/ql/lib/ext/ComPtr.model.yml
index 236d4d66f38c..e6dbc781f957 100644
--- a/cpp/ql/lib/ext/ComPtr.model.yml
+++ b/cpp/ql/lib/ext/ComPtr.model.yml
@@ -11,6 +11,7 @@ extensions:
 - ["Microsoft::WRL", "ComPtr", True, "AsWeak", "", "", "Argument[-1]", "Argument[*0]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Attach", "", "", "Argument[*@0]", "Argument[-1].Element[@]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
+ - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(T **)", "", "Argument[-1].Element[@]", "Argument[**@0]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "CopyTo", "(REFIID,void **)", "", "Argument[-1].Element[@]", "Argument[**@1]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Detach", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
 - ["Microsoft::WRL", "ComPtr", True, "Get", "", "", "Argument[-1].Element[@]", "ReturnValue[*]", "value", "manual"]
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
index a2023d546ab7..5d6b052448ac 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/atl.cpp
@@ -1352,7 +1352,7 @@ void test_CopyTo()

 int* raw2 = nullptr;
 p3.CopyTo(&raw2);
- sink(*raw2); // $ MISSING: ast,ir
+ sink(*raw2); // $ ir MISSING: ast
 }

 void test_Swap()
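Review bot: The added `CopyTo` row is, as rendered here, character-for-character identical to the `"(T **)"` row directly above it: same signature, same `Argument[-1].Element[@]` source and `Argument[**@0]` target. Extension rows form a set, so a genuine duplicate cannot change query results, yet the `test_mad-signatures.expected` changes in this same patch show the `(T **)` signature now matching both the `class:0 **` overload at atl.cpp:1283 and the `func:0 **` template overload at atl.cpp:1288, which suggests the two rows differ in a detail this rendering has lost. Either way a reader of the model file cannot tell the rows apart or see why both are needed; a comment above each, e.g. `# non-template member overload CopyTo(InterfaceType **)` and `# function-template overload (func:0 ** parameter)`, would document the distinction, and if the rows really are identical the new one should be dropped and the expectation change traced to its actual cause.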
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected index d0c1819ab8de..361ead807031 100644 --- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected +++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected @@ -5575,6 +5575,7 @@ signatureMatches | atl.cpp:1285:13:1285:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 0 | | atl.cpp:1285:13:1285:18 | CopyTo | (REFIID,void **) | ComPtr | CopyTo | 1 | | atl.cpp:1285:13:1285:18 | CopyTo | (size_t,void **) | | __libc_alloc_buffer_allocate | 1 | +| atl.cpp:1288:13:1288:18 | CopyTo | (T **) | ComPtr | CopyTo | 0 | | bsd.cpp:12:5:12:10 | accept | (CURLM *,curl_socket_t,int *) | | curl_multi_socket | 2 | | bsd.cpp:12:5:12:10 | accept | (Curl_easy *,ssize_t *,int *) | | Curl_GetFTPResponse | 2 | | bsd.cpp:12:5:12:10 | accept | (EVP_CIPHER_CTX *,unsigned char *,int *) | | EVP_CipherFinal | 2 | @@ -30175,6 +30176,7 @@ getSignatureParameterName | (Strtab *,size_t *) | | strtabfinalize | 0 | Strtab * | | (Strtab *,size_t *) | | strtabfinalize | 1 | size_t * | | (T *) | ComPtr | ComPtr | 0 | func:0 * | +| (T **) | ComPtr | CopyTo | 0 | func:0 ** | | (T **) | ComPtr | CopyTo | 0 | class:0 ** | | (TLS_FEATURE *) | | TLS_FEATURE_free | 0 | TLS_FEATURE * | | (TLS_RL_RECORD *,const unsigned char *) | | ossl_tls_rl_record_set_seq_num | 0 | TLS_RL_RECORD * |