C++: Add type check to prevent field conflation

jbj · jbj · commit 038bea2f52e3 · 2020-05-13T09:25:24.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -492,8 +492,15 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   // `LoadInstruction` together directly, this rule will break if there's any
   // reassignment of the parameter indirection, including a conditional one that
   // leads to a phi node.
-  iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() =
-    iFrom.(InitializeIndirectionInstruction)
+  exists(InitializeIndirectionInstruction init |
+    iFrom = init and
+    iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = init and
+    // Check that the types match. Otherwise we can get flow from an object to
+    // its fields, which leads to field conflation when there's flow from other
+    // fields to the object elsewhere.
+    init.getParameter().getType().getUnspecifiedType().(DerivedType).getBaseType() =
+      iTo.getResultType().getUnspecifiedType()
+  )
   or
   // Treat all conversions as flow, even conversions between different numeric types.
   iTo.(ConvertInstruction).getUnary() = iFrom
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
@@ -115,15 +115,12 @@
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | defaulttainttracking.cpp:113:9:113:24 | access to array |
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | defaulttainttracking.cpp:114:10:114:10 | x |
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | test_diff.cpp:2:11:2:13 | p#0 |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:10:11:10:13 | p#0 |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:120:11:120:16 | call to getenv |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:120:11:120:26 | (int)... |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:120:11:120:26 | access to array |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:123:23:123:24 | pp |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:124:8:124:9 | pp |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:124:12:124:12 | y |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:130:13:130:14 | & ... |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | test_diff.cpp:2:11:2:13 | p#0 |
 | globals.cpp:5:20:5:25 | call to getenv | globals.cpp:2:17:2:25 | sinkParam |
 | globals.cpp:5:20:5:25 | call to getenv | globals.cpp:5:12:5:16 | local |
 | globals.cpp:5:20:5:25 | call to getenv | globals.cpp:5:20:5:25 | call to getenv |
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
@@ -27,13 +27,10 @@
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | defaulttainttracking.cpp:113:5:113:5 | x | AST only |
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | defaulttainttracking.cpp:114:10:114:10 | x | IR only |
 | defaulttainttracking.cpp:113:9:113:14 | call to getenv | test_diff.cpp:2:11:2:13 | p#0 | IR only |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:10:11:10:13 | p#0 | IR only |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:120:7:120:7 | x | AST only |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:123:23:123:24 | pp | IR only |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:124:8:124:9 | pp | IR only |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:124:12:124:12 | y | IR only |
 | defaulttainttracking.cpp:120:11:120:16 | call to getenv | defaulttainttracking.cpp:130:13:130:14 | & ... | IR only |
-| defaulttainttracking.cpp:120:11:120:16 | call to getenv | test_diff.cpp:2:11:2:13 | p#0 | IR only |
 | globals.cpp:13:15:13:20 | call to getenv | globals.cpp:13:5:13:11 | global1 | AST only |
 | globals.cpp:23:15:23:20 | call to getenv | globals.cpp:23:5:23:11 | global2 | AST only |
 | test_diff.cpp:104:12:104:15 | argv | test_diff.cpp:104:11:104:20 | (...) | IR only |
