C++: Switch to taint flow as suggested in the old PR.

geoffw0 · geoffw0 · commit 73171682b77d · 2020-04-02T19:49:41.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strings.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strings.qll
@@ -1,15 +1,14 @@
-import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.Taint
 
 /**
  * The `std::basic_string` constructor(s).
  */
-class StringConstructor extends DataFlowFunction {
+class StringConstructor extends TaintFunction {
   StringConstructor() {
     this.hasQualifiedName("std", "basic_string", "basic_string")
   }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any constructor argument to return value
     input.isInParameter(_) and
     output.isOutReturnValue()
@@ -19,12 +18,12 @@ class StringConstructor extends DataFlowFunction {
 /**
  * The standard function `std::string.c_str`.
  */
-class StringCStr extends DataFlowFunction {
+class StringCStr extends TaintFunction {
   StringCStr() {
     this.hasQualifiedName("std", "basic_string", "c_str")
   }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isInQualifier() and
     output.isOutReturnValue()
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -106,12 +106,14 @@
 | format.cpp:131:39:131:45 | ref arg & ... | format.cpp:132:8:132:13 | buffer |  |
 | format.cpp:131:40:131:45 | buffer | format.cpp:131:39:131:45 | & ... |  |
 | stl.cpp:67:12:67:17 | call to source | stl.cpp:71:7:71:7 | a |  |
-| stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string |  |
+| stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string | TAINT |
 | stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:72:7:72:7 | b |  |
 | stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:74:7:74:7 | b |  |
-| stl.cpp:69:16:69:21 | call to source | stl.cpp:69:16:69:24 | call to basic_string |  |
+| stl.cpp:69:16:69:21 | call to source | stl.cpp:69:16:69:24 | call to basic_string | TAINT |
 | stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:73:7:73:7 | c |  |
 | stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:75:7:75:7 | c |  |
+| stl.cpp:74:7:74:7 | b | stl.cpp:74:9:74:13 | call to c_str | TAINT |
+| stl.cpp:75:7:75:7 | c | stl.cpp:75:9:75:13 | call to c_str | TAINT |
 | stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:83:2:83:4 | ss1 |  |
 | stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:89:7:89:9 | ss1 |  |
 | stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:94:7:94:9 | ss1 |  |
@@ -127,7 +129,7 @@
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:87:2:87:4 | ss5 |  |
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:93:7:93:9 | ss5 |  |
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:98:7:98:9 | ss5 |  |
-| stl.cpp:81:16:81:21 | call to source | stl.cpp:81:16:81:24 | call to basic_string |  |
+| stl.cpp:81:16:81:21 | call to source | stl.cpp:81:16:81:24 | call to basic_string | TAINT |
 | stl.cpp:81:16:81:24 | call to basic_string | stl.cpp:87:9:87:9 | t |  |
 | stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:89:7:89:9 | ss1 |  |
 | stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:94:7:94:9 | ss1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
@@ -72,7 +72,7 @@ void test_string()
 	sink(b);
 	sink(c); // tainted
 	sink(b.c_str());
-	sink(c.c_str()); // tainted [NOT DETECTED]
+	sink(c.c_str()); // tainted
 }
 
 void test_stringstream()
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -10,6 +10,7 @@
 | format.cpp:106:8:106:14 | wbuffer | format.cpp:105:38:105:52 | call to source |
 | stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
 | stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
+| stl.cpp:75:9:75:13 | call to c_str | stl.cpp:69:16:69:21 | call to source |
 | taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
 | taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
 | taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -9,6 +9,7 @@
 | format.cpp:101:8:101:13 | format.cpp:100:31:100:45 | AST only |
 | format.cpp:106:8:106:14 | format.cpp:105:38:105:52 | AST only |
 | stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
+| stl.cpp:75:9:75:13 | stl.cpp:69:16:69:21 | AST only |
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ void test_string()`
`72`	`72`	`sink(b);`
`73`	`73`	`sink(c); // tainted`
`74`	`74`	`sink(b.c_str());`
`75`		`- sink(c.c_str()); // tainted [NOT DETECTED]`
	`75`	`+ sink(c.c_str()); // tainted`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`void test_stringstream()`