C++: Taint through std::string append.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -12,3 +12,19 @@ class StdStringCStr extends TaintFunction {
     output.isReturnValue()
   }
 }
+
+/**
+ * The `std::string` function `append`.
+ */
+class StdStringAppend extends TaintFunction {
+  StdStringAppend() { this.hasQualifiedName("std", "basic_string", "append") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to string itself (qualifier) and return value
+    input.isParameterDeref(0) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -546,13 +546,19 @@
 | stl.cpp:351:8:351:9 | s3 | stl.cpp:352:3:352:4 | s8 |  |
 | stl.cpp:351:8:351:9 | s3 | stl.cpp:353:8:353:9 | s8 |  |
 | stl.cpp:352:3:352:4 | ref arg s8 | stl.cpp:353:8:353:9 | s8 |  |
+| stl.cpp:352:13:352:14 | s4 | stl.cpp:352:3:352:4 | ref arg s8 | TAINT |
+| stl.cpp:352:13:352:14 | s4 | stl.cpp:352:6:352:11 | call to append | TAINT |
 | stl.cpp:355:8:355:9 | s3 | stl.cpp:355:3:355:9 | ... = ... |  |
 | stl.cpp:355:8:355:9 | s3 | stl.cpp:356:3:356:4 | s9 |  |
 | stl.cpp:355:8:355:9 | s3 | stl.cpp:357:3:357:4 | s9 |  |
 | stl.cpp:355:8:355:9 | s3 | stl.cpp:358:8:358:9 | s9 |  |
 | stl.cpp:356:3:356:4 | ref arg s9 | stl.cpp:357:3:357:4 | s9 |  |
 | stl.cpp:356:3:356:4 | ref arg s9 | stl.cpp:358:8:358:9 | s9 |  |
+| stl.cpp:356:13:356:18 | call to source | stl.cpp:356:3:356:4 | ref arg s9 | TAINT |
+| stl.cpp:356:13:356:18 | call to source | stl.cpp:356:6:356:11 | call to append | TAINT |
 | stl.cpp:357:3:357:4 | ref arg s9 | stl.cpp:358:8:358:9 | s9 |  |
+| stl.cpp:357:13:357:15 |   | stl.cpp:357:3:357:4 | ref arg s9 | TAINT |
+| stl.cpp:357:13:357:15 |   | stl.cpp:357:6:357:11 | call to append | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | Unknown literal | structlikeclass.cpp:5:7:5:7 | constructor init of field v | TAINT |
 | structlikeclass.cpp:5:7:5:7 | this | structlikeclass.cpp:5:7:5:7 | constructor init of field v [pre-this] |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp

@@ -350,11 +350,11 @@ void test_string_append() {
 
 		s8 = s3;
 		s8.append(s4);
-		sink(s8); // tainted [NOT DETECTED]
+		sink(s8); // tainted
 
 		s9 = s3;
 		s9.append(source());
 		s9.append(" ");
-		sink(s9); // tainted [NOT DETECTED]
+		sink(s9); // tainted
 	}
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -53,6 +53,8 @@
 | stl.cpp:303:8:303:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:311:8:311:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:316:8:316:8 | x | stl.cpp:296:43:296:49 | source1 |
+| stl.cpp:353:8:353:9 | s8 | stl.cpp:336:18:336:23 | call to source |
+| stl.cpp:358:8:358:9 | s9 | stl.cpp:356:13:356:18 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -50,6 +50,8 @@
 | stl.cpp:303:8:303:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:311:8:311:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:316:8:316:8 | stl.cpp:296:43:296:49 | AST only |
+| stl.cpp:353:8:353:9 | stl.cpp:336:18:336:23 | AST only |
+| stl.cpp:358:8:358:9 | stl.cpp:356:13:356:18 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |