C++: Add models for std::string (as in old PR).

geoffw0 · geoffw0 · commit b14b52d0ac8a · 2020-04-02T19:49:41.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -12,4 +12,5 @@ private import implementations.Strcat
 private import implementations.Strcpy
 private import implementations.Strdup
 private import implementations.Strftime
+private import implementations.Strings
 private import implementations.Swap
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strings.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strings.qll
@@ -0,0 +1,32 @@
+import semmle.code.cpp.models.interfaces.DataFlow
+import semmle.code.cpp.models.interfaces.Taint
+
+/**
+ * The `std::basic_string` constructor(s).
+ */
+class StringConstructor extends DataFlowFunction {
+  StringConstructor() {
+    this.hasQualifiedName("std", "basic_string", "basic_string")
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from any constructor argument to return value
+    input.isInParameter(_) and
+    output.isOutReturnValue()
+  }
+}
+
+/**
+ * The standard function `std::string.c_str`.
+ */
+class StringCStr extends DataFlowFunction {
+  StringCStr() {
+    this.hasQualifiedName("std", "basic_string", "c_str")
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    // flow from string itself (qualifier) to return value
+    input.isInQualifier() and
+    output.isOutReturnValue()
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -106,8 +106,10 @@
 | format.cpp:131:39:131:45 | ref arg & ... | format.cpp:132:8:132:13 | buffer |  |
 | format.cpp:131:40:131:45 | buffer | format.cpp:131:39:131:45 | & ... |  |
 | stl.cpp:67:12:67:17 | call to source | stl.cpp:71:7:71:7 | a |  |
+| stl.cpp:68:16:68:20 | 123 | stl.cpp:68:16:68:21 | call to basic_string |  |
 | stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:72:7:72:7 | b |  |
 | stl.cpp:68:16:68:21 | call to basic_string | stl.cpp:74:7:74:7 | b |  |
+| stl.cpp:69:16:69:21 | call to source | stl.cpp:69:16:69:24 | call to basic_string |  |
 | stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:73:7:73:7 | c |  |
 | stl.cpp:69:16:69:24 | call to basic_string | stl.cpp:75:7:75:7 | c |  |
 | stl.cpp:80:20:80:22 | call to basic_stringstream | stl.cpp:83:2:83:4 | ss1 |  |
@@ -125,6 +127,7 @@
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:87:2:87:4 | ss5 |  |
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:93:7:93:9 | ss5 |  |
 | stl.cpp:80:40:80:42 | call to basic_stringstream | stl.cpp:98:7:98:9 | ss5 |  |
+| stl.cpp:81:16:81:21 | call to source | stl.cpp:81:16:81:24 | call to basic_string |  |
 | stl.cpp:81:16:81:24 | call to basic_string | stl.cpp:87:9:87:9 | t |  |
 | stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:89:7:89:9 | ss1 |  |
 | stl.cpp:83:2:83:4 | ref arg ss1 | stl.cpp:94:7:94:9 | ss1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
@@ -70,7 +70,7 @@ void test_string()
 
 	sink(a); // tainted
 	sink(b);
-	sink(c); // tainted [NOT DETECTED]
+	sink(c); // tainted
 	sink(b.c_str());
 	sink(c.c_str()); // tainted [NOT DETECTED]
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -9,6 +9,7 @@
 | format.cpp:101:8:101:13 | buffer | format.cpp:100:31:100:45 | call to source |
 | format.cpp:106:8:106:14 | wbuffer | format.cpp:105:38:105:52 | call to source |
 | stl.cpp:71:7:71:7 | a | stl.cpp:67:12:67:17 | call to source |
+| stl.cpp:73:7:73:7 | c | stl.cpp:69:16:69:21 | call to source |
 | taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
 | taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
 | taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -8,6 +8,7 @@
 | format.cpp:96:8:96:13 | format.cpp:95:30:95:43 | AST only |
 | format.cpp:101:8:101:13 | format.cpp:100:31:100:45 | AST only |
 | format.cpp:106:8:106:14 | format.cpp:105:38:105:52 | AST only |
+| stl.cpp:73:7:73:7 | stl.cpp:69:16:69:21 | AST only |
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ void test_string()`
`70`	`70`
`71`	`71`	`sink(a); // tainted`
`72`	`72`	`sink(b);`
`73`		`- sink(c); // tainted [NOT DETECTED]`
	`73`	`+ sink(c); // tainted`
`74`	`74`	`sink(b.c_str());`
`75`	`75`	`sink(c.c_str()); // tainted [NOT DETECTED]`
`76`	`76`	`}`