C++: Taint through std::string operator+.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -1,5 +1,12 @@
 import semmle.code.cpp.models.interfaces.Taint
 
+/**
+ * The `std::basic_string` template class.
+ */
+class StdBasicString extends TemplateClass {
+  StdBasicString() { this.hasQualifiedName("std", "basic_string") }
+}
+
 /**
  * The standard function `std::string.c_str`.
  */
@@ -13,6 +20,25 @@ class StdStringCStr extends TaintFunction {
   }
 }
 
+/**
+ * The `std::string` function `operator+`.
+ */
+class StdStringPlus extends TaintFunction {
+  StdStringPlus() {
+    this.hasQualifiedName("std", "operator+") and
+    this.getParameter(0).getType().getUnspecifiedType().(ReferenceType).getBaseType() = any(StdBasicString s).getAnInstantiation()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameters to return value
+    (
+      input.isParameterDeref(0) or
+      input.isParameterDeref(1)
+    ) and
+    output.isReturnValueDeref()
+  }
+}
+
 /**
  * The `std::string` function `append`.
  */

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -519,6 +519,18 @@
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:327:8:327:9 | s2 |  |
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:328:8:328:9 | s2 |  |
 | stl.cpp:323:18:323:26 | call to basic_string | stl.cpp:328:13:328:14 | s2 |  |
+| stl.cpp:325:8:325:9 | s1 | stl.cpp:325:11:325:11 | call to operator+ | TAINT |
+| stl.cpp:325:13:325:14 | s1 | stl.cpp:325:11:325:11 | call to operator+ | TAINT |
+| stl.cpp:326:8:326:9 | s1 | stl.cpp:326:11:326:11 | call to operator+ | TAINT |
+| stl.cpp:326:13:326:14 | s2 | stl.cpp:326:11:326:11 | call to operator+ | TAINT |
+| stl.cpp:327:8:327:9 | s2 | stl.cpp:327:11:327:11 | call to operator+ | TAINT |
+| stl.cpp:327:13:327:14 | s1 | stl.cpp:327:11:327:11 | call to operator+ | TAINT |
+| stl.cpp:328:8:328:9 | s2 | stl.cpp:328:11:328:11 | call to operator+ | TAINT |
+| stl.cpp:328:13:328:14 | s2 | stl.cpp:328:11:328:11 | call to operator+ | TAINT |
+| stl.cpp:330:8:330:9 | s1 | stl.cpp:330:11:330:11 | call to operator+ | TAINT |
+| stl.cpp:330:13:330:20 |  world | stl.cpp:330:11:330:11 | call to operator+ | TAINT |
+| stl.cpp:331:8:331:9 | s1 | stl.cpp:331:11:331:11 | call to operator+ | TAINT |
+| stl.cpp:331:13:331:18 | call to source | stl.cpp:331:11:331:11 | call to operator+ | TAINT |
 | stl.cpp:335:18:335:22 | abc | stl.cpp:335:18:335:23 | call to basic_string | TAINT |
 | stl.cpp:335:18:335:23 | call to basic_string | stl.cpp:339:8:339:9 | s3 |  |
 | stl.cpp:335:18:335:23 | call to basic_string | stl.cpp:342:8:342:9 | s3 |  |
@@ -529,8 +541,10 @@
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:339:13:339:14 | s4 |  |
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:343:9:343:10 | s4 |  |
 | stl.cpp:336:18:336:26 | call to basic_string | stl.cpp:352:13:352:14 | s4 |  |
+| stl.cpp:339:8:339:9 | s3 | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
 | stl.cpp:339:11:339:11 | call to operator+ | stl.cpp:339:3:339:14 | ... = ... |  |
 | stl.cpp:339:11:339:11 | call to operator+ | stl.cpp:340:8:340:9 | s5 |  |
+| stl.cpp:339:13:339:14 | s4 | stl.cpp:339:11:339:11 | call to operator+ | TAINT |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:342:3:342:9 | ... = ... |  |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:343:3:343:4 | s6 |  |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:344:8:344:9 | s6 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp

@@ -323,12 +323,12 @@ void test_string_append() {
 		std::string s2(source());
 
 		sink(s1 + s1);
-		sink(s1 + s2); // tainted [NOT DETECTED]
-		sink(s2 + s1); // tainted [NOT DETECTED]
-		sink(s2 + s2); // tainted [NOT DETECTED]
+		sink(s1 + s2); // tainted
+		sink(s2 + s1); // tainted
+		sink(s2 + s2); // tainted
 
 		sink(s1 + " world");
-		sink(s1 + source()); // tainted [NOT DETECTED]
+		sink(s1 + source()); // tainted
 	}
 
 	{
@@ -337,7 +337,7 @@ void test_string_append() {
 		std::string s5, s6, s7, s8, s9;
 
 		s5 = s3 + s4;
-		sink(s5); // tainted [NOT DETECTED]
+		sink(s5); // tainted
 
 		s6 = s3;
 		s6 += s4;

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -53,6 +53,11 @@
 | stl.cpp:303:8:303:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:311:8:311:8 | x | stl.cpp:296:43:296:49 | source1 |
 | stl.cpp:316:8:316:8 | x | stl.cpp:296:43:296:49 | source1 |
+| stl.cpp:326:11:326:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:327:11:327:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:328:11:328:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
+| stl.cpp:331:11:331:11 | call to operator+ | stl.cpp:331:13:331:18 | call to source |
+| stl.cpp:340:8:340:9 | s5 | stl.cpp:336:18:336:23 | call to source |
 | stl.cpp:353:8:353:9 | s8 | stl.cpp:336:18:336:23 | call to source |
 | stl.cpp:358:8:358:9 | s9 | stl.cpp:356:13:356:18 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -50,6 +50,11 @@
 | stl.cpp:303:8:303:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:311:8:311:8 | stl.cpp:296:43:296:49 | AST only |
 | stl.cpp:316:8:316:8 | stl.cpp:296:43:296:49 | AST only |
+| stl.cpp:326:11:326:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:327:11:327:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:328:11:328:11 | stl.cpp:323:18:323:23 | AST only |
+| stl.cpp:331:11:331:11 | stl.cpp:331:13:331:18 | AST only |
+| stl.cpp:340:8:340:9 | stl.cpp:336:18:336:23 | AST only |
 | stl.cpp:353:8:353:9 | stl.cpp:336:18:336:23 | AST only |
 | stl.cpp:358:8:358:9 | stl.cpp:356:13:356:18 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |