Merge pull request github#4045 from geoffw0/plus

rdmarsh2 · web-flow · commit ed06604b464f · 2020-08-13T16:59:47.000-04:00
C++: Model more of std::string in models.
diff --git a/change-notes/1.26/analysis-cpp.md b/change-notes/1.26/analysis-cpp.md
@@ -18,5 +18,6 @@ The following changes in version 1.26 affect C/C++ analysis in all applications.
 
 ## Changes to libraries
 
+* The models library now models more taint flows through `std::string`.
 * The `SimpleRangeAnalysis` library now supports multiplications of the form
   `e1 * e2` when `e1` and `e2` are unsigned.
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll
@@ -1,5 +1,12 @@
 import semmle.code.cpp.models.interfaces.Taint
 
+/**
+ * The `std::basic_string` template class.
+ */
+class StdBasicString extends TemplateClass {
+  StdBasicString() { this.hasQualifiedName("std", "basic_string") }
+}
+
 /**
  * The standard function `std::string.c_str`.
  */
@@ -12,3 +19,51 @@ class StdStringCStr extends TaintFunction {
     output.isReturnValue()
   }
 }
+
+/**
+ * The `std::string` function `operator+`.
+ */
+class StdStringPlus extends TaintFunction {
+  StdStringPlus() {
+    this.hasQualifiedName("std", "operator+") and
+    this.getUnspecifiedType() = any(StdBasicString s).getAnInstantiation()
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameters to return value
+    (
+      input.isParameterDeref(0) or
+      input.isParameterDeref(1)
+    ) and
+    output.isReturnValue()
+  }
+}
+
+/**
+ * The `std::string` functions `operator+=` and `append`.
+ */
+class StdStringAppend extends TaintFunction {
+  StdStringAppend() {
+    this.hasQualifiedName("std", "basic_string", "operator+=") or
+    this.hasQualifiedName("std", "basic_string", "append")
+  }
+
+  /**
+   * Gets the index of a parameter to this function that is a string (or
+   * character).
+   */
+  int getAStringParameter() {
+    getParameter(result).getType() instanceof PointerType or
+    getParameter(result).getType() instanceof ReferenceType or
+    getParameter(result).getType() = getDeclaringType().getTemplateArgument(0) // i.e. `std::basic_string::CharT`
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // flow from parameter to string itself (qualifier) and return value
+    input.isParameterDeref(getAStringParameter()) and
+    (
+      output.isQualifierObject() or
+      output.isReturnValueDeref()
+    )
+  }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp
@@ -30,11 +30,14 @@ namespace std
 	template <class T> class allocator {
 	public:
 		allocator() throw();
+		typedef size_t size_type;
 	};
 	
 	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
 	class basic_string {
 	public:
+		typedef typename Allocator::size_type size_type;
+
 		explicit basic_string(const Allocator& a = Allocator());
 		basic_string(const charT* s, const Allocator& a = Allocator());
 
@@ -49,8 +52,17 @@ namespace std
 		const_iterator end() const;
 		const_iterator cbegin() const;
 		const_iterator cend() const;
+
+		template<class T> basic_string& operator+=(const T& t);
+		basic_string& operator+=(const charT* s);
+		basic_string& append(const basic_string& str);
+		basic_string& append(const charT* s);
+		basic_string& append(size_type n, charT c);
 	};
 
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
+
 	typedef basic_string<char> string;
 
 	template <class charT, class traits = char_traits<charT> >
@@ -308,3 +320,58 @@ void test_range_based_for_loop_vector(int source1) {
 		sink(x); // tainted [NOT DETECTED by IR]
 	}
 }
+
+namespace ns_char
+{
+	char source();
+}
+
+void test_string_append() {
+	{
+		std::string s1("hello");
+		std::string s2(source());
+
+		sink(s1 + s1);
+		sink(s1 + s2); // tainted
+		sink(s2 + s1); // tainted
+		sink(s2 + s2); // tainted
+	
+		sink(s1 + " world");
+		sink(s1 + source()); // tainted
+	}
+
+	{
+		std::string s3("abc");
+		std::string s4(source());
+		std::string s5, s6, s7, s8, s9;
+
+		s5 = s3 + s4;
+		sink(s5); // tainted
+
+		s6 = s3;
+		s6 += s4;
+		sink(s6); // tainted
+
+		s7 = s3;
+		s7 += source();
+		s7 += " ";
+		sink(s7); // tainted
+
+		s8 = s3;
+		s8.append(s4);
+		sink(s8); // tainted
+
+		s9 = s3;
+		s9.append(source());
+		s9.append(" ");
+		sink(s9); // tainted
+	}
+
+	{
+		std::string s10("abc");
+		char c = ns_char::source();
+
+		s10.append(1, c);
+		sink(s10); // tainted
+	}
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -32,27 +32,37 @@
 | movableclass.cpp:55:8:55:9 | s2 | movableclass.cpp:52:23:52:28 | call to source |
 | movableclass.cpp:64:8:64:9 | s2 | movableclass.cpp:23:55:23:60 | call to source |
 | movableclass.cpp:65:11:65:11 | call to operator= | movableclass.cpp:65:13:65:18 | call to source |
-| stl.cpp:101:7:101:7 | a | stl.cpp:97:12:97:17 | call to source |
-| stl.cpp:103:7:103:7 | c | stl.cpp:99:16:99:21 | call to source |
-| stl.cpp:105:9:105:13 | call to c_str | stl.cpp:99:16:99:21 | call to source |
-| stl.cpp:155:13:155:17 | call to c_str | stl.cpp:147:10:147:15 | call to source |
-| stl.cpp:159:13:159:17 | call to c_str | stl.cpp:147:10:147:15 | call to source |
-| stl.cpp:162:13:162:17 | call to c_str | stl.cpp:147:10:147:15 | call to source |
-| stl.cpp:172:7:172:8 | cs | stl.cpp:167:19:167:24 | call to source |
-| stl.cpp:173:7:173:8 | ss | stl.cpp:167:19:167:24 | call to source |
-| stl.cpp:186:7:186:8 | cs | stl.cpp:178:19:178:24 | call to source |
-| stl.cpp:187:7:187:8 | ss | stl.cpp:178:19:178:24 | call to source |
-| stl.cpp:209:8:209:9 | s1 | stl.cpp:204:18:204:23 | call to source |
-| stl.cpp:210:8:210:9 | s2 | stl.cpp:205:20:205:25 | call to source |
-| stl.cpp:211:8:211:9 | s3 | stl.cpp:207:8:207:13 | call to source |
-| stl.cpp:230:8:230:9 | s1 | stl.cpp:226:32:226:37 | call to source |
-| stl.cpp:231:8:231:9 | s2 | stl.cpp:228:20:228:25 | call to source |
-| stl.cpp:240:8:240:8 | c | stl.cpp:238:16:238:21 | call to source |
-| stl.cpp:248:8:248:8 | c | stl.cpp:238:16:238:21 | call to source |
-| stl.cpp:253:8:253:8 | c | stl.cpp:251:28:251:33 | call to source |
-| stl.cpp:295:8:295:8 | x | stl.cpp:288:43:288:49 | source1 |
-| stl.cpp:303:8:303:8 | x | stl.cpp:288:43:288:49 | source1 |
-| stl.cpp:308:8:308:8 | x | stl.cpp:288:43:288:49 | source1 |
+| stl.cpp:113:7:113:7 | a | stl.cpp:109:12:109:17 | call to source |
+| stl.cpp:115:7:115:7 | c | stl.cpp:111:16:111:21 | call to source |
+| stl.cpp:117:9:117:13 | call to c_str | stl.cpp:111:16:111:21 | call to source |
+| stl.cpp:167:13:167:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
+| stl.cpp:171:13:171:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
+| stl.cpp:174:13:174:17 | call to c_str | stl.cpp:159:10:159:15 | call to source |
+| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:24 | call to source |
+| stl.cpp:185:7:185:8 | ss | stl.cpp:179:19:179:24 | call to source |
+| stl.cpp:198:7:198:8 | cs | stl.cpp:190:19:190:24 | call to source |
+| stl.cpp:199:7:199:8 | ss | stl.cpp:190:19:190:24 | call to source |
+| stl.cpp:221:8:221:9 | s1 | stl.cpp:216:18:216:23 | call to source |
+| stl.cpp:222:8:222:9 | s2 | stl.cpp:217:20:217:25 | call to source |
+| stl.cpp:223:8:223:9 | s3 | stl.cpp:219:8:219:13 | call to source |
+| stl.cpp:242:8:242:9 | s1 | stl.cpp:238:32:238:37 | call to source |
+| stl.cpp:243:8:243:9 | s2 | stl.cpp:240:20:240:25 | call to source |
+| stl.cpp:252:8:252:8 | c | stl.cpp:250:16:250:21 | call to source |
+| stl.cpp:260:8:260:8 | c | stl.cpp:250:16:250:21 | call to source |
+| stl.cpp:265:8:265:8 | c | stl.cpp:263:28:263:33 | call to source |
+| stl.cpp:307:8:307:8 | x | stl.cpp:300:43:300:49 | source1 |
+| stl.cpp:315:8:315:8 | x | stl.cpp:300:43:300:49 | source1 |
+| stl.cpp:320:8:320:8 | x | stl.cpp:300:43:300:49 | source1 |
+| stl.cpp:335:11:335:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
+| stl.cpp:336:11:336:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
+| stl.cpp:337:11:337:11 | call to operator+ | stl.cpp:332:18:332:23 | call to source |
+| stl.cpp:340:11:340:11 | call to operator+ | stl.cpp:340:13:340:18 | call to source |
+| stl.cpp:349:8:349:9 | s5 | stl.cpp:345:18:345:23 | call to source |
+| stl.cpp:353:8:353:9 | s6 | stl.cpp:345:18:345:23 | call to source |
+| stl.cpp:358:8:358:9 | s7 | stl.cpp:356:9:356:14 | call to source |
+| stl.cpp:362:8:362:9 | s8 | stl.cpp:345:18:345:23 | call to source |
+| stl.cpp:367:8:367:9 | s9 | stl.cpp:365:13:365:18 | call to source |
+| stl.cpp:375:8:375:10 | s10 | stl.cpp:372:12:372:26 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |
 | structlikeclass.cpp:36:8:36:9 | s2 | structlikeclass.cpp:30:24:30:29 | call to source |
 | structlikeclass.cpp:37:8:37:9 | s3 | structlikeclass.cpp:29:22:29:27 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -30,26 +30,36 @@
 | movableclass.cpp:55:8:55:9 | movableclass.cpp:52:23:52:28 | AST only |
 | movableclass.cpp:64:8:64:9 | movableclass.cpp:23:55:23:60 | AST only |
 | movableclass.cpp:65:11:65:11 | movableclass.cpp:65:13:65:18 | AST only |
-| stl.cpp:103:7:103:7 | stl.cpp:99:16:99:21 | AST only |
-| stl.cpp:105:9:105:13 | stl.cpp:99:16:99:21 | AST only |
-| stl.cpp:155:13:155:17 | stl.cpp:147:10:147:15 | AST only |
-| stl.cpp:159:13:159:17 | stl.cpp:147:10:147:15 | AST only |
-| stl.cpp:162:13:162:17 | stl.cpp:147:10:147:15 | AST only |
-| stl.cpp:172:7:172:8 | stl.cpp:167:19:167:26 | IR only |
-| stl.cpp:173:7:173:8 | stl.cpp:167:19:167:24 | AST only |
-| stl.cpp:186:7:186:8 | stl.cpp:178:19:178:24 | AST only |
-| stl.cpp:187:7:187:8 | stl.cpp:178:19:178:24 | AST only |
-| stl.cpp:209:8:209:9 | stl.cpp:204:18:204:23 | AST only |
-| stl.cpp:210:8:210:9 | stl.cpp:205:20:205:25 | AST only |
-| stl.cpp:211:8:211:9 | stl.cpp:207:8:207:13 | AST only |
-| stl.cpp:230:8:230:9 | stl.cpp:226:32:226:37 | AST only |
-| stl.cpp:231:8:231:9 | stl.cpp:228:20:228:25 | AST only |
-| stl.cpp:240:8:240:8 | stl.cpp:238:16:238:21 | AST only |
-| stl.cpp:248:8:248:8 | stl.cpp:238:16:238:21 | AST only |
-| stl.cpp:253:8:253:8 | stl.cpp:251:28:251:33 | AST only |
-| stl.cpp:295:8:295:8 | stl.cpp:288:43:288:49 | AST only |
-| stl.cpp:303:8:303:8 | stl.cpp:288:43:288:49 | AST only |
-| stl.cpp:308:8:308:8 | stl.cpp:288:43:288:49 | AST only |
+| stl.cpp:115:7:115:7 | stl.cpp:111:16:111:21 | AST only |
+| stl.cpp:117:9:117:13 | stl.cpp:111:16:111:21 | AST only |
+| stl.cpp:167:13:167:17 | stl.cpp:159:10:159:15 | AST only |
+| stl.cpp:171:13:171:17 | stl.cpp:159:10:159:15 | AST only |
+| stl.cpp:174:13:174:17 | stl.cpp:159:10:159:15 | AST only |
+| stl.cpp:184:7:184:8 | stl.cpp:179:19:179:26 | IR only |
+| stl.cpp:185:7:185:8 | stl.cpp:179:19:179:24 | AST only |
+| stl.cpp:198:7:198:8 | stl.cpp:190:19:190:24 | AST only |
+| stl.cpp:199:7:199:8 | stl.cpp:190:19:190:24 | AST only |
+| stl.cpp:221:8:221:9 | stl.cpp:216:18:216:23 | AST only |
+| stl.cpp:222:8:222:9 | stl.cpp:217:20:217:25 | AST only |
+| stl.cpp:223:8:223:9 | stl.cpp:219:8:219:13 | AST only |
+| stl.cpp:242:8:242:9 | stl.cpp:238:32:238:37 | AST only |
+| stl.cpp:243:8:243:9 | stl.cpp:240:20:240:25 | AST only |
+| stl.cpp:252:8:252:8 | stl.cpp:250:16:250:21 | AST only |
+| stl.cpp:260:8:260:8 | stl.cpp:250:16:250:21 | AST only |
+| stl.cpp:265:8:265:8 | stl.cpp:263:28:263:33 | AST only |
+| stl.cpp:307:8:307:8 | stl.cpp:300:43:300:49 | AST only |
+| stl.cpp:315:8:315:8 | stl.cpp:300:43:300:49 | AST only |
+| stl.cpp:320:8:320:8 | stl.cpp:300:43:300:49 | AST only |
+| stl.cpp:335:11:335:11 | stl.cpp:332:18:332:23 | AST only |
+| stl.cpp:336:11:336:11 | stl.cpp:332:18:332:23 | AST only |
+| stl.cpp:337:11:337:11 | stl.cpp:332:18:332:23 | AST only |
+| stl.cpp:340:11:340:11 | stl.cpp:340:13:340:18 | AST only |
+| stl.cpp:349:8:349:9 | stl.cpp:345:18:345:23 | AST only |
+| stl.cpp:353:8:353:9 | stl.cpp:345:18:345:23 | AST only |
+| stl.cpp:358:8:358:9 | stl.cpp:356:9:356:14 | AST only |
+| stl.cpp:362:8:362:9 | stl.cpp:345:18:345:23 | AST only |
+| stl.cpp:367:8:367:9 | stl.cpp:365:13:365:18 | AST only |
+| stl.cpp:375:8:375:10 | stl.cpp:372:12:372:26 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |
 | structlikeclass.cpp:36:8:36:9 | structlikeclass.cpp:30:24:30:29 | AST only |
 | structlikeclass.cpp:37:8:37:9 | structlikeclass.cpp:29:22:29:27 | AST only |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -1,10 +1,10 @@
 | format.cpp:157:7:157:22 | (int)... | format.cpp:147:12:147:25 | call to source |
 | format.cpp:157:7:157:22 | access to array | format.cpp:147:12:147:25 | call to source |
 | format.cpp:158:7:158:27 | ... + ... | format.cpp:148:16:148:30 | call to source |
-| stl.cpp:101:7:101:7 | (const char *)... | stl.cpp:97:12:97:17 | call to source |
-| stl.cpp:101:7:101:7 | a | stl.cpp:97:12:97:17 | call to source |
-| stl.cpp:172:7:172:8 | cs | stl.cpp:167:19:167:24 | call to source |
-| stl.cpp:172:7:172:8 | cs | stl.cpp:167:19:167:26 | (const char *)... |
+| stl.cpp:113:7:113:7 | (const char *)... | stl.cpp:109:12:109:17 | call to source |
+| stl.cpp:113:7:113:7 | a | stl.cpp:109:12:109:17 | call to source |
+| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:24 | call to source |
+| stl.cpp:184:7:184:8 | cs | stl.cpp:179:19:179:26 | (const char *)... |
 | structlikeclass.cpp:38:8:38:9 | s4 | structlikeclass.cpp:33:8:33:13 | call to source |
 | structlikeclass.cpp:61:8:61:9 | s2 | structlikeclass.cpp:58:24:58:29 | call to source |
 | structlikeclass.cpp:62:8:62:20 | ... = ... | structlikeclass.cpp:62:13:62:18 | call to source |
