C++: Taint through std::string operator+=.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/StdString.qll

@@ -40,10 +40,13 @@ class StdStringPlus extends TaintFunction {
 }
 
 /**
- * The `std::string` function `append`.
+ * The `std::string` functions `operator+=` and `append`.
  */
 class StdStringAppend extends TaintFunction {
-  StdStringAppend() { this.hasQualifiedName("std", "basic_string", "append") }
+  StdStringAppend() {
+    this.hasQualifiedName("std", "basic_string", "operator+=") or
+    this.hasQualifiedName("std", "basic_string", "append")
+  }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to string itself (qualifier) and return value

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -549,13 +549,19 @@
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:343:3:343:4 | s6 |  |
 | stl.cpp:342:8:342:9 | s3 | stl.cpp:344:8:344:9 | s6 |  |
 | stl.cpp:343:3:343:4 | ref arg s6 | stl.cpp:344:8:344:9 | s6 |  |
+| stl.cpp:343:9:343:10 | s4 | stl.cpp:343:3:343:4 | ref arg s6 | TAINT |
+| stl.cpp:343:9:343:10 | s4 | stl.cpp:343:6:343:6 | call to operator+= | TAINT |
 | stl.cpp:346:8:346:9 | s3 | stl.cpp:346:3:346:9 | ... = ... |  |
 | stl.cpp:346:8:346:9 | s3 | stl.cpp:347:3:347:4 | s7 |  |
 | stl.cpp:346:8:346:9 | s3 | stl.cpp:348:3:348:4 | s7 |  |
 | stl.cpp:346:8:346:9 | s3 | stl.cpp:349:8:349:9 | s7 |  |
 | stl.cpp:347:3:347:4 | ref arg s7 | stl.cpp:348:3:348:4 | s7 |  |
 | stl.cpp:347:3:347:4 | ref arg s7 | stl.cpp:349:8:349:9 | s7 |  |
+| stl.cpp:347:9:347:14 | call to source | stl.cpp:347:3:347:4 | ref arg s7 | TAINT |
+| stl.cpp:347:9:347:14 | call to source | stl.cpp:347:6:347:6 | call to operator+= | TAINT |
 | stl.cpp:348:3:348:4 | ref arg s7 | stl.cpp:349:8:349:9 | s7 |  |
+| stl.cpp:348:9:348:11 |   | stl.cpp:348:3:348:4 | ref arg s7 | TAINT |
+| stl.cpp:348:9:348:11 |   | stl.cpp:348:6:348:6 | call to operator+= | TAINT |
 | stl.cpp:351:8:351:9 | s3 | stl.cpp:351:3:351:9 | ... = ... |  |
 | stl.cpp:351:8:351:9 | s3 | stl.cpp:352:3:352:4 | s8 |  |
 | stl.cpp:351:8:351:9 | s3 | stl.cpp:353:8:353:9 | s8 |  |

cpp/ql/test/library-tests/dataflow/taint-tests/stl.cpp

@@ -341,12 +341,12 @@ void test_string_append() {
 
 		s6 = s3;
 		s6 += s4;
-		sink(s6); // tainted [NOT DETECTED]
+		sink(s6); // tainted
 
 		s7 = s3;
 		s7 += source();
 		s7 += " ";
-		sink(s7); // tainted [NOT DETECTED]
+		sink(s7); // tainted
 
 		s8 = s3;
 		s8.append(s4);

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -58,6 +58,8 @@
 | stl.cpp:328:11:328:11 | call to operator+ | stl.cpp:323:18:323:23 | call to source |
 | stl.cpp:331:11:331:11 | call to operator+ | stl.cpp:331:13:331:18 | call to source |
 | stl.cpp:340:8:340:9 | s5 | stl.cpp:336:18:336:23 | call to source |
+| stl.cpp:344:8:344:9 | s6 | stl.cpp:336:18:336:23 | call to source |
+| stl.cpp:349:8:349:9 | s7 | stl.cpp:347:9:347:14 | call to source |
 | stl.cpp:353:8:353:9 | s8 | stl.cpp:336:18:336:23 | call to source |
 | stl.cpp:358:8:358:9 | s9 | stl.cpp:356:13:356:18 | call to source |
 | structlikeclass.cpp:35:8:35:9 | s1 | structlikeclass.cpp:29:22:29:27 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -55,6 +55,8 @@
 | stl.cpp:328:11:328:11 | stl.cpp:323:18:323:23 | AST only |
 | stl.cpp:331:11:331:11 | stl.cpp:331:13:331:18 | AST only |
 | stl.cpp:340:8:340:9 | stl.cpp:336:18:336:23 | AST only |
+| stl.cpp:344:8:344:9 | stl.cpp:336:18:336:23 | AST only |
+| stl.cpp:349:8:349:9 | stl.cpp:347:9:347:14 | AST only |
 | stl.cpp:353:8:353:9 | stl.cpp:336:18:336:23 | AST only |
 | stl.cpp:358:8:358:9 | stl.cpp:356:13:356:18 | AST only |
 | structlikeclass.cpp:35:8:35:9 | structlikeclass.cpp:29:22:29:27 | AST only |