C++: Add support for 'data' in the query.

MathiasVP · MathiasVP · commit 2b36ba33f0a2 · 2023-11-28T12:57:59.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@@ -114,9 +114,11 @@ private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
 /**
  * The `std::string` function `data`.
  */
-private class StdStringData extends StdStringTaintFunction {
+class StdStringData extends MemberFunction {
   StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
+}
 
+private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and
diff --git a/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql b/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
@@ -22,6 +22,8 @@ import semmle.code.cpp.models.implementations.StdContainer
  * a temporary object.
  */
 predicate isTemporary(Expr e) {
+  e instanceof TemporaryObjectExpr
+  or
   e.isPRValueCategory() and
   e.getUnspecifiedType() instanceof Class and
   not e.hasLValueToRValueConversion()
@@ -92,7 +94,7 @@ from Call c
 where
   outlivesFullExpr(c) and
   not c.isFromUninstantiatedTemplate(_) and
-  c.getTarget() instanceof StdStringCStr and
+  (c.getTarget() instanceof StdStringCStr or c.getTarget() instanceof StdStringData) and
   isTemporary(c.getQualifier().getFullyConverted())
 select c,
   "The underlying string object is destroyed after the call to '" + c.getTarget() + "' returns."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.expected
@@ -5,4 +5,8 @@
 | test.cpp:178:37:178:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
 | test.cpp:181:39:181:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
 | test.cpp:183:37:183:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
-| test.cpp:187:31:187:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:187:34:187:37 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:188:39:188:42 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:189:44:189:47 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:191:29:191:32 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:193:31:193:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp
@@ -184,6 +184,12 @@ const char* test1(bool b1, bool b2) {
 
   char c = std::string("hello").c_str()[0]; // GOOD
 
+  auto s6 = std::string("hello").data(); // BAD
+  auto s7 = b1 ? std::string("hello").data() : ""; // BAD
+  auto s8 = b2 ? "" : std::string("hello").data(); // BAD
+  char* s9;
+  s9 = std::string("hello").data(); // BAD
+
   return std::string("hello").c_str(); // BAD
 }
 
