C++: Fix 'strtok' model.

MathiasVP · MathiasVP · commit 032572b924fb · 2023-10-25T09:39:36.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
@@ -32,6 +32,8 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and output.isReturnValue()
+    or
+    input.isParameterDeref(0) and output.isReturnValueDeref()
   }
 
   override predicate hasOnlySpecificReadSideEffects() { none() }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -718,6 +718,6 @@ void test_strtok_indirect() {
 	char *source = indirect_source();
 	const char* delim = ",.-;:_";
 	char* tokenized = strtok(source, delim);
-	sink(*tokenized); // $ MISSING: ast,ir
+	sink(*tokenized); // $ ir MISSING: ast
 	sink(*delim);
 }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf`
`32`	`32`
`33`	`33`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`34`	`34`	`input.isParameter(0) and output.isReturnValue()`
	`35`	`+ or`
	`36`	`+ input.isParameterDeref(0) and output.isReturnValueDeref()`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`override predicate hasOnlySpecificReadSideEffects() { none() }`
Original file line number	Diff line number	Diff line change
`@@ -718,6 +718,6 @@ void test_strtok_indirect() {`
`718`	`718`	`char *source = indirect_source();`
`719`	`719`	`const char* delim = ",.-;:_";`
`720`	`720`	`char* tokenized = strtok(source, delim);`
`721`		`- sink(*tokenized); // $ MISSING: ast,ir`
	`721`	`+ sink(*tokenized); // $ ir MISSING: ast`
`722`	`722`	`sink(*delim);`
`723`	`723`	`}`