CPP: Allow flow to return value.

geoffw0 · geoffw0 · commit 1867d580347d · 2020-01-22T16:25:40.000Z
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -140,6 +140,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
     (
       exprOut = call and
       outModel.isReturnValueDeref()
+      or
+      exprOut = call and
+      outModel.isReturnValue()
     ) and
     f.hasTaintFlow(inModel, outModel) and
     (
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -421,7 +421,7 @@ void test_qualifiers()
 	sink(a.getMember());
 	a.setMember(source());
 	sink(a); // tainted
-	sink(a.getMember()); // tainted [NOT DETECTED]
+	sink(a.getMember()); // tainted
 
 	sink(b);
 	sink(b.getMember());
@@ -436,7 +436,7 @@ void test_qualifiers()
 	sink(c->getMember());
 	c->setMember(source());
 	sink(c); // tainted (deref)
-	sink(c->getMember()); // tainted [NOT DETECTED]
+	sink(c->getMember()); // tainted
 
 	delete c;
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -40,7 +40,9 @@
 | taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
 | taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
 | taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
+| taint.cpp:424:9:424:17 | call to getMember | taint.cpp:422:14:422:19 | call to source |
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:438:7:438:7 | c | taint.cpp:437:15:437:20 | call to source |
+| taint.cpp:439:10:439:18 | call to getMember | taint.cpp:437:15:437:20 | call to source |
 | taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
 | taint.cpp:447:9:447:17 | call to getString | taint.cpp:445:14:445:28 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -27,8 +27,10 @@
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
 | taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
+| taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |
 | taint.cpp:429:7:429:7 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:430:9:430:14 | taint.cpp:428:13:428:18 | AST only |
 | taint.cpp:438:7:438:7 | taint.cpp:437:15:437:20 | AST only |
+| taint.cpp:439:10:439:18 | taint.cpp:437:15:437:20 | AST only |
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
 | taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {`
`140`	`140`	`(`
`141`	`141`	`exprOut = call and`
`142`	`142`	`outModel.isReturnValueDeref()`
	`143`	`+ or`
	`144`	`+ exprOut = call and`
	`145`	`+ outModel.isReturnValue()`
`143`	`146`	`) and`
`144`	`147`	`f.hasTaintFlow(inModel, outModel) and`
`145`	`148`	`(`