C++: Test lack of flow through read side effect

jbj · jbj · commit 2aaf41a0d8e4 · 2020-01-22T13:27:10.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Inet.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Inet.qll
@@ -30,7 +30,7 @@ class InetAton extends TaintFunction, ArrayFunction {
   }
 }
 
-class InetAddr extends TaintFunction, ArrayFunction {
+class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {
   InetAddr() { hasGlobalName("inet_addr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -41,6 +41,12 @@ class InetAddr extends TaintFunction, ArrayFunction {
   override predicate hasArrayInput(int bufParam) { bufParam = 0 }
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
+
+  override predicate parameterNeverEscapes(int index) { index = 0 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
 }
 
 class InetNetwork extends TaintFunction, ArrayFunction {
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
@@ -26,3 +26,16 @@ int main(int argc, char *argv[]) {
 
   return 0;
 }
+
+typedef unsigned int inet_addr_retval;
+inet_addr_retval inet_addr(const char *dotted_address);
+void sink(inet_addr_retval);
+
+void test_indirect_arg_to_model() {
+    // This test is non-sensical but carefully arranged so we get data flow into
+    // inet_addr not through the function argument but through its associated
+    // read side effect.
+    void *env_pointer = getenv("VAR"); // env_pointer is tainted, not its data.
+    inet_addr_retval a = inet_addr((const char *)&env_pointer);
+    sink(a);
+}
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
@@ -25,3 +25,7 @@
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:8:22:33 | (const char *)... |
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:20:22:25 | call to getenv |
 | defaulttainttracking.cpp:22:20:22:25 | call to getenv | defaulttainttracking.cpp:22:20:22:32 | (const char *)... |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:38:11:38:21 | env_pointer |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:38:25:38:30 | call to getenv |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:38:25:38:37 | (void *)... |
+| defaulttainttracking.cpp:38:25:38:30 | call to getenv | defaulttainttracking.cpp:39:50:39:61 | & ... |

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ class InetAton extends TaintFunction, ArrayFunction {`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`
`33`		`-class InetAddr extends TaintFunction, ArrayFunction {`
	`33`	`+class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {`
`34`	`34`	`InetAddr() { hasGlobalName("inet_addr") }`
`35`	`35`
`36`	`36`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`@@ -41,6 +41,12 @@ class InetAddr extends TaintFunction, ArrayFunction {`
`41`	`41`	`override predicate hasArrayInput(int bufParam) { bufParam = 0 }`
`42`	`42`
`43`	`43`	`override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }`
	`44`	`+`
	`45`	`+ override predicate parameterNeverEscapes(int index) { index = 0 }`
	`46`	`+`
	`47`	`+ override predicate parameterEscapesOnlyViaReturn(int index) { none() }`
	`48`	`+`
	`49`	`+ override predicate parameterIsAlwaysReturned(int index) { none() }`
`44`	`50`	`}`
`45`	`51`
`46`	`52`	`class InetNetwork extends TaintFunction, ArrayFunction {`