CPP: Support taint flow from qualifiers.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll

@@ -152,7 +152,9 @@ private predicate exprToExprStep(Expr exprIn, Expr exprOut) {
         or
         inModel.isParameter(argInIndex) and
         exprIn = call.getArgument(argInIndex)
-      )
+      ) or
+      inModel.isQualifierObject() and
+      exprIn = call.getQualifier()
     )
   )
 }
@@ -185,7 +187,9 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
         or
         inModel.isParameter(argInIndex) and
         exprIn = call.getArgument(argInIndex)
-      )
+      ) or
+      inModel.isQualifierObject() and
+      exprIn = call.getQualifier()
     )
   )
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -444,5 +444,5 @@ void test_qualifiers()
 	sink(d.getString());
 	d.setString(strings::source());
 	sink(d); // tainted
-	sink(d.getString()); // tainted [NOT DETECTED]
+	sink(d.getString()); // tainted
 }

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -43,3 +43,4 @@
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
 | taint.cpp:438:7:438:7 | c | taint.cpp:437:15:437:20 | call to source |
 | taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
+| taint.cpp:447:9:447:17 | call to getString | taint.cpp:445:14:445:28 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -31,3 +31,4 @@
 | taint.cpp:430:9:430:14 | taint.cpp:428:13:428:18 | AST only |
 | taint.cpp:438:7:438:7 | taint.cpp:437:15:437:20 | AST only |
 | taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
+| taint.cpp:447:9:447:17 | taint.cpp:445:14:445:28 | AST only |