C++: add model-based RemoteFlowSource

Author: Robert Marsh

cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -0,0 +1,18 @@
+/**
+ * Provides a class for modeling functions that return data from potentially untrusted sources. To use
+ * this QL library, create a QL class extending `DataFlowFunction` with a
+ * characteristic predicate that selects the function or set of functions you
+ * are modeling. Within that class, override the predicates provided by
+ * `RemoteFlowFunction` to match the flow within that function.
+ */
+
+import cpp
+import FunctionInputsAndOutputs
+import semmle.code.cpp.models.Models
+
+/**
+ * A library function which returns data read from a network connection.
+ */
+abstract class RemoteFlowFunction extends Function {
+  abstract predicate hasFlowSource(FunctionOutput output);
+}

cpp/ql/src/semmle/code/cpp/security/FlowSources.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides classes representing various flow sources for taint tracking.
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.IR
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/** A data flow source of remote user input. */
+abstract class RemoteFlowSource extends DataFlow::Node {
+}
+
+class FileDescriptorTaintedReturnSource extends RemoteFlowSource {
+  FileDescriptorTaintedReturnSource() {
+    exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output |
+      asInstruction() = instr and
+      instr.getStaticCallTarget() = func and
+      func.hasFlowSource(output) and
+      output.isReturnValue()
+    )
+  }
+}
+
+class FileTaintedParameterSource extends RemoteFlowSource {
+  FileTaintedParameterSource() {
+    exists(RemoteFlowFunction func, ReadSideEffectInstruction instr, FunctionOutput output |
+      asInstruction() = instr and
+      instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
+      func.hasFlowSource(output) and
+      output.isParameterDeref(instr.getIndex())
+    )
+  }
+}
+