C++: Add += and friends to adjustedSink

MathiasVP · MathiasVP · commit bcd84efe8ded · 2020-02-10T15:50:52.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -338,6 +338,9 @@ private Element adjustedSink(DataFlow::Node sink) {
   or
   // Taint `e--` and `e++` when `e` is tainted.
   result.(PostfixCrementOperation).getAnOperand() = sink.asExpr()
+  or
+  // Taint `e1 += e2` when `e1` or `e2` is tainted.
+  result.(AssignArithmeticOperation).getAnOperand() = sink.asExpr()
 }
 
 predicate tainted(Expr source, Element tainted) {

Original file line number	Diff line number	Diff line change
`@@ -338,6 +338,9 @@ private Element adjustedSink(DataFlow::Node sink) {`
`338`	`338`	`or`
`339`	`339`	// Taint `e--` and `e++` when `e` is tainted.
`340`	`340`	`result.(PostfixCrementOperation).getAnOperand() = sink.asExpr()`
	`341`	`+ or`
	`342`	+ // Taint `e1 += e2` when `e1` or `e2` is tainted.
	`343`	`+ result.(AssignArithmeticOperation).getAnOperand() = sink.asExpr()`
`341`	`344`	`}`
`342`	`345`
`343`	`346`	`predicate tainted(Expr source, Element tainted) {`