CPP: 'sometimes copying' is considered data flow.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/models/implementations/Strcpy.qll

@@ -47,20 +47,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    (
-      // These always copy the full value of the input buffer to the output
-      // buffer
-      this.hasName("strcpy") or
-      this.hasName("_mbscpy") or
-      this.hasName("wcscpy")
-    ) and
-    (
-      input.isParameterDeref(1) and
-      output.isParameterDeref(0)
-      or
-      input.isParameterDeref(1) and
-      output.isReturnValueDeref()
-    )
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0)
+    or
+    input.isParameterDeref(1) and
+    output.isReturnValueDeref()
     or
     input.isParameter(0) and
     output.isReturnValue()
@@ -77,10 +68,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction {
       this.hasName("wcsncpy") or
       this.hasName("_wcsncpy_l")
     ) and
-    (
-      input.isParameter(2) or
-      input.isParameterDeref(1)
-    ) and
+    input.isParameter(2) and
     (
       output.isParameterDeref(0) or
       output.isReturnValueDeref()

cpp/ql/src/semmle/code/cpp/models/implementations/Strdup.qll

@@ -34,8 +34,6 @@ class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    // These always copy the full value of the input buffer to the result
-    // buffer
     input.isParameterDeref(0) and
     output.isReturnValueDeref()
   }
@@ -44,7 +42,7 @@ class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction
 /**
  * A `strndup` style allocation function.
  */
-class StrndupFunction extends AllocationFunction, ArrayFunction, TaintFunction {
+class StrndupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
   StrndupFunction() {
     exists(string name |
       hasGlobalName(name) and
@@ -57,9 +55,7 @@ class StrndupFunction extends AllocationFunction, ArrayFunction, TaintFunction {
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // This function may do only a partial copy of the input buffer to the output
-    // buffer, so it's a taint flow.
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     (
       input.isParameterDeref(0) or
       input.isParameter(1)

cpp/ql/src/semmle/code/cpp/models/interfaces/DataFlow.qll

@@ -12,8 +12,8 @@ import FunctionInputsAndOutputs
 import semmle.code.cpp.models.Models
 
 /**
- * A library function for which a value is copied from a parameter or qualifier
- * to an output buffer, return value, or qualifier.
+ * A library function for which a value is or may be copied from a parameter
+ * or qualifier to an output buffer, return value, or qualifier.
  *
  * Note that this does not include partial copying of values or partial writes
  * to destinations; that is covered by `TaintModel.qll`.

cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll

@@ -16,7 +16,9 @@ import semmle.code.cpp.models.Models
  * from a parameter or qualifier to an output buffer, return value, or qualifier.
  *
  * Note that this does not include direct copying of values; that is covered by
- * DataFlowModel.qll
+ * DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
+ * altered (for example copying a string with `strncpy`), this is also considered
+ * data flow.
  */
 abstract class TaintFunction extends Function {
   abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -338,12 +338,10 @@
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c |  |
 | taint.cpp:371:14:371:19 | source | taint.cpp:371:6:371:12 | call to strndup | TAINT |
-| taint.cpp:371:22:371:24 | 100 | taint.cpp:371:6:371:12 | call to strndup | TAINT |
 | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source |  |
 | taint.cpp:381:6:381:12 | call to strndup | taint.cpp:381:2:381:36 | ... = ... |  |
 | taint.cpp:381:6:381:12 | call to strndup | taint.cpp:382:7:382:7 | a |  |
 | taint.cpp:381:14:381:27 | hello, world | taint.cpp:381:6:381:12 | call to strndup | TAINT |
-| taint.cpp:381:30:381:35 | source | taint.cpp:381:6:381:12 | call to strndup | TAINT |
 | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -39,7 +39,6 @@
 | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
 | taint.cpp:374:7:374:7 | c | taint.cpp:365:24:365:29 | source |
-| taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
 | taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
 | taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
 | taint.cpp:424:9:424:17 | call to getMember | taint.cpp:422:14:422:19 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -26,7 +26,6 @@
 | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:374:7:374:7 | taint.cpp:365:24:365:29 | AST only |
-| taint.cpp:382:7:382:7 | taint.cpp:377:23:377:28 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
 | taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
 | taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |