C++: Avoid using the function to model the flow source'ness of scanf and fscanf.

MathiasVP · MathiasVP · commit dba5c85f16fc · 2026-05-15T11:06:57.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
@@ -10,6 +10,7 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.FlowSource
+private import semmle.code.cpp.security.FlowSources
 
 /**
  * The `scanf` family of functions.
@@ -72,21 +73,31 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
 /**
  * The standard function `scanf` and its assorted variants
  */
-private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
-  }
+private class ScanfModel extends ScanfFunctionModel instanceof Scanf { }
+
+abstract private class AbstractScanfFlowSource extends DataFlow::Node {
+  ScanfFunctionCall scanf;
+
+  AbstractScanfFlowSource() { this.asDefiningArgument(1) = scanf.getAnOutputArgument() }
+
+  string getSourceType() { result = "value read by " + scanf.getScanfFunction().getName() }
+}
+
+private class ScanfFlowSource extends AbstractScanfFlowSource, LocalFlowSource {
+  ScanfFlowSource() { not scanf.getScanfFunction() instanceof Fscanf }
+
+  final override string getSourceType() { result = AbstractScanfFlowSource.super.getSourceType() }
 }
 
 /**
  * The standard function `fscanf` and its assorted variants
  */
-private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
-  }
+private class FscanfModel extends ScanfFunctionModel instanceof Fscanf { }
+
+private class FScanfFlowSource extends AbstractScanfFlowSource, RemoteFlowSource {
+  FScanfFlowSource() { scanf.getScanfFunction() instanceof Fscanf }
+
+  final override string getSourceType() { result = AbstractScanfFlowSource.super.getSourceType() }
 }
 
 /**
