CPP: Support taint flow to qualifiers.

geoffw0 · geoffw0 · commit e6daf3b7eebe · 2020-01-22T16:16:31.000Z
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -68,9 +68,11 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
   )
   or
   // Taint can flow through modeled functions
+  exprToExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
+  or
   exprToDefinitionByReferenceStep(nodeFrom.asExpr(), nodeTo.asDefiningArgument())
   or
-  exprToExprStep(nodeFrom.asExpr(), nodeTo.asExpr())
+  exprToPartialDefinitionStep(nodeFrom.asExpr(), nodeTo.asPartialDefinition())
 }
 
 /**
@@ -187,3 +189,24 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
     )
   )
 }
+
+private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
+  exists(TaintFunction f, Call call, FunctionInput inModel, FunctionOutput outModel |
+    call.getTarget() = f and
+    (
+      exprOut = call.getQualifier() and
+      outModel.isQualifierObject()
+    ) and
+    f.hasTaintFlow(inModel, outModel) and
+    exists(int argInIndex |
+      inModel.isParameterDeref(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+      or
+      inModel.isParameterDeref(argInIndex) and
+      call.passesByReference(argInIndex, exprIn)
+      or
+      inModel.isParameter(argInIndex) and
+      exprIn = call.getArgument(argInIndex)
+    )
+  )
+}
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -420,7 +420,7 @@ void test_qualifiers()
 	sink(a);
 	sink(a.getMember());
 	a.setMember(source());
-	sink(a); // tainted [NOT DETECTED]
+	sink(a); // tainted
 	sink(a.getMember()); // tainted [NOT DETECTED]
 
 	sink(b);
@@ -435,14 +435,14 @@ void test_qualifiers()
 	sink(c);
 	sink(c->getMember());
 	c->setMember(source());
-	sink(c); // tainted (deref) [NOT DETECTED]
+	sink(c); // tainted (deref)
 	sink(c->getMember()); // tainted [NOT DETECTED]
 
 	delete c;
 
 	sink(d);
 	sink(d.getString());
 	d.setString(strings::source());
-	sink(d); // tainted [NOT DETECTED]
+	sink(d); // tainted
 	sink(d.getString()); // tainted [NOT DETECTED]
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -39,4 +39,7 @@
 | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
 | taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
+| taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
 | taint.cpp:430:9:430:14 | member | taint.cpp:428:13:428:18 | call to source |
+| taint.cpp:438:7:438:7 | c | taint.cpp:437:15:437:20 | call to source |
+| taint.cpp:446:7:446:7 | d | taint.cpp:445:14:445:28 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -26,5 +26,8 @@
 | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
+| taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
 | taint.cpp:429:7:429:7 | taint.cpp:428:13:428:18 | IR only |
 | taint.cpp:430:9:430:14 | taint.cpp:428:13:428:18 | AST only |
+| taint.cpp:438:7:438:7 | taint.cpp:437:15:437:20 | AST only |
+| taint.cpp:446:7:446:7 | taint.cpp:445:14:445:28 | AST only |
