C++: Modify ParameterIndex to account for varargs.

geoffw0 · geoffw0 · commit f02ffcbbd282 · 2020-01-28T14:53:18.000Z
diff --git a/cpp/ql/src/semmle/code/cpp/Parameter.qll b/cpp/ql/src/semmle/code/cpp/Parameter.qll
@@ -163,5 +163,8 @@ class Parameter extends LocalScopeVariable, @parameter {
  * An `int` that is a parameter index for some function.  This is needed for binding in certain cases.
  */
 class ParameterIndex extends int {
-  ParameterIndex() { exists(Parameter p | this = p.getIndex()) }
+  ParameterIndex() {
+    exists(Parameter p | this = p.getIndex()) or
+    exists(Call c | exists(c.getArgument(this))) // permit indexing varargs
+  }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp
@@ -60,12 +60,12 @@ void test1()
 	{
 		char buffer[256] = {0};
 		sink(snprintf(buffer, 256, "%s %s %s", "a", "b", string::source()));
-		sink(buffer); // tainted [NOT DETECTED]
+		sink(buffer); // tainted
 	}
 	{
 		char buffer[256] = {0};
 		sink(snprintf(buffer, 256, "%.*s", 10, string::source()));
-		sink(buffer); // tainted [NOT DETECTED]
+		sink(buffer); // tainted
 	}
 
 	{
@@ -108,7 +108,7 @@ void test1()
 	{
 		char buffer[256] = {0};
 		sink(mysprintf(buffer, 256, "%s", string::source()));
-		sink(buffer); // tainted [NOT DETECTED]
+		sink(buffer); // tainted [NOT DETECTED - implement UserDefinedFormattingFunction.getOutputParameterIndex()]
 	}
 
 	{
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -31,12 +31,15 @@
 | format.cpp:62:17:62:22 | ref arg buffer | format.cpp:63:8:63:13 | buffer |  |
 | format.cpp:62:30:62:39 | %s %s %s | format.cpp:62:17:62:22 | ref arg buffer | TAINT |
 | format.cpp:62:42:62:44 | a | format.cpp:62:17:62:22 | ref arg buffer | TAINT |
+| format.cpp:62:47:62:49 | b | format.cpp:62:17:62:22 | ref arg buffer | TAINT |
+| format.cpp:62:52:62:65 | call to source | format.cpp:62:17:62:22 | ref arg buffer | TAINT |
 | format.cpp:66:21:66:24 | {...} | format.cpp:67:17:67:22 | buffer |  |
 | format.cpp:66:21:66:24 | {...} | format.cpp:68:8:68:13 | buffer |  |
 | format.cpp:66:23:66:23 | 0 | format.cpp:66:21:66:24 | {...} | TAINT |
 | format.cpp:67:17:67:22 | ref arg buffer | format.cpp:68:8:68:13 | buffer |  |
 | format.cpp:67:30:67:35 | %.*s | format.cpp:67:17:67:22 | ref arg buffer | TAINT |
 | format.cpp:67:38:67:39 | 10 | format.cpp:67:17:67:22 | ref arg buffer | TAINT |
+| format.cpp:67:42:67:55 | call to source | format.cpp:67:17:67:22 | ref arg buffer | TAINT |
 | format.cpp:72:21:72:24 | {...} | format.cpp:73:17:73:22 | buffer |  |
 | format.cpp:72:21:72:24 | {...} | format.cpp:74:8:74:13 | buffer |  |
 | format.cpp:72:23:72:23 | 0 | format.cpp:72:21:72:24 | {...} | TAINT |
@@ -55,6 +58,7 @@
 | format.cpp:83:17:83:22 | ref arg buffer | format.cpp:84:8:84:13 | buffer |  |
 | format.cpp:83:30:83:35 | %.*s | format.cpp:83:17:83:22 | ref arg buffer | TAINT |
 | format.cpp:83:38:83:43 | call to source | format.cpp:83:17:83:22 | ref arg buffer | TAINT |
+| format.cpp:83:48:83:55 | Hello. | format.cpp:83:17:83:22 | ref arg buffer | TAINT |
 | format.cpp:88:21:88:24 | {...} | format.cpp:89:17:89:22 | buffer |  |
 | format.cpp:88:21:88:24 | {...} | format.cpp:90:8:90:13 | buffer |  |
 | format.cpp:88:23:88:23 | 0 | format.cpp:88:21:88:24 | {...} | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -1,5 +1,7 @@
 | format.cpp:53:8:53:13 | buffer | format.cpp:52:36:52:49 | call to source |
 | format.cpp:58:8:58:13 | buffer | format.cpp:57:30:57:43 | call to source |
+| format.cpp:63:8:63:13 | buffer | format.cpp:62:52:62:65 | call to source |
+| format.cpp:68:8:68:13 | buffer | format.cpp:67:42:67:55 | call to source |
 | format.cpp:79:8:79:13 | buffer | format.cpp:78:36:78:41 | call to source |
 | format.cpp:84:8:84:13 | buffer | format.cpp:83:38:83:43 | call to source |
 | format.cpp:90:8:90:13 | buffer | format.cpp:89:36:89:49 | call to source |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -1,5 +1,7 @@
 | format.cpp:53:8:53:13 | format.cpp:52:36:52:49 | AST only |
 | format.cpp:58:8:58:13 | format.cpp:57:30:57:43 | AST only |
+| format.cpp:63:8:63:13 | format.cpp:62:52:62:65 | AST only |
+| format.cpp:68:8:68:13 | format.cpp:67:42:67:55 | AST only |
 | format.cpp:79:8:79:13 | format.cpp:78:36:78:41 | AST only |
 | format.cpp:84:8:84:13 | format.cpp:83:38:83:43 | AST only |
 | format.cpp:90:8:90:13 | format.cpp:89:36:89:49 | AST only |

Original file line number	Diff line number	Diff line change
`@@ -60,12 +60,12 @@ void test1()`
`60`	`60`	`{`
`61`	`61`	`char buffer[256] = {0};`
`62`	`62`	`sink(snprintf(buffer, 256, "%s %s %s", "a", "b", string::source()));`
`63`		`- sink(buffer); // tainted [NOT DETECTED]`
	`63`	`+ sink(buffer); // tainted`
`64`	`64`	`}`
`65`	`65`	`{`
`66`	`66`	`char buffer[256] = {0};`
`67`	`67`	`sink(snprintf(buffer, 256, "%.*s", 10, string::source()));`
`68`		`- sink(buffer); // tainted [NOT DETECTED]`
	`68`	`+ sink(buffer); // tainted`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`{`
`@@ -108,7 +108,7 @@ void test1()`
`108`	`108`	`{`
`109`	`109`	`char buffer[256] = {0};`
`110`	`110`	`sink(mysprintf(buffer, 256, "%s", string::source()));`
`111`		`- sink(buffer); // tainted [NOT DETECTED]`
	`111`	`+ sink(buffer); // tainted [NOT DETECTED - implement UserDefinedFormattingFunction.getOutputParameterIndex()]`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`{`