C++: Add conflation into DefaultTaintTracking.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll

@@ -19,6 +19,7 @@ private import semmle.code.cpp.ir.dataflow.TaintTracking
 private import semmle.code.cpp.ir.dataflow.TaintTracking2
 private import semmle.code.cpp.ir.dataflow.TaintTracking3
 private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
 
 /**
  * A predictable instruction is one where an external user can predict
@@ -75,6 +76,20 @@ private DataFlow::Node getNodeForExpr(Expr node) {
   not argv(node.(VariableAccess).getTarget())
 }
 
+private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+  // Flow from `op` to `*op`.
+  exists(Operand operand, int indirectionIndex |
+    nodeHasOperand(nodeFrom, operand, indirectionIndex) and
+    nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
+  )
+  or
+  // Flow from `instr` to `*instr`.
+  exists(Instruction instr, int indirectionIndex |
+    nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
+    nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
+  )
+}
+
 private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
   DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
 
@@ -85,6 +100,10 @@ private class DefaultTaintTrackingCfg extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { nodeIsBarrier(node) }
 
   override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    conflatePointerAndPointee(nodeFrom, nodeTo)
+  }
 }
 
 private class ToGlobalVarTaintTrackingCfg extends TaintTracking::Configuration {
@@ -417,6 +436,8 @@ module TaintedWithPath {
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+      conflatePointerAndPointee(n1, n2)
+      or
       // Steps into and out of global variables
       exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
         writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected

@@ -1,17 +1,2 @@
 WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
 WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
-| defaulttainttracking.cpp:4:33:4:52 | // $ ir MISSING: ast | Missing result:ir= |
-| defaulttainttracking.cpp:5:32:5:42 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:10:37:10:47 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:12:14:12:24 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:174:16:174:26 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:178:14:178:24 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:179:14:179:34 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
-| defaulttainttracking.cpp:198:14:198:34 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
-| stl.cpp:74:11:74:30 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:91:13:91:32 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:92:13:92:32 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:93:13:93:32 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:94:13:94:32 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:144:12:144:31 | // $ ir MISSING: ast | Missing result:ir= |
-| stl.cpp:158:12:158:31 | // $ ir MISSING: ast | Missing result:ir= |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected

@@ -28,7 +28,7 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
-| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
+| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion | IR only |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
@@ -37,8 +37,6 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
-| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | AST only |
-| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | AST only |
 | test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
 | test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
 | test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
@@ -51,5 +49,3 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
-| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | AST only |
-| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | AST only |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected

@@ -22,6 +22,8 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
+| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion |
+| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
@@ -31,6 +33,8 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
+| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
+| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
 | test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
 | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
 | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
@@ -40,3 +44,5 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
+| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
+| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |