C++: Get rid of all the 'StdContainer' taint models.

MathiasVP · MathiasVP · commit c158f8054ea8 · 2024-06-19T13:36:19.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -2,7 +2,7 @@
  * Provides models for C++ containers `std::array`, `std::vector`, `std::deque`, `std::list` and `std::forward_list`.
  */
 
-import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.models.interfaces.Iterator
 
 /**
@@ -63,7 +63,7 @@ private class Vector extends StdSequenceContainer {
  * std::vector<std::string> v(100, potentially_tainted_string);
  * ```
  */
-private class StdSequenceContainerConstructor extends Constructor, TaintFunction {
+private class StdSequenceContainerConstructor extends Constructor {
   StdSequenceContainerConstructor() {
     this.getDeclaringType() instanceof Vector or
     this.getDeclaringType() instanceof Deque or
@@ -84,42 +84,6 @@ private class StdSequenceContainerConstructor extends Constructor, TaintFunction
    * Gets the index of a parameter to this function that is an iterator.
    */
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // taint flow from any parameter of the value type to the returned object
-    (
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    (
-      output.isReturnValue() // TODO: this is only needed for AST data flow, which treats constructors as returning the new object
-      or
-      output.isQualifierObject()
-    )
-  }
-}
-
-/**
- * The standard container function `data`.
- */
-private class StdSequenceContainerData extends TaintFunction {
-  StdSequenceContainerData() {
-    this.getClassAndName("data") instanceof Array or
-    this.getClassAndName("data") instanceof Vector
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from container itself (qualifier) to return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier (for writes to
-    // `data`)
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
 }
 
 /**
@@ -143,35 +107,6 @@ class StdSequenceContainerPush extends MemberFunction {
   }
 }
 
-private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to qualifier
-    input.isParameterDeref(0) and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
-/**
- * The standard container functions `front` and `back`.
- */
-private class StdSequenceContainerFrontBack extends TaintFunction {
-  StdSequenceContainerFrontBack() {
-    this.getClassAndName(["front", "back"]) instanceof Array or
-    this.getClassAndName(["front", "back"]) instanceof Deque or
-    this.getClassAndName("front") instanceof ForwardList or
-    this.getClassAndName(["front", "back"]) instanceof List or
-    this.getClassAndName(["front", "back"]) instanceof Vector
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from object to returned reference
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-  }
-}
-
 /**
  * The standard container functions `insert` and `insert_after`.
  */
@@ -198,58 +133,6 @@ class StdSequenceContainerInsert extends MemberFunction {
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
 }
 
-private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to container itself (qualifier) and return value
-    (
-      input.isQualifierObject() or
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    (
-      output.isQualifierObject() or
-      output.isReturnValue()
-    )
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
-/**
- * The standard container function `assign`.
- */
-private class StdSequenceContainerAssign extends TaintFunction {
-  StdSequenceContainerAssign() {
-    this.getClassAndName("assign") instanceof Deque or
-    this.getClassAndName("assign") instanceof ForwardList or
-    this.getClassAndName("assign") instanceof List or
-    this.getClassAndName("assign") instanceof Vector
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is a reference to the
-   * value type of the container.
-   */
-  int getAValueTypeParameterIndex() {
-    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
-      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
-  }
-
-  /**
-   * Gets the index of a parameter to this function that is an iterator.
-   */
-  int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from parameter to container itself (qualifier)
-    (
-      input.isParameterDeref(this.getAValueTypeParameterIndex()) or
-      input.isParameter(this.getAnIteratorParameterIndex())
-    ) and
-    output.isQualifierObject()
-  }
-}
-
 /**
  * The standard container functions `at` and `operator[]`.
  */
@@ -261,20 +144,6 @@ class StdSequenceContainerAt extends MemberFunction {
   }
 }
 
-private class StdSequenceContainerAtModel extends StdSequenceContainerAt, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from qualifier to referenced return value
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-    or
-    // reverse flow from returned reference to the qualifier
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard `emplace` function.
  */
@@ -297,20 +166,6 @@ class StdSequenceEmplace extends MemberFunction {
   }
 }
 
-private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any parameter except the position iterator to qualifier and return value
-    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameterDeref([1 .. this.getNumberOfParameters() - 1]) and
-    (
-      output.isQualifierObject() or
-      output.isReturnValue()
-    )
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard vector `emplace` function.
  */
@@ -340,17 +195,6 @@ class StdSequenceEmplaceBack extends MemberFunction {
   }
 }
 
-private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    // flow from any parameter to qualifier
-    // (here we assume taint flow from any constructor parameter to the constructed object)
-    input.isParameterDeref([0 .. this.getNumberOfParameters() - 1]) and
-    output.isQualifierObject()
-  }
-
-  override predicate isPartialWrite(FunctionOutput output) { output.isQualifierObject() }
-}
-
 /**
  * The standard vector `emplace_back` function.
  */
