Merge pull request #12079 from rdmarsh2/rdmarsh2/use-use-taint-test-reads

MathiasVP · web-flow · commit 946e301ed626 · 2023-02-08T15:08:00.000Z
C++: allow read steps at the sink in IR taint test
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/arrayassignment.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/arrayassignment.cpp
@@ -53,7 +53,7 @@ void test_myint_member_assignment()
 
 	mi.i = source();
 
-	sink(mi); // $ MISSING: ast,ir
+	sink(mi); // $ ir MISSING: ast
 	sink(mi.get()); // $ ast,ir
 }
 
@@ -63,7 +63,7 @@ void test_myint_method_assignment()
 
 	mi.get() = source();
 
-	sink(mi); // $ MISSING: ast,ir
+	sink(mi); // $ ir MISSING: ast
 	sink(mi.get()); // $ ast,ir
 }
 
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/map.cpp
@@ -28,12 +28,12 @@ void test_pair()
 	b.first = source();
 	sink(b.first); // $ ast,ir
 	sink(b.second);
-	sink(b); // $ MISSING: ast,ir
+	sink(b); // $ ir MISSING: ast
 
 	c.second = source();
 	sink(c.first);
 	sink(c.second); // $ ast,ir
-	sink(c); // $ MISSING: ast,ir
+	sink(c); // $ ir MISSING: ast
 
 	std::pair<char *, char *> d("123", "456");
 	sink(d.first);
@@ -43,7 +43,7 @@ void test_pair()
 	std::pair<char *, char *> e(source(), "456");
 	sink(e.first); // $ ast,ir
 	sink(e.second);
-	sink(e); // $ MISSING: ast,ir
+	sink(e); // $ ir MISSING: ast
 
 	std::pair<char *, char *> f("123", source());
 	sink(f.first);
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -448,9 +448,9 @@ void test_qualifiers()
 	sink(b);
 	sink(b.getMember());
 	b.member = source();
-	sink(b); // $ MISSING: ast,ir
+	sink(b); // $ ir MISSING: ast
 	sink(b.member); // $ ast,ir
-	sink(b.getMember()); // $ MISSING: ast,ir
+	sink(b.getMember()); // $ ir MISSING: ast
 
 	c = new MyClass2(0);
 
@@ -690,7 +690,7 @@ void test_argument_source_field_to_obj() {
 	two_members s;
 	argument_source(s.x);
 
-	sink(s); // $ SPURIOUS: ast
+	sink(s); // $ SPURIOUS: ast,ir
 	sink(s.x); // $ ast,ir
 	sink(s.y); // clean
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
@@ -102,5 +102,11 @@ module IRTest {
     override predicate isSanitizer(DataFlow::Node barrier) {
       barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")
     }
+
+    override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+      // allow arbitrary reads at sinks
+      isSink(node) and
+      c.(DataFlow::FieldContent).getField().getDeclaringType() = node.getType().getUnspecifiedType()
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ void test_myint_member_assignment()`
`53`	`53`
`54`	`54`	`mi.i = source();`
`55`	`55`
`56`		`- sink(mi); // $ MISSING: ast,ir`
	`56`	`+ sink(mi); // $ ir MISSING: ast`
`57`	`57`	`sink(mi.get()); // $ ast,ir`
`58`	`58`	`}`
`59`	`59`
`@@ -63,7 +63,7 @@ void test_myint_method_assignment()`
`63`	`63`
`64`	`64`	`mi.get() = source();`
`65`	`65`
`66`		`- sink(mi); // $ MISSING: ast,ir`
	`66`	`+ sink(mi); // $ ir MISSING: ast`
`67`	`67`	`sink(mi.get()); // $ ast,ir`
`68`	`68`	`}`
`69`	`69`
Original file line number	Diff line number	Diff line change
`@@ -102,5 +102,11 @@ module IRTest {`
`102`	`102`	`override predicate isSanitizer(DataFlow::Node barrier) {`
`103`	`103`	`barrier.asExpr().(VariableAccess).getTarget().hasName("sanitizer")`
`104`	`104`	`}`
	`105`	`+`
	`106`	`+ override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
	`107`	`+ // allow arbitrary reads at sinks`
	`108`	`+ isSink(node) and`
	`109`	`+ c.(DataFlow::FieldContent).getField().getDeclaringType() = node.getType().getUnspecifiedType()`
	`110`	`+ }`
`105`	`111`	`}`
`106`	`112`	`}`