From 0607100310aab0a45cff7e7fec9bc99e97df3280 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 6 Nov 2025 16:54:54 +0000
Subject: [PATCH 1/6] C++: Add tests with missing flow.
---
 .../dataflow/taint-tests/localTaint.expected | 20 ++
 .../dataflow/taint-tests/taint.cpp | 23 ++
 .../dataflow/taint-tests/taint.expected | 1 +
 .../taint-tests/test_mad-signatures.expected | 202 ++++++++++++++++++
 4 files changed, 246 insertions(+)
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index e8f0a8e34b25..0f4d67f2695f 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -7988,6 +7988,26 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future | taint.cpp:841:21:841:35 | call to indirect_source | taint.cpp:843:16:843:17 | fp | | | taint.cpp:842:11:842:12 | ref arg fp | taint.cpp:843:16:843:17 | fp | | | taint.cpp:842:15:842:16 | | taint.cpp:842:11:842:12 | ref arg fp | TAINT | +| taint.cpp:851:10:851:15 | call to source | taint.cpp:852:18:852:18 | s | | +| taint.cpp:851:10:851:15 | call to source | taint.cpp:854:18:854:18 | s | | +| taint.cpp:852:10:852:16 | call to toupper | taint.cpp:853:7:853:7 | u | | +| taint.cpp:854:10:854:16 | call to tolower | taint.cpp:855:7:855:7 | l | | +| taint.cpp:861:24:861:27 | size | taint.cpp:866:16:866:19 | size | | +| taint.cpp:862:12:862:26 | call to indirect_source | taint.cpp:866:12:866:12 | s | | +| taint.cpp:863:7:863:9 | out | taint.cpp:864:12:864:14 | out | | +| taint.cpp:864:12:864:14 | out | taint.cpp:866:23:866:23 | p | | +| taint.cpp:864:12:864:14 | out | taint.cpp:867:8:867:8 | p | | +| taint.cpp:865:9:865:16 | size_out | taint.cpp:866:27:866:34 | size_out | | +| taint.cpp:866:11:866:12 | ref arg & ... | taint.cpp:866:12:866:12 | s [inner post update] | | +| taint.cpp:866:12:866:12 | s | taint.cpp:866:11:866:12 | & ... | | +| taint.cpp:866:15:866:19 | ref arg & ... | taint.cpp:866:16:866:19 | size [inner post update] | | +| taint.cpp:866:16:866:19 | size | taint.cpp:866:15:866:19 | & ... | | +| taint.cpp:866:22:866:23 | ref arg & ... | taint.cpp:866:23:866:23 | p [inner post update] | | +| taint.cpp:866:22:866:23 | ref arg & ... | taint.cpp:867:8:867:8 | p | | +| taint.cpp:866:23:866:23 | p | taint.cpp:866:22:866:23 | & ... | | +| taint.cpp:866:26:866:34 | ref arg & ... | taint.cpp:866:27:866:34 | size_out [inner post update] | | +| taint.cpp:866:27:866:34 | size_out | taint.cpp:866:26:866:34 | & ... | | +| taint.cpp:867:8:867:8 | p | taint.cpp:867:7:867:8 | * ... 
| TAINT |
 | thread.cpp:10:27:10:27 | s | thread.cpp:10:27:10:27 | s | |
 | thread.cpp:10:27:10:27 | s | thread.cpp:11:8:11:8 | s | |
 | thread.cpp:14:26:14:26 | s | thread.cpp:15:8:15:8 | s | |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index 0c09665de1cd..bc064a1bda63 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -842,4 +842,27 @@ int f7(void)
 fprintf(fp, "");
 indirect_sink(fp); // $ ir MISSING: ast
 return 0;
+}
+
+int toupper(int);
+int tolower(int);
+
+void test_toupper_and_tolower() {
+ int s = source();
+ int u = toupper(s);
+ sink(u); // $ MISSING: ast,ir
+ int l = tolower(s);
+ sink(l); // $ MISSING: ast,ir
+}
+
+typedef int iconv_t;
+size_t iconv(iconv_t cd, char **, size_t *, char **, size_t *);
+
+void test_iconv(size_t size) {
+ char* s = indirect_source();
+ char out[10];
+ char* p = out;
+ size_t size_out;
+ iconv(0, &s, &size, &p, &size_out);
+ sink(*p); // $ MISSING: ast,ir
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
index 444be2565167..5b2bfbadb7f9 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -3,3 +3,4 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (tai
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (taint.ql:61,22-30)
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: module 'TaintTracking' has been deprecated and may be removed in future (taint.ql:73,20-33)
+| taint.cpp:867:7:867:8 | * ... | Fixed missing result: ast |
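Review bot: `size_t size_out;` in the new `test_iconv` is handed to `iconv` uninitialized, so the stubbed call's `*outbytesleft` is indeterminate; for a test that only needs the dataflow shape this is harmless, but `size_t size_out = sizeof(out);` keeps the example consistent with the real contract the model is meant to describe. The `MISSING: ast,ir` annotations are what this patch deliberately records, so nothing to change there. The file is also left without a trailing newline (`\ No newline at end of file`), which the later patches in the series keep carrying along. The `int f7(void)` body whose tail forms the leading context starts outside the hunk.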
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
index 846359fd6b23..bc20cc9b30eb 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected
@@ -17746,6 +17746,196 @@ signatureMatches | taint.cpp:837:5:837:11 | fprintf | (char **,const char *,...) | | ___asprintf | 1 | | taint.cpp:837:5:837:11 | fprintf | (char **,const char *,...) | | ___asprintf | 2 | | taint.cpp:837:5:837:11 | fprintf | (curl_httppost **,curl_httppost **,...) | | curl_formadd | 2 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ASN1_STRING_type_new | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ASN1_tag2bit | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ASN1_tag2str | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | EVP_PKEY_asn1_get0 | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | Jim_ReturnCode | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | Jim_SignalId | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | OBJ_nid2ln | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | OBJ_nid2obj | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | OBJ_nid2sn | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | OSSL_STORE_INFO_type_string | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | OSSL_trace_get_category_name | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | PKCS12_init | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | Symbol_Nth | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | X509_PURPOSE_get0 | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | X509_PURPOSE_get_by_id | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | X509_TRUST_get0 | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | X509_TRUST_get_by_id | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | X509_VERIFY_PARAM_get0 | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __btowc | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __current_locale_name | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __fdopendir | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __get_errlist | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __get_errname | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | 
__math_invalid_i | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __math_invalidf_i | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __p_class | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __p_rcode | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __p_type | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __pkey_get | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __sigdescr_np | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | __strerrordesc_np | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | _tolower | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | _toupper | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | btowc | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | c_tolower | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | c_toupper | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | curlx_sitouz | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | evp_pkey_type2name | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | inet6_option_space | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isalnum | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isalpha | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isblank | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | iscntrl | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isdigit | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isgraph | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | islower | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isprint | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ispunct | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isspace | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isupper | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | isxdigit | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ossl_cmp_bodytype_to_string | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ossl_tolower | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | ossl_toupper | 0 | +| 
taint.cpp:847:5:847:11 | toupper | (int) | | sigabbrev_np | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | sqlite3_compileoption_get | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | sqlite3_errstr | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | strerrorname_np | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | support_report_failure | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | svcudp_create | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | tls13_alert_code | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | toascii | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | tolower | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | toupper | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uabs | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uv__accept | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uv_err_name | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uv_get_osfhandle | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uv_strerror | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | uv_translate_sys_error | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | | zError | 0 | +| taint.cpp:847:5:847:11 | toupper | (int) | __pthread_cleanup_class | __setdoit | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ASN1_STRING_type_new | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ASN1_tag2bit | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ASN1_tag2str | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | EVP_PKEY_asn1_get0 | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | Jim_ReturnCode | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | Jim_SignalId | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | OBJ_nid2ln | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | OBJ_nid2obj | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | OBJ_nid2sn | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | OSSL_STORE_INFO_type_string | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | 
OSSL_trace_get_category_name | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | PKCS12_init | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | Symbol_Nth | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | X509_PURPOSE_get0 | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | X509_PURPOSE_get_by_id | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | X509_TRUST_get0 | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | X509_TRUST_get_by_id | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | X509_VERIFY_PARAM_get0 | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __btowc | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __current_locale_name | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __fdopendir | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __get_errlist | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __get_errname | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __math_invalid_i | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __math_invalidf_i | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __p_class | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __p_rcode | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __p_type | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __pkey_get | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __sigdescr_np | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | __strerrordesc_np | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | _tolower | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | _toupper | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | btowc | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | c_tolower | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | c_toupper | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | curlx_sitouz | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | evp_pkey_type2name | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | inet6_option_space | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isalnum 
| 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isalpha | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isblank | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | iscntrl | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isdigit | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isgraph | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | islower | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isprint | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ispunct | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isspace | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isupper | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | isxdigit | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ossl_cmp_bodytype_to_string | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ossl_tolower | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | ossl_toupper | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | sigabbrev_np | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | sqlite3_compileoption_get | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | sqlite3_errstr | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | strerrorname_np | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | support_report_failure | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | svcudp_create | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | tls13_alert_code | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | toascii | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | tolower | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | toupper | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uabs | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uv__accept | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uv_err_name | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uv_get_osfhandle | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uv_strerror | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | | uv_translate_sys_error | 0 | +| 
taint.cpp:848:5:848:11 | tolower | (int) | | zError | 0 | +| taint.cpp:848:5:848:11 | tolower | (int) | __pthread_cleanup_class | __setdoit | 0 | +| taint.cpp:859:8:859:12 | iconv | (ASYNC_WAIT_CTX *,int *,size_t *,int *,size_t *) | | ASYNC_WAIT_CTX_get_changed_fds | 4 | +| taint.cpp:859:8:859:12 | iconv | (Curl_easy *,Curl_chunker *,char *,size_t,size_t *) | | Curl_httpchunk_read | 4 | +| taint.cpp:859:8:859:12 | iconv | (Curl_easy *,const void *,size_t,bool,size_t *) | | Curl_xfer_send | 4 | +| taint.cpp:859:8:859:12 | iconv | (Curl_easy *,int,pingpong *,int *,size_t *) | | Curl_pp_readresp | 4 | +| taint.cpp:859:8:859:12 | iconv | (OSSL_RECORD_LAYER *,uint8_t,size_t,size_t,size_t *) | | tls_get_max_records_default | 4 | +| taint.cpp:859:8:859:12 | iconv | (OSSL_RECORD_LAYER *,uint8_t,size_t,size_t,size_t *) | | tls_get_max_records_multiblock | 4 | +| taint.cpp:859:8:859:12 | iconv | (QUIC_SSTREAM *,size_t,OSSL_QUIC_FRAME_STREAM *,OSSL_QTX_IOVEC *,size_t *) | | ossl_quic_sstream_get_stream_frame | 4 | +| taint.cpp:859:8:859:12 | iconv | (QUIC_TSERVER *,uint64_t,const unsigned char *,size_t,size_t *) | | ossl_quic_tserver_write | 4 | +| taint.cpp:859:8:859:12 | iconv | (QUIC_TSERVER *,uint64_t,unsigned char *,size_t,size_t *) | | ossl_quic_tserver_read | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,const void *,size_t,uint64_t,size_t *) | | SSL_write_ex2 | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,const void *,size_t,uint64_t,size_t *) | | ossl_quic_write_flags | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,const void *,size_t,uint64_t,size_t *) | | ssl_write_internal | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,int *,size_t *,int *,size_t *) | | SSL_get_changed_async_fds | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,uint8_t,const void *,size_t,size_t *) | | dtls1_write_app_data_bytes | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL *,uint8_t,const void *,size_t,size_t *) | | ssl3_write_bytes | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL_CONNECTION 
*,uint8_t,const unsigned char *,size_t,size_t *) | | do_dtls1_write | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL_CONNECTION *,uint8_t,const void *,size_t,size_t *) | | dtls1_write_bytes | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL_CONNECTION *,unsigned char *,unsigned char *,size_t,size_t *) | | ssl3_generate_master_secret | 4 | +| taint.cpp:859:8:859:12 | iconv | (SSL_CTX *,const SSL_CIPHER *,const EVP_MD **,int *,size_t *) | | ssl_cipher_get_evp_md_mac | 4 | +| taint.cpp:859:8:859:12 | iconv | (loaded_l10nfile *,binding *,const char *,int,size_t *) | | _nl_find_msg | 4 | +| taint.cpp:859:8:859:12 | iconv | (unsigned char *,size_t *,size_t,const unsigned char **,size_t *) | | ossl_cipher_fillblock | 4 | +| taint.cpp:859:8:859:12 | iconv | (unsigned char *,size_t *,size_t,const unsigned char **,size_t *) | | ossl_cipher_trailingdata | 4 | +| taint.cpp:859:8:859:12 | iconv | (unsigned long *,unsigned long *,unsigned long *,int,unsigned long *) | | bn_mul_low_recursive | 4 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | BrotliEncoderMaxCompressedSize | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | EVP_PKEY_meth_get0 | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | __libc_malloc | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | __libc_valloc | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | _dl_early_allocate | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | curlx_uztosi | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | curlx_uztosz | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | curlx_uztoui | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | curlx_uztoul | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | malloc | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | ossl_get_extension_type | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | ossl_param_bytes_to_blocks | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | ossl_quic_sstream_new | 0 
| +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | ssl_cert_new | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | support_next_to_fault_allocate | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | support_next_to_fault_allocate_before | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | support_stack_alloc | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (size_t) | | xalloc_sigstack | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (unsigned long) | | BN_num_bits_word | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (unsigned long) | | BUF_MEM_new_ex | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (unsigned long) | | curlx_ultouc | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (unsigned long) | | curlx_ultous | 0 | +| taint.cpp:861:6:861:15 | test_iconv | (unsigned long) | | next_prime | 0 | | thread.cpp:4:6:4:9 | sink | (int) | | ASN1_STRING_type_new | 0 | | thread.cpp:4:6:4:9 | sink | (int) | | ASN1_tag2bit | 0 | | thread.cpp:4:6:4:9 | sink | (int) | | ASN1_tag2str | 0 | @@ -47303,6 +47493,18 @@ getParameterTypeName | taint.cpp:837:5:837:11 | fprintf | 0 | FILE * | | taint.cpp:837:5:837:11 | fprintf | 1 | const char * | | taint.cpp:837:5:837:11 | fprintf | 2 | ... | +| taint.cpp:847:5:847:11 | toupper | 0 | int | +| taint.cpp:848:5:848:11 | tolower | 0 | int | +| taint.cpp:859:8:859:12 | iconv | 0 | iconv_t | +| taint.cpp:859:8:859:12 | iconv | 0 | int | +| taint.cpp:859:8:859:12 | iconv | 1 | char ** | +| taint.cpp:859:8:859:12 | iconv | 2 | size_t * | +| taint.cpp:859:8:859:12 | iconv | 2 | unsigned long * | +| taint.cpp:859:8:859:12 | iconv | 3 | char ** | +| taint.cpp:859:8:859:12 | iconv | 4 | size_t * | +| taint.cpp:859:8:859:12 | iconv | 4 | unsigned long * | +| taint.cpp:861:6:861:15 | test_iconv | 0 | size_t | +| taint.cpp:861:6:861:15 | test_iconv | 0 | unsigned long | | thread.cpp:4:6:4:9 | sink | 0 | int | | thread.cpp:6:8:6:8 | operator= | 0 | S && | | thread.cpp:6:8:6:8 | operator= | 0 | const S & | 
From 1d5d2728226b66c72635500216f04ac54ddccf8b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 6 Nov 2025 16:55:51 +0000
Subject: [PATCH 2/6] C++: Add a few more models.
---
 cpp/ql/lib/ext/cctype.model.yml | 9 +++++++++
 cpp/ql/lib/ext/iconv.model.yml | 7 +++++++
 2 files changed, 16 insertions(+)
 create mode 100644 cpp/ql/lib/ext/cctype.model.yml
 create mode 100644 cpp/ql/lib/ext/iconv.model.yml
diff --git a/cpp/ql/lib/ext/cctype.model.yml b/cpp/ql/lib/ext/cctype.model.yml
new file mode 100644
index 000000000000..d5fa3861c050
--- /dev/null
+++ b/cpp/ql/lib/ext/cctype.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "", False, "tolower", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["std", "", False, "tolower", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["", "", False, "toupper", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["std", "", False, "toupper", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
\ No newline at end of file
diff --git a/cpp/ql/lib/ext/iconv.model.yml b/cpp/ql/lib/ext/iconv.model.yml
new file mode 100644
index 000000000000..8db5a65841b4
--- /dev/null
+++ b/cpp/ql/lib/ext/iconv.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "", False, "iconv", "", "", "Argument[**1]", "Argument[**3]", "value", "manual"]
+ 
\ No newline at end of file
From 2b6a75f4ad48fef3d8fc18f85a1539c04a22954c Mon Sep 17 00:00:00 2001
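Review bot: The new rows model `tolower`/`toupper` in the global and `std` namespaces, but the signature listing added to test_mad-signatures.expected in the first patch of this series shows `_tolower`, `_toupper` and `toascii` with the same `(int)` shape, and they are equally argument-to-return character maps that stay unmodelled after this change; adding matching `"Argument[0]"` → `"ReturnValue"` taint rows here would close that gap in one place. `"taint"` rather than `"value"` is the right kind for these, since the returned character is a transformed copy of the argument. The file is written without a trailing newline (`\ No newline at end of file`).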
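Review bot: The `iconv` row flows `Argument[**1]` to `Argument[**3]` with kind `"value"`, but iconv re-encodes the bytes it copies, so the output buffer holds a transformed form of the input rather than the same value; unless the intent is for plain data-flow (not only taint) configurations to see through the conversion, `"taint"` — the kind the sibling cctype model uses for a comparable transformation — seems the more accurate choice. The row says nothing about the return value, which for iconv is a count rather than data, so that omission looks deliberate. The file ends with a whitespace-only line (`+ `) and no trailing newline.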
From: Mathias Vorreiter Pedersen
Date: Thu, 6 Nov 2025 16:57:11 +0000
Subject: [PATCH 3/6] C++: Accept test changes.
---
 cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp | 6 +++---
 .../test/library-tests/dataflow/taint-tests/taint.expected | 1 -
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index bc064a1bda63..70d5b8c7b001 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -850,9 +850,9 @@ int tolower(int);
 void test_toupper_and_tolower() {
 int s = source();
 int u = toupper(s);
- sink(u); // $ MISSING: ast,ir
+ sink(u); // $ ir MISSING: ast
 int l = tolower(s);
- sink(l); // $ MISSING: ast,ir
+ sink(l); // $ ir MISSING: ast
 }
 typedef int iconv_t;
@@ -864,5 +864,5 @@ void test_iconv(size_t size) {
 char* p = out;
 size_t size_out;
 iconv(0, &s, &size, &p, &size_out);
- sink(*p); // $ MISSING: ast,ir
+ sink(*p); // $ ast,ir
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
index 5b2bfbadb7f9..444be2565167 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -3,4 +3,3 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (tai
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (taint.ql:61,22-30)
 WARNING: module 'DataFlow' has been deprecated and may be removed in future (taint.ql:68,25-33)
 WARNING: module 'TaintTracking' has been deprecated and may be removed in future (taint.ql:73,20-33)
-| taint.cpp:867:7:867:8 | * ... | Fixed missing result: ast |
From f0da0d98a2fc3d8f111dbd3aae20584b5e392bd4 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Thu, 6 Nov 2025 17:00:19 +0000
Subject: [PATCH 4/6] C++: Add a few more models I noticed while here.
---
 .../code/cpp/models/implementations/Memcpy.qll | 8 +++++---
 .../code/cpp/models/implementations/Memset.qll | 5 +++--
 .../code/cpp/models/implementations/Strcat.qll | 10 ++++++++--
 .../code/cpp/models/implementations/Strcpy.qll | 12 ++++++++++--
 4 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
index 311847e8aec0..dc1302d3b8fc 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memcpy.qll
@@ -12,8 +12,8 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.NonThrowing
 /**
- * The standard functions `memcpy`, `memmove` and `bcopy`; and the gcc variant
- * `__builtin___memcpy_chk`.
+ * The standard functions `memcpy`, `memmove` and `bcopy`; and variants such as
+ * `__builtin___memcpy_chk` and `__builtin___memmove_chk`.
 */
 private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffectFunction,
 AliasFunction, NonCppThrowingFunction
@@ -27,7 +27,9 @@ private class MemcpyFunction extends ArrayFunction, DataFlowFunction, SideEffect
 // bcopy(src, dest, num)
 // mempcpy(dest, src, num)
 // memccpy(dest, src, c, n)
- this.hasGlobalName(["bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk"])
+ this.hasGlobalName([
+ "bcopy", mempcpy(), "memccpy", "__builtin___memcpy_chk", "__builtin___memmove_chk"
+ ])
 }
 /**
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
index 51234e50f94f..f7d3f50234cd 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Memset.qll
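Review bot: `__builtin___memmove_chk` joins the `hasGlobalName` list, but the comment block directly above it that spells out each modelled signature (`// bcopy(src, dest, num)`, `// mempcpy(dest, src, num)`, `// memccpy(dest, src, c, n)`) is not extended, so the extra trailing size argument the fortify variants take goes undocumented here; add `// __builtin___memcpy_chk(dest, src, num, dest_size)` and `// __builtin___memmove_chk(dest, src, num, dest_size)` to that list. Modelling the `_chk` forms matters because code built with fortification reaches the analyser as these builtins, and an unmodelled one silently drops taint through the copy. The predicates of MemcpyFunction that pick parameter indices lie outside both hunks, so whether the fourth argument needs any treatment there cannot be checked from this diff.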
@@ -19,7 +19,8 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
 this.hasGlobalOrStdName("wmemset")
 or
 this.hasGlobalName([
- bzero(), "__builtin_memset", "__builtin_memset_chk", "RtlZeroMemory", "RtlSecureZeroMemory"
+ bzero(), "__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk",
+ "RtlZeroMemory", "RtlSecureZeroMemory"
 ])
 }
@@ -32,7 +33,7 @@ private class MemsetFunctionModel extends ArrayFunction, DataFlowFunction, Alias
 or
 this.hasGlobalOrStdName("wmemset")
 or
- this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk"])
+ this.hasGlobalName(["__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"])
 ) and
 result = 1
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
index 966c7425dc45..051b887f4d11 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -30,7 +30,9 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
 "_mbsncat", // _mbsncat(dst, src, max_amount)
 "_mbsncat_l", // _mbsncat_l(dst, src, max_amount, locale)
 "_mbsnbcat", // _mbsnbcat(dest, src, count)
- "_mbsnbcat_l" // _mbsnbcat_l(dest, src, count, locale)
+ "_mbsnbcat_l", // _mbsnbcat_l(dest, src, count, locale)
+ "__builtin___strcat_chk", // __builtin___strcat_chk (dest, src, magic);
+ "__builtin___strncat_chk" // __builtin___strncat_chk (dest, src, max_amount, magic);
 ])
 }
@@ -56,7 +58,11 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 (
- this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and
+ this.getName() =
+ [
+ "strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk",
+ "__builtin___strcat_chk"
+ ] and
 input.isParameter(2)
 or
 this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and
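Review bot: The three builtin names `"__builtin_memset", "__builtin_memset_chk", "__builtin___memset_chk"` now appear verbatim in both hunks of Memset.qll, so the next variant has to be added in two places and the lists can drift apart; the first list already factors a name through `bzero()`, and a similar private predicate returning the builtin names, used from both `hasGlobalName` calls, would keep them in step. Keeping `result = 1` for `__builtin___memset_chk` is consistent with its fill byte being the second argument, as for `memset`. Both enclosing predicates start outside their hunks.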
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
index b7ed20f1bab3..87606ba7b653 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -36,7 +36,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
 "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
 "stpcpy", // stpcpy(dest, src)
 "stpncpy", // stpncpy(dest, src, max_amount)
- "strlcpy" // strlcpy(dst, src, dst_size)
+ "strlcpy", // strlcpy(dst, src, dst_size)
+ "__builtin___strcpy_chk", // __builtin___strcpy_chk (dest, src, magic);
+ "__builtin___stpcpy_chk", // __builtin___stpcpy_chk (dest, src, magic);
+ "__builtin___stpncpy_chk", // __builtin___stpncpy_chk(dest, src, max_amount, magic)
+ "__builtin___strncpy_chk" // __builtin___strncpy_chk (dest, src, max_amount, magic);
 ])
 or
 (
@@ -69,7 +73,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
 if this.isSVariant()
 then result = 1
 else (
- this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
+ this.getName()
+ .matches([
+ "%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy", "__builtin___strcpy_chk",
+ "__builtin___stpcpy_chk", "__builtin___stpncpy_chk", "__builtin___strncpy_chk"
+ ]) and
 result = 2
 )
 }
From f163d015d58bb95b762629ec5b37010c588ea666 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 7 Nov 2025 17:27:25 +0000
Subject: [PATCH 5/6] C++: Clean up comments.
---
 .../lib/semmle/code/cpp/models/implementations/Strcat.qll | 4 ++--
 .../lib/semmle/code/cpp/models/implementations/Strcpy.qll | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
index 051b887f4d11..5dc0bb206896 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -31,8 +31,8 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
 "_mbsncat_l", // _mbsncat_l(dst, src, max_amount, locale)
 "_mbsnbcat", // _mbsnbcat(dest, src, count)
 "_mbsnbcat_l", // _mbsnbcat_l(dest, src, count, locale)
- "__builtin___strcat_chk", // __builtin___strcat_chk (dest, src, magic);
- "__builtin___strncat_chk" // __builtin___strncat_chk (dest, src, max_amount, magic);
+ "__builtin___strcat_chk", // __builtin___strcat_chk (dest, src, magic)
+ "__builtin___strncat_chk" // __builtin___strncat_chk (dest, src, max_amount, magic)
 ])
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
index 87606ba7b653..d96a0d677bc7 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -37,10 +37,10 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
 "stpcpy", // stpcpy(dest, src)
 "stpncpy", // stpncpy(dest, src, max_amount)
 "strlcpy", // strlcpy(dst, src, dst_size)
- "__builtin___strcpy_chk", // __builtin___strcpy_chk (dest, src, magic);
- "__builtin___stpcpy_chk", // __builtin___stpcpy_chk (dest, src, magic);
+ "__builtin___strcpy_chk", // __builtin___strcpy_chk (dest, src, magic)
+ "__builtin___stpcpy_chk", // __builtin___stpcpy_chk (dest, src, magic)
 "__builtin___stpncpy_chk", // __builtin___stpncpy_chk(dest, src, max_amount, magic)
- "__builtin___strncpy_chk" // __builtin___strncpy_chk (dest, src, max_amount, magic);
+ "__builtin___strncpy_chk" // __builtin___strncpy_chk (dest, src, max_amount, magic)
 ])
 or
 (
From 56b9566299e65e388a5d1d17040d40ccc538a47f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 7 Nov 2025 17:29:48 +0000
Subject: [PATCH 6/6] C++: Fix mistakes in models of internal strcat and strcpy functions.
---
 .../lib/semmle/code/cpp/models/implementations/Strcat.qll | 6 +-----
 .../lib/semmle/code/cpp/models/implementations/Strcpy.qll | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
index 5dc0bb206896..df16d220e02d 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -58,11 +58,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 (
- this.getName() =
- [
- "strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk",
- "__builtin___strcat_chk"
- ] and
+ this.getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l", "__builtin___strncat_chk"] and
 input.isParameter(2)
 or
 this.getName() = ["_mbsncat_l", "_mbsnbcat_l"] and
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
index d96a0d677bc7..b3230a5a1c8c 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -73,11 +73,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
 if this.isSVariant()
 then result = 1
 else (
- this.getName()
- .matches([
- "%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy", "__builtin___strcpy_chk",
- "__builtin___stpcpy_chk", "__builtin___stpncpy_chk", "__builtin___strncpy_chk"
- ]) and
+ this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
 result = 2
 )
 }
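Review bot: After the shortened list, `__builtin___strncpy_chk` and `__builtin___stpncpy_chk` still get `result = 2`, but only because the `"%ncpy%"` wildcard happens to match their names, which a reader of the new one-liner has to work out; a comment such as `// "%ncpy%" also covers __builtin___strncpy_chk and __builtin___stpncpy_chk` would make that reliance explicit. Dropping `__builtin___strcpy_chk` and `__builtin___stpcpy_chk` looks right, since their third argument is the destination object size used for the runtime check rather than a bound on how much is copied. The predicate's signature is outside the hunk, and the Strcat hunk in this patch correspondingly keeps only `__builtin___strncat_chk` for parameter 2.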