C++: Repair a few broken models that were incorrectly a pointer

MathiasVP · MathiasVP · commit 5509562fe616 · 2022-09-09T17:04:36.000+01:00
as tainted (instead of the pointee), or vice versa. Because of
existing dataflow pointer/pointee conflation we never noticed that,
but since this PR removes those imprecisions we now need to update
these models.
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
@@ -223,7 +223,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
     output.isQualifierObject()
     or
     input.isQualifierObject() and
-    output.isReturnValueDeref()
+    output.isReturnValue()
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
@@ -176,7 +176,7 @@ private class StdSequenceContainerInsert extends TaintFunction {
     ) and
     (
       output.isQualifierObject() or
-      output.isReturnValueDeref()
+      output.isReturnValue()
     )
   }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@@ -176,7 +176,7 @@ private class StdStringAppend extends TaintFunction {
     ) and
     (
       output.isQualifierObject() or
-      output.isReturnValueDeref()
+      output.isReturnValue()
     )
     or
     // reverse flow from returned reference to the qualifier (for writes to
@@ -543,11 +543,11 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from second parameter to first parameter
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
     output.isParameterDeref(0)
     or
     // flow from second parameter to return value
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
     output.isReturnValueDeref()
     or
     // reverse flow from returned reference to the first parameter
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -61,7 +61,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
     input.isParameterDeref(0) and
     output.isParameterDeref(0)
     or
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
     output.isParameterDeref(0)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc`
`223`	`223`	`output.isQualifierObject()`
`224`	`224`	`or`
`225`	`225`	`input.isQualifierObject() and`
`226`		`- output.isReturnValueDeref()`
	`226`	`+ output.isReturnValue()`
`227`	`227`	`}`
`228`	`228`
`229`	`229`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ private class StdSequenceContainerInsert extends TaintFunction {`
`176`	`176`	`) and`
`177`	`177`	`(`
`178`	`178`	`output.isQualifierObject() or`
`179`		`- output.isReturnValueDeref()`
	`179`	`+ output.isReturnValue()`
`180`	`180`	`)`
`181`	`181`	`}`
`182`	`182`	`}`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid`
`61`	`61`	`input.isParameterDeref(0) and`
`62`	`62`	`output.isParameterDeref(0)`
`63`	`63`	`or`
`64`		`- input.isParameter(1) and`
	`64`	`+ input.isParameterDeref(1) and`
`65`	`65`	`output.isParameterDeref(0)`
`66`	`66`	`}`
`67`	`67`