C++: Repair a few broken models that were incorrectly a pointer

as tainted (instead of the pointee), or vice versa. Because of existing dataflow pointer/pointee conflation we never noticed that, but since this PR removes those imprecisions we now need to update these models.
2022-08-26 14:55:20 +01:00 · 2022-08-26 14:55:20 +01:00 · 5509562fe6
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Iterator.qll
@ -223,7 +223,7 @@ private class IteratorCrementMemberOperator extends MemberFunction, DataFlowFunc
    output.isQualifierObject()
    or
    input.isQualifierObject() and
-    output.isReturnValueDeref()
+    output.isReturnValue()
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll
@ -176,7 +176,7 @@ private class StdSequenceContainerInsert extends TaintFunction {
    ) and
    (
      output.isQualifierObject() or
-      output.isReturnValueDeref()
+      output.isReturnValue()
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
@ -176,7 +176,7 @@ private class StdStringAppend extends TaintFunction {
    ) and
    (
      output.isQualifierObject() or
-      output.isReturnValueDeref()
+      output.isReturnValue()
    )
    or
    // reverse flow from returned reference to the qualifier (for writes to
@ -543,11 +543,11 @@ private class StdOStreamOutNonMember extends DataFlowFunction, TaintFunction {

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    // flow from second parameter to first parameter
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
    output.isParameterDeref(0)
    or
    // flow from second parameter to return value
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
    output.isReturnValueDeref()
    or
    // reverse flow from returned reference to the first parameter
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@ -61,7 +61,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
    input.isParameterDeref(0) and
    output.isParameterDeref(0)
    or
-    input.isParameter(1) and
+    input.isParameterDeref(1) and
    output.isParameterDeref(0)
  }