C++: Add test cases for ZMQ summary models.

cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll

@@ -32,5 +32,3 @@ private class ZmqSinks extends SinkModelCsv {
       ]
   }
 }
-
-        // TODO: flow into / through zmq_msg_data ?

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -8223,3 +8223,50 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
 | vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs |  |
 | vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
+| zmq.cpp:17:21:17:26 | socket | zmq.cpp:17:21:17:26 | socket |  |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:17:35:17:46 | message_data |  |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:20:35:20:46 | message_data |  |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:25:3:25:14 | message_data |  |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:26:8:26:19 | message_data |  |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:28:35:28:46 | message_data |  |
+| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:20:49:20:59 | message_len |  |
+| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:28:49:28:59 | message_len |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:20:26:20:32 | message |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:21:10:21:16 | message |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:22:24:22:30 | message |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:28:26:28:32 | message |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:29:10:29:16 | message |  |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:30:24:30:30 | message |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:20:26:20:32 | message [inner post update] |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:21:10:21:16 | message |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:22:24:22:30 | message |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message |  |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message |  |
+| zmq.cpp:20:26:20:32 | message | zmq.cpp:20:25:20:32 | & ... |  |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data |  |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:25:3:25:14 | message_data |  |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:26:8:26:19 | message_data |  |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data |  |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:22:24:22:30 | message [inner post update] |  |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:28:26:28:32 | message |  |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:29:10:29:16 | message |  |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message |  |
+| zmq.cpp:22:24:22:30 | message | zmq.cpp:22:23:22:30 | & ... |  |
+| zmq.cpp:25:3:25:14 | message_data | zmq.cpp:25:3:25:17 | access to array | TAINT |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:17:35:17:46 | message_data |  |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:25:3:25:14 | message_data [inner post update] |  |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:26:8:26:19 | message_data |  |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:28:35:28:46 | message_data |  |
+| zmq.cpp:25:3:25:28 | ... = ... | zmq.cpp:25:3:25:17 | access to array [post update] |  |
+| zmq.cpp:25:16:25:16 | 0 | zmq.cpp:25:3:25:17 | access to array | TAINT |
+| zmq.cpp:25:21:25:26 | call to source | zmq.cpp:25:3:25:28 | ... = ... |  |
+| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data |  |
+| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data |  |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message [inner post update] |  |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message |  |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message |  |
+| zmq.cpp:28:26:28:32 | message | zmq.cpp:28:25:28:32 | & ... |  |
+| zmq.cpp:28:35:28:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data |  |
+| zmq.cpp:30:23:30:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message [inner post update] |  |
+| zmq.cpp:30:24:30:30 | message | zmq.cpp:30:23:30:30 | & ... |  |

cpp/ql/test/library-tests/dataflow/taint-tests/zmq.cpp

@@ -0,0 +1,32 @@
+
+int source();
+void sink(...);
+
+// --- ZMC networking library ---
+
+typedef unsigned long size_t;
+
+struct zmq_msg_t {
+  // ...
+};
+typedef void (*zmq_free_fn)();
+
+int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint);
+void *zmq_msg_data(zmq_msg_t *msg);
+
+void test_zmc(void *socket, char *message_data, size_t message_len) {
+  zmq_msg_t message;
+
+  if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+    sink(message); // $ SPURIOUS: ast
+    sink(zmq_msg_data(&message));
+  }
+
+  message_data[0] = source();
+  sink(message_data); // $ ast,ir
+
+  if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+    sink(message); // $ ast MISSING: ir
+    sink(zmq_msg_data(&message)); // $ MISSING: ast,ir
+  }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -140,7 +140,7 @@ void test_zmq(void *remoteSocket)
 	}
 
 	// send as message
-	if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+	if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) { // (detected here)
 		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable (detected above)
 			// ...
 		}