C++: Add change note

Author: jketema

cpp/ql/lib/change-notes/2025-04-23-typeof.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.

cpp/ql/test/library-tests/ir/ir/test.cpp

@@ -0,0 +1,32 @@
+namespace {
+class Data {
+    public:
+    template <typename U>
+    int process1() {
+        return data_ + 10;
+    }
+
+    template <typename U>
+    int process2(int data) {
+        return data + 20;
+    }
+
+    int process3() {
+        return data_ + 30;
+    }
+
+    int data_;
+};
+}
+
+int taint_source() {return 1;}
+
+void df_test() {
+    int i;
+    Data data;
+
+    data.data_ = taint_source();
+    i = data.process1<void>();
+    i = data.process2<void>(data.data_);
+    i = data.process3();
+}

cpp/ql/test/library-tests/ir/test/PrintAST.expected

@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.PrintAST
+private import PrintConfig
+
+private class PrintConfig extends PrintAstConfiguration {
+  override predicate shouldPrintDeclaration(Declaration decl) { shouldDumpDeclaration(decl) }
+}

cpp/ql/test/library-tests/ir/test/PrintAST.ql

@@ -0,0 +1,24 @@
+private import cpp
+
+/**
+ * Holds if the specified location is in standard headers.
+ */
+predicate locationIsInStandardHeaders(Location loc) {
+  loc.getFile().getAbsolutePath().regexpMatch(".*/include/[^/]+")
+}
+
+/**
+ * Holds if the AST or IR for the specified declaration should be printed in the test output.
+ *
+ * This predicate excludes declarations defined in standard headers.
+ */
+predicate shouldDumpDeclaration(Declaration decl) {
+  not locationIsInStandardHeaders(decl.getLocation()) and
+  (
+    decl instanceof Function
+    or
+    decl.(GlobalOrNamespaceVariable).hasInitializer()
+    or
+    decl.(StaticLocalVariable).hasInitializer()
+  )
+}

cpp/ql/test/library-tests/ir/test/PrintConfig.qll

@@ -0,0 +1,26 @@
+char *getenv(const char *name);
+int printf(const char * format, ...);
+int atoi(const char *str);
+
+void bad1(){
+    int factor = atoi(getenv("BRANCHING_FACTOR"));
+    int i;
+    for(i = 0; i<factor; i++){
+        printf("sfasdfad");
+    }
+}
+
+
+void bad2(){
+    int factor = atoi(getenv("BRANCHING_FACTOR"));
+    int i = 0;
+    while (i < factor)
+    {
+        printf("sfasdfad");
+        i++;
+    }
+}
+
+int main(){
+
+}

cpp/ql/test/test/test.cpp

@@ -0,0 +1,54 @@
+
+
+/**
+ * @name Untrusted input for a condition
+ * @description Using untrusted inputs in a statement that makes a
+ *              security decision makes code vulnerable to
+ *              attack.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/tainted-loop-check
+ * @tags security
+ *       external/cwe/cwe-606
+ */
+
+ import cpp
+ import semmle.code.cpp.security.Security
+ import semmle.code.cpp.security.FlowSources
+ import semmle.code.cpp.ir.dataflow.TaintTracking
+ import semmle.code.cpp.ir.IR
+ import Flow::PathGraph
+ 
+ predicate sensitiveCondition(Expr condition) {
+   exists(ForStmt forstmt |
+     forstmt.getCondition().getAChild*() = condition
+   )
+ }
+ 
+ 
+ predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
+ 
+ module Config implements DataFlow::ConfigSig {
+   predicate isSource(DataFlow::Node node) { isSource(node, _) }
+ 
+   predicate isSink(DataFlow::Node node) {
+     sensitiveCondition(node.asExpr())
+   }
+ 
+ }
+ 
+ module Flow = TaintTracking::Global<Config>;
+ 
+ 
+ from
+   string sourceType, DataFlow::Node source, DataFlow::Node sink,
+   Flow::PathNode sourceNode, Flow::PathNode sinkNode
+ where
+   source = sourceNode.getNode() and
+   sink = sinkNode.getNode() and
+   isSource(source, sourceType) and
+   sensitiveCondition(sink.asExpr()) and
+   Flow::flowPath(sourceNode, sinkNode)
+ select sink, sourceNode, sinkNode, "Taint data to loop condition"