C++: Fix FP.

Author: MathiasVP

cpp/ql/src/experimental/Security/CWE/CWE-416/IteratorToExpiredContainer.ql

@@ -80,6 +80,20 @@ module DestroyedToBeginConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source = getADestroyedNode() }
 
   predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+
+  DataFlow::FlowFeature getAFeature() {
+    // By blocking argument-to-parameter flow we ensure that we don't enter a
+    // function body where the temporary outlives anything inside the function.
+    // This prevents false positives in cases like:
+    // ```cpp
+    // void foo(const std::vector<int>& v) {
+    //   for(auto x : v) { ... } // this is fine since v outlives the loop
+    // }
+    // ...
+    // foo(create_temporary())
+    // ```
+    result instanceof DataFlow::FeatureHasSinkCallContext
+  }
 }
 
 module DestroyedToBeginFlow = DataFlow::Global<DestroyedToBeginConfig>;

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-416/test.cpp

@@ -744,8 +744,8 @@ std::vector<int> first_in_returnValue_2() {
 }
 
 void test2() {
-  iterate(returnValue()); // GOOD [FALSE POSITIVE] (see *)
-  iterate(returnValue()[0]); // GOOD [FALSE POSITIVE] (see *)
+  iterate(returnValue()); // GOOD
+  iterate(returnValue()[0]); // GOOD
 
   for (auto x : ref_to_first_in_returnValue_1()) {}