
Commit 6f120a6

authored
Merge pull request github#12368 from geoffw0/taintarith3
Swift: Fill some gaps in arithmetic / bitwise operations modelling
2 parents 9aaf306 + c29dcef commit 6f120a6


11 files changed

+206
-11
lines changed


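--- a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
@@ -46,6 +46,9 @@ private module Cached {
 // allow flow through arithmetic (this case includes string concatenation)
 nodeTo.asExpr().(ArithmeticOperation).getAnOperand() = nodeFrom.asExpr()
 or
+// allow flow through bitwise operations
+nodeTo.asExpr().(BitwiseOperation).getAnOperand() = nodeFrom.asExpr()
+or
 // allow flow through assignment operations (e.g. `+=`)
 exists(AssignOperation op |
 nodeFrom.asExpr() = op.getSource() and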
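Review bot: The comment on the new disjunct, `// allow flow through bitwise operations`, does not say that masking or shifting by a constant leaves the result tainted, which matters to any query that would otherwise read `x & 0xffff` as a bound on attacker-controlled data. Flow is added from every operand of a `BitwiseOperation` to the result, so such a query has to supply its own barrier; I would say so here, e.g. `// allow flow through bitwise operations; a constant mask or shift does not clear taint, so queries that treat masking as sanitization need their own barrier`. The enclosing predicate starts and ends outside this hunk, so whether compound forms such as `|=` are picked up by the `AssignOperation` case below cannot be confirmed from the visible lines.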

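--- a/swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
@@ -45,30 +45,33 @@ class BinaryArithmeticOperation extends BinaryExpr {
 * An add expression.
 * ```
 * a + b
+* a &+ b
 * ```
 */
 class AddExpr extends BinaryExpr {
-AddExpr() { this.getStaticTarget().getName() = "+(_:_:)" }
+AddExpr() { this.getStaticTarget().getName() = ["+(_:_:)", "&+(_:_:)"] }
 }
 
 /**
 * A subtract expression.
 * ```
 * a - b
+* a &- b
 * ```
 */
 class SubExpr extends BinaryExpr {
-SubExpr() { this.getStaticTarget().getName() = "-(_:_:)" }
+SubExpr() { this.getStaticTarget().getName() = ["-(_:_:)", "&-(_:_:)"] }
 }
 
 /**
 * A multiply expression.
 * ```
 * a * b
+* a &* b
 * ```
 */
 class MulExpr extends BinaryExpr {
-MulExpr() { this.getStaticTarget().getName() = "*(_:_:)" }
+MulExpr() { this.getStaticTarget().getName() = ["*(_:_:)", "&*(_:_:)"] }
 }
 
 /**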
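Review bot: `AddExpr`, `SubExpr` and `MulExpr` now match the wrapping operators alongside the trapping ones, and the QLDoc only lists `a &+ b` as another example without saying the two differ on overflow. In Swift `a + b` traps on overflow while `a &+ b` wraps silently, so a query reasoning about integer overflow can no longer use these classes alone to tell the two apart. I would add one sentence to each QLDoc, e.g. `* This includes the overflow operator '&+', which wraps instead of trapping.`, so query authors know to check the operator name where the distinction matters. The hunk ends inside the QLDoc of the next class.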

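--- a/swift/ql/lib/codeql/swift/elements/expr/BitwiseOperation.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/BitwiseOperation.qll
@@ -6,6 +6,8 @@ private import codeql.swift.elements.expr.PrefixUnaryExpr
 * A bitwise operation, such as:
 * ```
 * a & b
+* a << b
+* ~a
 * ```
 */
 class BitwiseOperation extends Expr {
@@ -27,13 +29,18 @@ class BitwiseOperation extends Expr {
 * A binary bitwise operation, such as:
 * ```
 * a & b
+* a << b
+* a .^ b
 * ```
 */
 class BinaryBitwiseOperation extends BinaryExpr {
 BinaryBitwiseOperation() {
 this instanceof AndBitwiseExpr or
 this instanceof OrBitwiseExpr or
 this instanceof XorBitwiseExpr or
+this instanceof PointwiseAndExpr or
+this instanceof PointwiseOrExpr or
+this instanceof PointwiseXorExpr or
 this instanceof ShiftLeftBitwiseExpr or
 this instanceof ShiftRightBitwiseExpr
 }
@@ -69,24 +76,56 @@ class XorBitwiseExpr extends BinaryExpr {
 XorBitwiseExpr() { this.getStaticTarget().getName() = "^(_:_:)" }
 }
 
+/**
+* A pointwise bitwise-and expression:
+* ```
+* a .& b
+* ```
+*/
+class PointwiseAndExpr extends BinaryExpr {
+PointwiseAndExpr() { this.getOperator().getName() = ".&(_:_:)" }
+}
+
+/**
+* A pointwise bitwise-or expression:
+* ```
+* a .| b
+* ```
+*/
+class PointwiseOrExpr extends BinaryExpr {
+PointwiseOrExpr() { this.getOperator().getName() = ".|(_:_:)" }
+}
+
+/**
+* A pointwise bitwise exclusive-or expression:
+* ```
+* a .^ b
+* ```
+*/
+class PointwiseXorExpr extends BinaryExpr {
+PointwiseXorExpr() { this.getOperator().getName() = ".^(_:_:)" }
+}
+
 /**
 * A bitwise shift left expression.
 * ```
 * a << b
+* a &<<
 * ```
 */
 class ShiftLeftBitwiseExpr extends BinaryExpr {
-ShiftLeftBitwiseExpr() { this.getStaticTarget().getName() = "<<(_:_:)" }
+ShiftLeftBitwiseExpr() { this.getStaticTarget().getName() = ["<<(_:_:)", "&<<(_:_:)"] }
 }
 
 /**
 * A bitwise shift right expression.
 * ```
 * a >> b
+* a &>>
 * ```
 */
 class ShiftRightBitwiseExpr extends BinaryExpr {
-ShiftRightBitwiseExpr() { this.getStaticTarget().getName() = ">>(_:_:)" }
+ShiftRightBitwiseExpr() { this.getStaticTarget().getName() = [">>(_:_:)", "&>>(_:_:)"] }
 }
 
 /**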
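Review bot: The three new pointwise classes match on `this.getOperator().getName()`, while every sibling class visible in this file, including the updated shift classes, matches on `this.getStaticTarget().getName()`, and nothing explains the difference. If it is deliberate (perhaps the static target does not resolve for these operators; that is not visible here), a short comment on `PointwiseAndExpr` giving the reason would stop a later consistency cleanup from silently dropping these operators out of `BinaryBitwiseOperation` and so out of taint flow. Separately, the new QLDoc examples `* a &<<` and `* a &>>` are missing their right-hand operand and should read `* a &<< b` and `* a &>> b`. The last hunk ends inside the QLDoc of the following class.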

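--- a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -19,6 +19,18 @@
 | simple.swift:21:13:21:20 | call to source() | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:21:24:21:24 | 100 | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:23:14:23:21 | call to source() | simple.swift:23:13:23:21 | call to -(_:) |
+| simple.swift:27:13:27:13 | 1 | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:27:18:27:25 | call to source() | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:28:13:28:20 | call to source() | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:28:25:28:25 | 1 | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:29:13:29:13 | 1 | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:30:13:30:20 | call to source() | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:30:25:30:25 | 1 | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:31:13:31:13 | 2 | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:32:13:32:20 | call to source() | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
+| simple.swift:32:25:32:25 | 2 | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
 | simple.swift:36:7:36:7 | SSA def(a) | simple.swift:37:13:37:13 | a |
 | simple.swift:36:11:36:11 | 0 | simple.swift:36:7:36:7 | SSA def(a) |
 | simple.swift:37:13:37:13 | [post] a | simple.swift:38:3:38:3 | a |
@@ -89,6 +101,27 @@
 | simple.swift:68:3:68:3 | [post] &... | simple.swift:69:13:69:13 | e |
 | simple.swift:68:3:68:3 | e | simple.swift:68:3:68:3 | &... |
 | simple.swift:68:8:68:8 | 100 | simple.swift:68:3:68:3 | &... |
+| simple.swift:73:13:73:13 | 0 | simple.swift:73:13:73:24 | ... .\|(_:_:) ... |
+| simple.swift:73:17:73:24 | call to source() | simple.swift:73:13:73:24 | ... .\|(_:_:) ... |
+| simple.swift:74:13:74:20 | call to source() | simple.swift:74:13:74:24 | ... .\|(_:_:) ... |
+| simple.swift:74:24:74:24 | 0 | simple.swift:74:13:74:24 | ... .\|(_:_:) ... |
+| simple.swift:76:13:76:13 | 0xffff | simple.swift:76:13:76:29 | ... .&(_:_:) ... |
+| simple.swift:76:22:76:29 | call to source() | simple.swift:76:13:76:29 | ... .&(_:_:) ... |
+| simple.swift:77:13:77:20 | call to source() | simple.swift:77:13:77:24 | ... .&(_:_:) ... |
+| simple.swift:77:24:77:24 | 0xffff | simple.swift:77:13:77:24 | ... .&(_:_:) ... |
+| simple.swift:79:13:79:13 | 0xffff | simple.swift:79:13:79:29 | ... .^(_:_:) ... |
+| simple.swift:79:22:79:29 | call to source() | simple.swift:79:13:79:29 | ... .^(_:_:) ... |
+| simple.swift:80:13:80:20 | call to source() | simple.swift:80:13:80:24 | ... .^(_:_:) ... |
+| simple.swift:80:24:80:24 | 0xffff | simple.swift:80:13:80:24 | ... .^(_:_:) ... |
+| simple.swift:82:13:82:20 | call to source() | simple.swift:82:13:82:25 | ... .<<(_:_:) ... |
+| simple.swift:82:25:82:25 | 1 | simple.swift:82:13:82:25 | ... .<<(_:_:) ... |
+| simple.swift:83:13:83:20 | call to source() | simple.swift:83:13:83:26 | ... .&<<(_:_:) ... |
+| simple.swift:83:26:83:26 | 1 | simple.swift:83:13:83:26 | ... .&<<(_:_:) ... |
+| simple.swift:84:13:84:20 | call to source() | simple.swift:84:13:84:25 | ... .>>(_:_:) ... |
+| simple.swift:84:25:84:25 | 1 | simple.swift:84:13:84:25 | ... .>>(_:_:) ... |
+| simple.swift:85:13:85:20 | call to source() | simple.swift:85:13:85:26 | ... .&>>(_:_:) ... |
+| simple.swift:85:26:85:26 | 1 | simple.swift:85:13:85:26 | ... .&>>(_:_:) ... |
+| simple.swift:87:14:87:21 | call to source() | simple.swift:87:13:87:21 | call to ~(_:) |
 | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] |
 | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] |
 | subscript.swift:1:7:1:7 | self | subscript.swift:1:7:1:7 | SSA def(self) |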

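--- a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
@@ -10,6 +10,12 @@ edges
 | simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... |
 | simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) |
+| simple.swift:27:18:27:25 | call to source() : | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
+| simple.swift:28:13:28:20 | call to source() : | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() : | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
+| simple.swift:30:13:30:20 | call to source() : | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() : | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
+| simple.swift:32:13:32:20 | call to source() : | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
 | simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a |
 | simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a |
 | simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b |
@@ -20,6 +26,17 @@ edges
 | simple.swift:60:8:60:15 | call to source() : | simple.swift:63:13:63:13 | d |
 | simple.swift:66:8:66:15 | call to source() : | simple.swift:67:13:67:13 | e |
 | simple.swift:66:8:66:15 | call to source() : | simple.swift:69:13:69:13 | e |
+| simple.swift:73:17:73:24 | call to source() : | simple.swift:73:13:73:24 | ... .\|(_:_:) ... |
+| simple.swift:74:13:74:20 | call to source() : | simple.swift:74:13:74:24 | ... .\|(_:_:) ... |
+| simple.swift:76:22:76:29 | call to source() : | simple.swift:76:13:76:29 | ... .&(_:_:) ... |
+| simple.swift:77:13:77:20 | call to source() : | simple.swift:77:13:77:24 | ... .&(_:_:) ... |
+| simple.swift:79:22:79:29 | call to source() : | simple.swift:79:13:79:29 | ... .^(_:_:) ... |
+| simple.swift:80:13:80:20 | call to source() : | simple.swift:80:13:80:24 | ... .^(_:_:) ... |
+| simple.swift:82:13:82:20 | call to source() : | simple.swift:82:13:82:25 | ... .<<(_:_:) ... |
+| simple.swift:83:13:83:20 | call to source() : | simple.swift:83:13:83:26 | ... .&<<(_:_:) ... |
+| simple.swift:84:13:84:20 | call to source() : | simple.swift:84:13:84:25 | ... .>>(_:_:) ... |
+| simple.swift:85:13:85:20 | call to source() : | simple.swift:85:13:85:26 | ... .&>>(_:_:) ... |
+| simple.swift:87:14:87:21 | call to source() : | simple.swift:87:13:87:21 | call to ~(_:) |
 | subscript.swift:13:15:13:22 | call to source() : | subscript.swift:13:15:13:25 | ...[...] |
 | subscript.swift:14:15:14:23 | call to source2() : | subscript.swift:14:15:14:26 | ...[...] |
 | try.swift:9:17:9:24 | call to source() : | try.swift:9:13:9:24 | try ... |
@@ -48,6 +65,18 @@ nodes
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | semmle.label | ... .%(_:_:) ... |
 | simple.swift:23:13:23:21 | call to -(_:) | semmle.label | call to -(_:) |
 | simple.swift:23:14:23:21 | call to source() : | semmle.label | call to source() : |
+| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
+| simple.swift:27:18:27:25 | call to source() : | semmle.label | call to source() : |
+| simple.swift:28:13:28:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
+| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
+| simple.swift:29:18:29:25 | call to source() : | semmle.label | call to source() : |
+| simple.swift:30:13:30:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
+| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
+| simple.swift:31:18:31:25 | call to source() : | semmle.label | call to source() : |
+| simple.swift:32:13:32:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
 | simple.swift:40:8:40:15 | call to source() : | semmle.label | call to source() : |
 | simple.swift:41:13:41:13 | a | semmle.label | a |
 | simple.swift:43:13:43:13 | a | semmle.label | a |
@@ -63,6 +92,28 @@ nodes
 | simple.swift:66:8:66:15 | call to source() : | semmle.label | call to source() : |
 | simple.swift:67:13:67:13 | e | semmle.label | e |
 | simple.swift:69:13:69:13 | e | semmle.label | e |
+| simple.swift:73:13:73:24 | ... .\|(_:_:) ... | semmle.label | ... .\|(_:_:) ... |
+| simple.swift:73:17:73:24 | call to source() : | semmle.label | call to source() : |
+| simple.swift:74:13:74:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:74:13:74:24 | ... .\|(_:_:) ... | semmle.label | ... .\|(_:_:) ... |
+| simple.swift:76:13:76:29 | ... .&(_:_:) ... | semmle.label | ... .&(_:_:) ... |
+| simple.swift:76:22:76:29 | call to source() : | semmle.label | call to source() : |
+| simple.swift:77:13:77:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:77:13:77:24 | ... .&(_:_:) ... | semmle.label | ... .&(_:_:) ... |
+| simple.swift:79:13:79:29 | ... .^(_:_:) ... | semmle.label | ... .^(_:_:) ... |
+| simple.swift:79:22:79:29 | call to source() : | semmle.label | call to source() : |
+| simple.swift:80:13:80:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:80:13:80:24 | ... .^(_:_:) ... | semmle.label | ... .^(_:_:) ... |
+| simple.swift:82:13:82:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:82:13:82:25 | ... .<<(_:_:) ... | semmle.label | ... .<<(_:_:) ... |
+| simple.swift:83:13:83:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:83:13:83:26 | ... .&<<(_:_:) ... | semmle.label | ... .&<<(_:_:) ... |
+| simple.swift:84:13:84:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:84:13:84:25 | ... .>>(_:_:) ... | semmle.label | ... .>>(_:_:) ... |
+| simple.swift:85:13:85:20 | call to source() : | semmle.label | call to source() : |
+| simple.swift:85:13:85:26 | ... .&>>(_:_:) ... | semmle.label | ... .&>>(_:_:) ... |
+| simple.swift:87:13:87:21 | call to ~(_:) | semmle.label | call to ~(_:) |
+| simple.swift:87:14:87:21 | call to source() : | semmle.label | call to source() : |
 | subscript.swift:13:15:13:22 | call to source() : | semmle.label | call to source() : |
 | subscript.swift:13:15:13:25 | ...[...] | semmle.label | ...[...] |
 | subscript.swift:14:15:14:23 | call to source2() : | semmle.label | call to source2() : |
@@ -86,6 +137,12 @@ subpaths
 | simple.swift:20:13:20:26 | ... .%(_:_:) ... | simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... | result |
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... | result |
 | simple.swift:23:13:23:21 | call to -(_:) | simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) | result |
+| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | simple.swift:27:18:27:25 | call to source() : | simple.swift:27:13:27:25 | ... .&+(_:_:) ... | result |
+| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | simple.swift:28:13:28:20 | call to source() : | simple.swift:28:13:28:25 | ... .&+(_:_:) ... | result |
+| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | simple.swift:29:18:29:25 | call to source() : | simple.swift:29:13:29:25 | ... .&-(_:_:) ... | result |
+| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | simple.swift:30:13:30:20 | call to source() : | simple.swift:30:13:30:25 | ... .&-(_:_:) ... | result |
+| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | simple.swift:31:18:31:25 | call to source() : | simple.swift:31:13:31:25 | ... .&*(_:_:) ... | result |
+| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | simple.swift:32:13:32:20 | call to source() : | simple.swift:32:13:32:25 | ... .&*(_:_:) ... | result |
 | simple.swift:41:13:41:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a | result |
 | simple.swift:43:13:43:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a | result |
 | simple.swift:49:13:49:13 | b | simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b | result |
@@ -96,6 +153,17 @@ subpaths
 | simple.swift:63:13:63:13 | d | simple.swift:60:8:60:15 | call to source() : | simple.swift:63:13:63:13 | d | result |
 | simple.swift:67:13:67:13 | e | simple.swift:66:8:66:15 | call to source() : | simple.swift:67:13:67:13 | e | result |
 | simple.swift:69:13:69:13 | e | simple.swift:66:8:66:15 | call to source() : | simple.swift:69:13:69:13 | e | result |
+| simple.swift:73:13:73:24 | ... .\|(_:_:) ... | simple.swift:73:17:73:24 | call to source() : | simple.swift:73:13:73:24 | ... .\|(_:_:) ... | result |
+| simple.swift:74:13:74:24 | ... .\|(_:_:) ... | simple.swift:74:13:74:20 | call to source() : | simple.swift:74:13:74:24 | ... .\|(_:_:) ... | result |
+| simple.swift:76:13:76:29 | ... .&(_:_:) ... | simple.swift:76:22:76:29 | call to source() : | simple.swift:76:13:76:29 | ... .&(_:_:) ... | result |
+| simple.swift:77:13:77:24 | ... .&(_:_:) ... | simple.swift:77:13:77:20 | call to source() : | simple.swift:77:13:77:24 | ... .&(_:_:) ... | result |
+| simple.swift:79:13:79:29 | ... .^(_:_:) ... | simple.swift:79:22:79:29 | call to source() : | simple.swift:79:13:79:29 | ... .^(_:_:) ... | result |
+| simple.swift:80:13:80:24 | ... .^(_:_:) ... | simple.swift:80:13:80:20 | call to source() : | simple.swift:80:13:80:24 | ... .^(_:_:) ... | result |
+| simple.swift:82:13:82:25 | ... .<<(_:_:) ... | simple.swift:82:13:82:20 | call to source() : | simple.swift:82:13:82:25 | ... .<<(_:_:) ... | result |
+| simple.swift:83:13:83:26 | ... .&<<(_:_:) ... | simple.swift:83:13:83:20 | call to source() : | simple.swift:83:13:83:26 | ... .&<<(_:_:) ... | result |
+| simple.swift:84:13:84:25 | ... .>>(_:_:) ... | simple.swift:84:13:84:20 | call to source() : | simple.swift:84:13:84:25 | ... .>>(_:_:) ... | result |
+| simple.swift:85:13:85:26 | ... .&>>(_:_:) ... | simple.swift:85:13:85:20 | call to source() : | simple.swift:85:13:85:26 | ... .&>>(_:_:) ... | result |
+| simple.swift:87:13:87:21 | call to ~(_:) | simple.swift:87:14:87:21 | call to source() : | simple.swift:87:13:87:21 | call to ~(_:) | result |
 | subscript.swift:13:15:13:25 | ...[...] | subscript.swift:13:15:13:22 | call to source() : | subscript.swift:13:15:13:25 | ...[...] | result |
 | subscript.swift:14:15:14:26 | ...[...] | subscript.swift:14:15:14:23 | call to source2() : | subscript.swift:14:15:14:26 | ...[...] | result |
 | try.swift:9:13:9:24 | try ... | try.swift:9:17:9:24 | call to source() : | try.swift:9:13:9:24 | try ... | result |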

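--- a/swift/ql/test/library-tests/dataflow/taint/core/simple.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/core/simple.swift
@@ -24,12 +24,12 @@ func taintThroughArithmetic() {
 
 // overflow operators
 
-sink(arg: 1 &+ source()) // $ MISSING: tainted=
-sink(arg: source() &+ 1) // $ MISSING: tainted=
-sink(arg: 1 &- source()) // $ MISSING: tainted=
-sink(arg: source() &- 1) // $ MISSING: tainted=
-sink(arg: 2 &* source()) // $ MISSING: tainted=
-sink(arg: source() &* 2) // $ MISSING: tainted=
+sink(arg: 1 &+ source()) // $ tainted=27
+sink(arg: source() &+ 1) // $ tainted=28
+sink(arg: 1 &- source()) // $ tainted=29
+sink(arg: source() &- 1) // $ tainted=30
+sink(arg: 2 &* source()) // $ tainted=31
+sink(arg: source() &* 2) // $ tainted=32
 }
 
 func taintThroughAssignmentArithmetic() {
@@ -68,3 +68,21 @@ func taintThroughAssignmentArithmetic() {
 e %= 100
 sink(arg: e) // $ tainted=66
 }
+
+func taintThroughBitwiseOperators() {
+sink(arg: 0 | source()) // $ tainted=73
+sink(arg: source() | 0) // $ tainted=74
+
+sink(arg: 0xffff & source()) // $ tainted=76
+sink(arg: source() & 0xffff) // $ tainted=77
+
+sink(arg: 0xffff ^ source()) // $ tainted=79
+sink(arg: source() ^ 0xffff) // $ tainted=80
+
+sink(arg: source() << 1) // $ tainted=82
+sink(arg: source() &<< 1) // $ tainted=83
+sink(arg: source() >> 1) // $ tainted=84
+sink(arg: source() &>> 1) // $ tainted=85
+
+sink(arg: ~source()) // $ tainted=87
+}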
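Review bot: `taintThroughBitwiseOperators` taints only the left operand of the four shift cases and has no compound-assignment case, although the `|`, `&` and `^` cases in the same function cover both operand positions and the function above it covers assignment operators. The model adds flow from every operand, so a case such as `sink(arg: 1 << source()) // $ tainted=<line>` would pin the shift-count direction, and a sequence like `var a = 0`, `a |= source()`, `sink(arg: a)` would show whether bitwise assignment carries taint or is still a gap to mark `MISSING`. The pointwise operators `.&`, `.|` and `.^` that the library change adds are also not exercised in the lines shown here.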

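--- a/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.expected
+++ b/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.expected
@@ -5,3 +5,6 @@
 | arithmeticoperation.swift:10:6:10:10 | ... .%(_:_:) ... | BinaryArithmeticOperation, RemExpr |
 | arithmeticoperation.swift:11:6:11:7 | call to -(_:) | UnaryArithmeticOperation, UnaryMinusExpr |
 | arithmeticoperation.swift:12:6:12:7 | call to +(_:) | UnaryArithmeticOperation, UnaryPlusExpr |
+| arithmeticoperation.swift:15:6:15:11 | ... .&+(_:_:) ... | AddExpr, BinaryArithmeticOperation |
+| arithmeticoperation.swift:16:6:16:11 | ... .&-(_:_:) ... | BinaryArithmeticOperation, SubExpr |
+| arithmeticoperation.swift:17:6:17:11 | ... .&*(_:_:) ... | BinaryArithmeticOperation, MulExpr |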

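--- a/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.swift
+++ b/swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.swift
@@ -10,4 +10,9 @@ func test(c: Bool, x: Int, y: Int, z: Int) {
 v = x % y;
 v = -x;
 v = +x;
+
+// arithmetic operations with overflow
+v = x &+ y;
+v = x &- y;
+v = x &* y;
 }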
