Merge pull request github#10772 from atorralba/atorralba/swift/subscriptexpr-taint-step

Swift: Add taint step for subscript expressions

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll

@@ -49,6 +49,12 @@ private module Cached {
       ae.getType().getName() = "String"
     )
     or
+    // flow through a subscript access
+    exists(SubscriptExpr se |
+      se.getBase() = nodeFrom.asExpr() and
+      se = nodeTo.asExpr()
+    )
+    or
     // flow through a flow summary (extension of `SummaryModelCsv`)
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, false)
   }

swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected

@@ -123,3 +123,5 @@
 | string.swift:39:13:39:19 | ... .+(_:_:) ... | string.swift:39:13:39:29 | ... .+(_:_:) ... |
 | string.swift:39:19:39:19 | tainted | string.swift:39:13:39:19 | ... .+(_:_:) ... |
 | string.swift:39:29:39:29 | < | string.swift:39:13:39:29 | ... .+(_:_:) ... |
+| subscript.swift:13:10:13:17 | call to source() | subscript.swift:13:10:13:20 | ...[...] |
+| subscript.swift:14:10:14:18 | call to source2() | subscript.swift:14:10:14:21 | ...[...] |

swift/ql/test/library-tests/dataflow/taint/Taint.expected

@@ -10,6 +10,8 @@ edges
 | string.swift:28:17:28:25 | call to source2() :  | string.swift:35:13:35:23 | ... .+(_:_:) ... |
 | string.swift:28:17:28:25 | call to source2() :  | string.swift:36:13:36:23 | ... .+(_:_:) ... |
 | string.swift:28:17:28:25 | call to source2() :  | string.swift:39:13:39:29 | ... .+(_:_:) ... |
+| subscript.swift:13:10:13:17 | call to source() :  | subscript.swift:13:10:13:20 | ...[...] |
+| subscript.swift:14:10:14:18 | call to source2() :  | subscript.swift:14:10:14:21 | ...[...] |
 | try.swift:9:17:9:24 | call to source() :  | try.swift:9:13:9:24 | try ... |
 | try.swift:15:17:15:24 | call to source() :  | try.swift:15:12:15:24 | try! ... |
 | try.swift:18:18:18:25 | call to source() :  | try.swift:18:12:18:27 | ...! |
@@ -65,6 +67,10 @@ nodes
 | string.swift:35:13:35:23 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | string.swift:36:13:36:23 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | string.swift:39:13:39:29 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| subscript.swift:13:10:13:17 | call to source() :  | semmle.label | call to source() :  |
+| subscript.swift:13:10:13:20 | ...[...] | semmle.label | ...[...] |
+| subscript.swift:14:10:14:18 | call to source2() :  | semmle.label | call to source2() :  |
+| subscript.swift:14:10:14:21 | ...[...] | semmle.label | ...[...] |
 | try.swift:9:13:9:24 | try ... | semmle.label | try ... |
 | try.swift:9:17:9:24 | call to source() :  | semmle.label | call to source() :  |
 | try.swift:15:12:15:24 | try! ... | semmle.label | try! ... |
@@ -115,6 +121,8 @@ subpaths
 | string.swift:35:13:35:23 | ... .+(_:_:) ... | string.swift:28:17:28:25 | call to source2() :  | string.swift:35:13:35:23 | ... .+(_:_:) ... | result |
 | string.swift:36:13:36:23 | ... .+(_:_:) ... | string.swift:28:17:28:25 | call to source2() :  | string.swift:36:13:36:23 | ... .+(_:_:) ... | result |
 | string.swift:39:13:39:29 | ... .+(_:_:) ... | string.swift:28:17:28:25 | call to source2() :  | string.swift:39:13:39:29 | ... .+(_:_:) ... | result |
+| subscript.swift:13:10:13:20 | ...[...] | subscript.swift:13:10:13:17 | call to source() :  | subscript.swift:13:10:13:20 | ...[...] | result |
+| subscript.swift:14:10:14:21 | ...[...] | subscript.swift:14:10:14:18 | call to source2() :  | subscript.swift:14:10:14:21 | ...[...] | result |
 | try.swift:9:13:9:24 | try ... | try.swift:9:17:9:24 | call to source() :  | try.swift:9:13:9:24 | try ... | result |
 | try.swift:15:12:15:24 | try! ... | try.swift:15:17:15:24 | call to source() :  | try.swift:15:12:15:24 | try! ... | result |
 | try.swift:18:12:18:27 | ...! | try.swift:18:18:18:25 | call to source() :  | try.swift:18:12:18:27 | ...! | result |

swift/ql/test/library-tests/dataflow/taint/subscript.swift

@@ -0,0 +1,15 @@
+class SubscriptTest {
+    subscript(index: Int) -> String {
+        get { return "" }
+        set(newValue) {}
+    }
+}
+
+func source() -> Array<String> { return [""] }
+func source2() -> SubscriptTest { return SubscriptTest() }
+func sink(arg: String) {}
+
+func test() {
+    sink(source()[0]) // $ tainted=13
+    sink(source2()[0]) // $ tainted=14
+}