Swift: Detect String -> NSString results.

Author: geoffw0

swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql

@@ -30,6 +30,14 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
       node.asExpr() = member and
       flowstate = "String"
     )
+    or
+    // result of a call to to `NSString.length`
+    exists(MemberRefExpr member |
+      member.getBaseExpr().getType().getName() = ["NSString", "NSMutableString"] and
+      member.getMember().(VarDecl).getName() = "length" and
+      node.asExpr() = member and
+      flowstate = "NSString"
+    )
   }
 
   override predicate isSink(DataFlow::Node node, string flowstate) {
@@ -83,6 +91,27 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
       call.getArgument(pragma[only_bind_into](arg)).getExpr() = node.asExpr() and
       flowstate = "String" // `String` length flowing into `NSString`
     )
+    or
+    // arguments to function calls...
+    exists(string funcName, string paramName, CallExpr call, int arg |
+      (
+        // `dropFirst`, `dropLast`, `removeFirst`, `removeLast`
+        funcName = ["dropFirst(_:)", "dropLast(_:)", "removeFirst(_:)", "removeLast(_:)"] and
+        paramName = "k"
+        or
+        // `prefix`, `suffix`
+        funcName = ["prefix(_:)", "suffix(_:)"] and
+        paramName = "maxLength"
+      ) and
+      call.getFunction().(ApplyExpr).getStaticTarget().getName() = funcName and
+      call.getFunction()
+          .(ApplyExpr)
+          .getStaticTarget()
+          .getParam(pragma[only_bind_into](arg))
+          .getName() = paramName and
+      call.getArgument(pragma[only_bind_into](arg)).getExpr() = node.asExpr() and
+      flowstate = "NSString" // `NSString` length flowing into `String`
+    )
   }
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {

swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected

@@ -1,4 +1,10 @@
 edges
+| StringLengthConflation.swift:93:28:93:31 | .length :  | StringLengthConflation.swift:93:28:93:40 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:97:27:97:30 | .length :  | StringLengthConflation.swift:97:27:97:39 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:101:25:101:28 | .length :  | StringLengthConflation.swift:101:25:101:37 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:105:25:105:28 | .length :  | StringLengthConflation.swift:105:25:105:37 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:111:23:111:26 | .length :  | StringLengthConflation.swift:111:23:111:35 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:117:22:117:25 | .length :  | StringLengthConflation.swift:117:22:117:34 | ... call to -(_:_:) ... |
 | StringLengthConflation.swift:122:34:122:36 | .count :  | StringLengthConflation.swift:122:34:122:44 | ... call to -(_:_:) ... |
 | StringLengthConflation.swift:123:36:123:38 | .count :  | StringLengthConflation.swift:123:36:123:46 | ... call to -(_:_:) ... |
 | StringLengthConflation.swift:128:36:128:38 | .count :  | StringLengthConflation.swift:128:36:128:46 | ... call to -(_:_:) ... |
@@ -9,6 +15,18 @@ edges
 nodes
 | StringLengthConflation.swift:72:33:72:35 | .count | semmle.label | .count |
 | StringLengthConflation.swift:78:47:78:49 | .count | semmle.label | .count |
+| StringLengthConflation.swift:93:28:93:31 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:93:28:93:40 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:97:27:97:30 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:97:27:97:39 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:101:25:101:28 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:101:25:101:37 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:105:25:105:28 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:105:25:105:37 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:111:23:111:26 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:111:23:111:35 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:117:22:117:25 | .length :  | semmle.label | .length :  |
+| StringLengthConflation.swift:117:22:117:34 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
 | StringLengthConflation.swift:122:34:122:36 | .count :  | semmle.label | .count :  |
 | StringLengthConflation.swift:122:34:122:44 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
 | StringLengthConflation.swift:123:36:123:38 | .count :  | semmle.label | .count :  |
@@ -27,6 +45,12 @@ subpaths
 #select
 | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:93:28:93:40 | ... call to -(_:_:) ... | StringLengthConflation.swift:93:28:93:31 | .length :  | StringLengthConflation.swift:93:28:93:40 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
+| StringLengthConflation.swift:97:27:97:39 | ... call to -(_:_:) ... | StringLengthConflation.swift:97:27:97:30 | .length :  | StringLengthConflation.swift:97:27:97:39 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
+| StringLengthConflation.swift:101:25:101:37 | ... call to -(_:_:) ... | StringLengthConflation.swift:101:25:101:28 | .length :  | StringLengthConflation.swift:101:25:101:37 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
+| StringLengthConflation.swift:105:25:105:37 | ... call to -(_:_:) ... | StringLengthConflation.swift:105:25:105:28 | .length :  | StringLengthConflation.swift:105:25:105:37 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
+| StringLengthConflation.swift:111:23:111:35 | ... call to -(_:_:) ... | StringLengthConflation.swift:111:23:111:26 | .length :  | StringLengthConflation.swift:111:23:111:35 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
+| StringLengthConflation.swift:117:22:117:34 | ... call to -(_:_:) ... | StringLengthConflation.swift:117:22:117:25 | .length :  | StringLengthConflation.swift:117:22:117:34 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
 | StringLengthConflation.swift:122:34:122:44 | ... call to -(_:_:) ... | StringLengthConflation.swift:122:34:122:36 | .count :  | StringLengthConflation.swift:122:34:122:44 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:123:36:123:46 | ... call to -(_:_:) ... | StringLengthConflation.swift:123:36:123:38 | .count :  | StringLengthConflation.swift:123:36:123:46 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:128:36:128:46 | ... call to -(_:_:) ... | StringLengthConflation.swift:128:36:128:38 | .count :  | StringLengthConflation.swift:128:36:128:46 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |

swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.swift

@@ -90,31 +90,31 @@ func test(s: String) {
     // --- String operations using an integer directly ---
 
     let str1 = s.dropFirst(s.count - 1) // GOOD
-    let str2 = s.dropFirst(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    let str2 = s.dropFirst(ns.length - 1) // BAD: NSString length used in String
     print("dropFirst '\(str1)' / '\(str2)'")
 
     let str3 = s.dropLast(s.count - 1) // GOOD
-    let str4 = s.dropLast(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    let str4 = s.dropLast(ns.length - 1) // BAD: NSString length used in String
     print("dropLast '\(str3)' / '\(str4)'")
 
     let str5 = s.prefix(s.count - 1) // GOOD
-    let str6 = s.prefix(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    let str6 = s.prefix(ns.length - 1) // BAD: NSString length used in String
     print("prefix '\(str5)' / '\(str6)'")
 
     let str7 = s.suffix(s.count - 1) // GOOD
-    let str8 = s.suffix(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    let str8 = s.suffix(ns.length - 1) // BAD: NSString length used in String
     print("suffix '\(str7)' / '\(str8)'")
 
     var str9 = s
     str9.removeFirst(s.count - 1) // GOOD
     var str10 = s
-    str10.removeFirst(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    str10.removeFirst(ns.length - 1) // BAD: NSString length used in String
     print("removeFirst '\(str9)' / '\(str10)'")
 
     var str11 = s
     str11.removeLast(s.count - 1) // GOOD
     var str12 = s
-    str12.removeLast(ns.length - 1) // BAD: NSString length used in String [NOT DETECTED]
+    str12.removeLast(ns.length - 1) // BAD: NSString length used in String
     print("removeLast '\(str11)' / '\(str12)'")
 
     let nstr1 = ns.character(at: ns.length - 1) // GOOD