Swift: Use dataflow.

geoffw0 · geoffw0 · commit da7f49155d20 · 2022-06-22T19:16:09.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql b/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
@@ -11,8 +11,10 @@
  */
 
 import swift
+import codeql.swift.dataflow.DataFlow
+import DataFlow::PathGraph
 
-predicate isSource(Expr e) {
+predicate isSource0(Expr e) {
   // result of a call to to `String.count`
   exists(MemberRefExpr member |
     member.getBaseExpr().getType().toString() = "String" and // TODO: use of toString
@@ -22,7 +24,7 @@ predicate isSource(Expr e) {
   // TODO: other sources such as NSString.length, with different set of sinks
 }
 
-predicate isSink(Expr e) {
+predicate isSink0(Expr e) {
   // arguments to method calls...
   exists(
     string className, string methodName, string argName, ClassDecl c, AbstractFunctionDecl f,
@@ -75,13 +77,18 @@ predicate isSink(Expr e) {
   )
 }
 
-string describe(Element e) {
-  isSource(e) and result = "isSource"
-  or
-  isSink(e) and result = "isSink"
-  or
-  isSource(e) and isSink(e) and result = "***RESULT***"
+class StringLengthConflationConfiguration extends DataFlow::Configuration {
+  StringLengthConflationConfiguration() { this = "StringLengthConflationConfiguration" }
+
+  override predicate isSource(DataFlow::Node node, string flowstate) {
+    isSource0(node.asExpr()) and flowstate = "String"
+  }
+
+  override predicate isSink(DataFlow::Node node, string flowstate) {
+    isSink0(node.asExpr()) and flowstate = "String"
+  }
 }
 
-from Locatable e
-select e.getLocation(), e, strictconcat(describe(e), ", ")
+from StringLengthConflationConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink, "RESULT"
diff --git a/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected b/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected
@@ -1,45 +1,6 @@
-| StringLengthConflation.swift:10:37:10:44 | Location | StringLengthConflation.swift:10:37:10:44 | .count | isSource |
-| StringLengthConflation.swift:21:37:21:44 | Location | StringLengthConflation.swift:21:37:21:44 | .count | isSource |
-| StringLengthConflation.swift:38:80:38:80 | Location | StringLengthConflation.swift:38:80:38:80 | loc | isSink |
-| StringLengthConflation.swift:38:93:38:93 | Location | StringLengthConflation.swift:38:93:38:93 | len | isSink |
-| StringLengthConflation.swift:47:20:47:22 | Location | StringLengthConflation.swift:47:20:47:22 | .count | isSource |
-| StringLengthConflation.swift:52:43:52:45 | Location | StringLengthConflation.swift:52:43:52:45 | .count | isSource |
-| StringLengthConflation.swift:59:47:59:49 | Location | StringLengthConflation.swift:59:47:59:49 | .count | isSource |
-| StringLengthConflation.swift:64:33:64:35 | Location | StringLengthConflation.swift:64:33:64:35 | .count | isSource |
-| StringLengthConflation.swift:71:30:71:30 | Location | StringLengthConflation.swift:71:30:71:30 | 0 | isSink |
-| StringLengthConflation.swift:71:33:71:36 | Location | StringLengthConflation.swift:71:33:71:36 | .length | isSink |
-| StringLengthConflation.swift:72:30:72:30 | Location | StringLengthConflation.swift:72:30:72:30 | 0 | isSink |
-| StringLengthConflation.swift:72:33:72:35 | Location | StringLengthConflation.swift:72:33:72:35 | .count | ***RESULT***, isSink, isSource |
-| StringLengthConflation.swift:73:30:73:30 | Location | StringLengthConflation.swift:73:30:73:30 | 0 | isSink |
-| StringLengthConflation.swift:73:33:73:46 | Location | StringLengthConflation.swift:73:33:73:46 | .count | isSink |
-| StringLengthConflation.swift:74:30:74:30 | Location | StringLengthConflation.swift:74:30:74:30 | 0 | isSink |
-| StringLengthConflation.swift:74:33:74:78 | Location | StringLengthConflation.swift:74:33:74:78 | call to ... | isSink |
-| StringLengthConflation.swift:77:36:77:36 | Location | StringLengthConflation.swift:77:36:77:36 | 0 | isSink |
-| StringLengthConflation.swift:77:47:77:50 | Location | StringLengthConflation.swift:77:47:77:50 | .length | isSink |
-| StringLengthConflation.swift:78:36:78:36 | Location | StringLengthConflation.swift:78:36:78:36 | 0 | isSink |
-| StringLengthConflation.swift:78:47:78:49 | Location | StringLengthConflation.swift:78:47:78:49 | .count | ***RESULT***, isSink, isSource |
-| StringLengthConflation.swift:83:28:83:30 | Location | StringLengthConflation.swift:83:28:83:30 | .count | isSource |
-| StringLengthConflation.swift:87:27:87:29 | Location | StringLengthConflation.swift:87:27:87:29 | .count | isSource |
-| StringLengthConflation.swift:91:25:91:27 | Location | StringLengthConflation.swift:91:25:91:27 | .count | isSource |
-| StringLengthConflation.swift:95:25:95:27 | Location | StringLengthConflation.swift:95:25:95:27 | .count | isSource |
-| StringLengthConflation.swift:99:34:99:46 | Location | StringLengthConflation.swift:99:34:99:46 | ... call to - ... | isSink |
-| StringLengthConflation.swift:100:36:100:49 | Location | StringLengthConflation.swift:100:36:100:49 | ... call to - ... | isSink |
-| StringLengthConflation.swift:101:34:101:36 | Location | StringLengthConflation.swift:101:34:101:36 | .count | isSource |
-| StringLengthConflation.swift:101:34:101:44 | Location | StringLengthConflation.swift:101:34:101:44 | ... call to - ... | isSink |
-| StringLengthConflation.swift:102:36:102:38 | Location | StringLengthConflation.swift:102:36:102:38 | .count | isSource |
-| StringLengthConflation.swift:102:36:102:46 | Location | StringLengthConflation.swift:102:36:102:46 | ... call to - ... | isSink |
-| StringLengthConflation.swift:105:36:105:48 | Location | StringLengthConflation.swift:105:36:105:48 | ... call to - ... | isSink |
-| StringLengthConflation.swift:106:38:106:51 | Location | StringLengthConflation.swift:106:38:106:51 | ... call to - ... | isSink |
-| StringLengthConflation.swift:107:36:107:38 | Location | StringLengthConflation.swift:107:36:107:38 | .count | isSource |
-| StringLengthConflation.swift:107:36:107:46 | Location | StringLengthConflation.swift:107:36:107:46 | ... call to - ... | isSink |
-| StringLengthConflation.swift:108:38:108:40 | Location | StringLengthConflation.swift:108:38:108:40 | .count | isSource |
-| StringLengthConflation.swift:108:38:108:48 | Location | StringLengthConflation.swift:108:38:108:48 | ... call to - ... | isSink |
-| StringLengthConflation.swift:111:34:111:46 | Location | StringLengthConflation.swift:111:34:111:46 | ... call to - ... | isSink |
-| StringLengthConflation.swift:112:36:112:49 | Location | StringLengthConflation.swift:112:36:112:49 | ... call to - ... | isSink |
-| StringLengthConflation.swift:113:34:113:36 | Location | StringLengthConflation.swift:113:34:113:36 | .count | isSource |
-| StringLengthConflation.swift:113:34:113:44 | Location | StringLengthConflation.swift:113:34:113:44 | ... call to - ... | isSink |
-| StringLengthConflation.swift:114:36:114:38 | Location | StringLengthConflation.swift:114:36:114:38 | .count | isSource |
-| StringLengthConflation.swift:114:36:114:46 | Location | StringLengthConflation.swift:114:36:114:46 | ... call to - ... | isSink |
-| StringLengthConflation.swift:118:28:118:41 | Location | StringLengthConflation.swift:118:28:118:41 | ... call to - ... | isSink |
-| StringLengthConflation.swift:120:28:120:30 | Location | StringLengthConflation.swift:120:28:120:30 | .count | isSource |
-| StringLengthConflation.swift:120:28:120:38 | Location | StringLengthConflation.swift:120:28:120:38 | ... call to - ... | isSink |
+edges
+nodes
+| StringLengthConflation.swift:78:47:78:49 | .count | semmle.label | .count |
+subpaths
+#select
+| StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | RESULT |
