Merge pull request #11378 from atorralba/atorralba/swift/nsdata-models

Swift: Add models for NSData and NSMutableData

Author: atorralba

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -81,6 +81,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.CustomUrlSchemes
   private import codeql.swift.frameworks.StandardLibrary.Data
   private import codeql.swift.frameworks.StandardLibrary.InputStream
+  private import codeql.swift.frameworks.StandardLibrary.NSData
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NSData.qll

@@ -0,0 +1,91 @@
+/** Provides classes and models to work with `NSData`-related objects. */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/** The class `NSData`. */
+class NsData extends ClassDecl {
+  NsData() { this.getFullName() = "NSData" }
+}
+
+/** The class `NSMutableData`. */
+class NsMutableData extends ClassDecl {
+  NsMutableData() { this.getFullName() = "NSMutableData" }
+}
+
+private class NsDataSources extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";NSData;true;init(contentsOf:);;;ReturnValue;remote",
+        ";NSData;true;init(contentsOf:options:);;;ReturnValue;remote"
+      ]
+  }
+}
+
+private class NsDataSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";NSData;true;init(bytes:length:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(bytesNoCopy:length:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(bytesNoCopy:length:deallocator:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(bytesNoCopy:length:freeWhenDone:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(data:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(contentsOfFile:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(contentsOfFile:options:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(contentsOf:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(contentsOf:options:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(contentsOfMappedFile:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(base64Encoded:options:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;init(base64Encoding:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;base64EncodedData(options:);;;Argument[-1];ReturnValue;taint",
+        ";NSData;true;base64EncodedString(options:);;;Argument[-1];ReturnValue;taint",
+        ";NSData;true;base64Encoding();;;Argument[-1];ReturnValue;taint",
+        ";NSData;true;dataWithContentsOfMappedFile(_:);;;Argument[0];ReturnValue;taint",
+        ";NSData;true;enumerateBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";NSData;true;getBytes(_:);;;Argument[-1];Argument[0];taint",
+        ";NSData;true;getBytes(_:length:);;;Argument[-1];Argument[0];taint",
+        ";NSData;true;getBytes(_:range:);;;Argument[-1];Argument[0];taint",
+        ";NSData;true;subdata(with:);;;Argument[-1];ReturnValue;taint",
+        ";NSData;true;compressed(using:);;;Argument[-1];ReturnValue;taint",
+        ";NSData;true;decompressed(using:);;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+private class NsMutableDataSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";NSMutableData;true;append(_:length:);;;Argument[0];Argument[-1];taint",
+        ";NSMutableData;true;append(_:);;;Argument[0];Argument[-1];taint",
+        ";NSMutableData;true;replaceBytes(in:withBytes:);;;Argument[1];Argument[-1];taint",
+        ";NSMutableData;true;replaceBytes(in:withBytes:length:);;;Argument[1];Argument[-1];taint",
+        ";NSMutableData;true;setData(_:);;;Argument[0];Argument[-1];taint",
+      ]
+  }
+}
+
+/** A content implying that, if a `NSData` object is tainted, some of its fields are also tainted. */
+private class NsDataTaintedFields extends TaintInheritingContent, DataFlow::Content::FieldContent {
+  NsDataTaintedFields() {
+    exists(FieldDecl f | this.getField() = f |
+      f.getEnclosingDecl() instanceof NsData and
+      f.getName() = ["bytes", "description"]
+    )
+  }
+}
+
+/** A content implying that, if a `NSMutableData` object is tainted, some of its fields are also tainted. */
+private class NsMutableDataTaintedFields extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  NsMutableDataTaintedFields() {
+    exists(FieldDecl f | this.getField() = f |
+      f.getEnclosingDecl() instanceof NsMutableData and
+      f.getName() = "mutableBytes"
+    )
+  }
+}

swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected

@@ -3,6 +3,10 @@
 | customurlschemes.swift:38:52:38:62 | url | external |
 | customurlschemes.swift:43:9:43:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
 | customurlschemes.swift:48:9:48:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
+| nsdata.swift:18:17:18:17 | call to init(contentsOf:) | external |
+| nsdata.swift:18:17:18:40 | call to init(contentsOf:) | external |
+| nsdata.swift:19:17:19:17 | call to init(contentsOf:options:) | external |
+| nsdata.swift:19:17:19:53 | call to init(contentsOf:options:) | external |
 | string.swift:56:21:56:21 | call to init(contentsOf:) | external |
 | string.swift:56:21:56:44 | call to init(contentsOf:) | external |
 | string.swift:57:21:57:21 | call to init(contentsOf:encoding:) | external |

swift/ql/test/library-tests/dataflow/flowsources/nsdata.swift

@@ -0,0 +1,20 @@
+// --- stubs ---
+
+struct URL
+{
+	init?(string: String) {}
+}
+
+class NSData {
+    struct ReadingOptions : OptionSet { let rawValue: Int }
+    init?(contentsOf: URL) {}
+    init?(contentsOf: URL, options: NSData.ReadingOptions) {}
+}
+
+// --- tests ---
+
+func testNSData() {
+    let url = URL(string: "http://example.com/")
+    let _ = try NSData(contentsOf: url!) // SOURCE
+    let _ = try NSData(contentsOf: url!, options: []) // SOURCE
+}

swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected

@@ -1,3 +1,6 @@
+| nsdata.swift:139:15:139:15 | nsDataTainted24 | nsdata.swift:139:15:139:31 | .bytes |
+| nsdata.swift:140:15:140:15 | nsDataTainted24 | nsdata.swift:140:15:140:31 | .description |
+| nsmutabledata.swift:49:15:49:15 | nsMutableDataTainted6 | nsmutabledata.swift:49:15:49:37 | .mutableBytes |
 | string.swift:7:13:7:13 |  | string.swift:7:13:7:13 | [post]  |
 | string.swift:7:13:7:13 |  | string.swift:7:14:7:14 | [post] &... |
 | string.swift:7:13:7:13 | TapExpr | string.swift:7:13:7:13 | "..." |