Merge pull request #13980 from geoffw0/logfix

Swift: Improvements related to the swift/cleartext-logging query.

Author: geoffw0

swift/ql/.generated.list

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added flow through variadic arguments, and the `getVaList` function.

swift/ql/.gitattributes

@@ -221,6 +221,9 @@ private module Cached {
     // flow through unary `+` (which does nothing)
     nodeFrom.asExpr() = nodeTo.asExpr().(UnaryPlusExpr).getOperand()
     or
+    // flow through varargs expansions (that wrap an `ArrayExpr` where varargs enter a call)
+    nodeFrom.asExpr() = nodeTo.asExpr().(VarargExpansionExpr).getSubExpr()
+    or
     // flow through nil-coalescing operator `??`
     exists(BinaryExpr nco |
       nco.getOperator().(FreeFunction).getName() = "??(_:_:)" and
@@ -966,7 +969,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     node2.(KeyPathReturnNodeImpl).getKeyPathExpr() = component.getKeyPathExpr()
   )
   or
-  // read of an array member via subscript operator
+  // read of array or collection content via subscript operator
   exists(SubscriptExpr subscript |
     subscript.getBase() = node1.asExpr() and
     subscript = node2.asExpr() and

swift/ql/lib/change-notes/2023-08-16-varargs.md

@@ -1,4 +1,12 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.VariadicSequenceType
 
+/**
+ * A variadic sequence type, that is, an array-like type that holds
+ * variadic arguments. For example the type `Int...` of `args` in:
+ * ```
+ * func myVarargsFunction(args: Int...) {
+ *   ...
+ * }
+ * ```
+ */
 class VariadicSequenceType extends Generated::VariadicSequenceType { }

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -0,0 +1,12 @@
+/**
+ * Provides models for Swift "C Interoperability" functions.
+ */
+
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+private class CInteropSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";;false;getVaList(_:);;;Argument[0].ArrayElement;ReturnValue;value"
+  }
+}

swift/ql/lib/codeql/swift/elements/type/VariadicSequenceType.qll

@@ -3,6 +3,7 @@
  */
 
 private import Array
+private import CInterop
 private import Collection
 private import CustomUrlSchemes
 private import Data

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CInterop.qll

@@ -97,14 +97,17 @@ private class LoggingSinks extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        ";;false;print(_:separator:terminator:);;;Argument[0].ArrayElement;log-injection",
-        ";;false;print(_:separator:terminator:);;;Argument[1..2];log-injection",
-        ";;false;print(_:separator:terminator:toStream:);;;Argument[0].ArrayElement;log-injection",
-        ";;false;print(_:separator:terminator:toStream:);;;Argument[1..2];log-injection",
-        ";;false;NSLog(_:_:);;;Argument[0];log-injection",
-        ";;false;NSLog(_:_:);;;Argument[1].ArrayElement;log-injection",
-        ";;false;NSLogv(_:_:);;;Argument[0];log-injection",
-        ";;false;NSLogv(_:_:);;;Argument[1].ArrayElement;log-injection",
+        ";;false;print(_:separator:terminator:);;;Argument[0..2];log-injection",
+        ";;false;print(_:separator:terminator:toStream:);;;Argument[0..2];log-injection",
+        ";;false;print(_:separator:terminator:to:);;;Argument[0..2];log-injection",
+        ";;false;debugPrint(_:separator:terminator:);;;Argument[0..2];log-injection",
+        ";;false;debugPrint(_:separator:terminator:to:);;;Argument[0..2];log-injection",
+        ";;false;dump(_:name:indent:maxDepth:maxItems:);;;Argument[0..1];log-injection",
+        ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[0];log-injection",
+        ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[2];log-injection",
+        ";;false;fatalError(_:file:line:);;;Argument[0];log-injection",
+        ";;false;NSLog(_:_:);;;Argument[0..1];log-injection",
+        ";;false;NSLogv(_:_:);;;Argument[0..1];log-injection",
         ";;false;vfprintf(_:_:_:);;;Agument[1..2];log-injection",
         ";Logger;true;log(_:);;;Argument[0];log-injection",
         ";Logger;true;log(level:_:);;;Argument[1];log-injection",

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll

@@ -25,6 +25,12 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from collection content at the sink.
+    isSink(node) and
+    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added new logging sinks to the `swift/cleartext-logging` query.