Merge pull request #14683 from geoffw0/nsstringclosure

Swift: Model NSString.enumerate*

Author: rdmarsh2

swift/ql/lib/change-notes/2023-11-03-nsstring.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow models for the `NSString.enumerate*` methods.

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsString.qll

@@ -83,7 +83,7 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;lowercased(with:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;uppercased(with:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;capitalized(with:);;;Argument[-1];ReturnValue;taint",
-        ";NSString;true;components(separatedBy:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;components(separatedBy:);;;Argument[-1];ReturnValue.CollectionElement;taint",
         ";NSString;true;trimmingCharacters(in:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;substring(from:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;substring(with:);;;Argument[-1];ReturnValue;taint",
@@ -102,14 +102,15 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;stringEncoding(for:encodingOptions:convertedString:usedLossyCompression:);;;Argument[0];Argument[2];taint",
         ";NSString;true;data(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;data(using:allowLossyConversion:);;;Argument[-1];ReturnValue;taint",
-        ";NSString;true;path(withComponents:);;;Argument[0];ReturnValue;taint",
+        ";NSString;true;path(withComponents:);;;Argument[0].CollectionElement;ReturnValue;taint",
         ";NSString;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[0];taint",
         ";NSString;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[2];taint",
         ";NSString;true;getFileSystemRepresentation(_:maxLength:);;;Argument[-1];Argument[0];taint",
         ";NSString;true;appendingPathComponent(_:);;;Argument[-1..0];ReturnValue;taint",
         ";NSString;true;appendingPathComponent(_:conformingTo:);;;Argument[-1..0];ReturnValue;taint",
         ";NSString;true;appendingPathExtension(_:);;;Argument[-1..0];ReturnValue;taint",
-        ";NSString;true;strings(byAppendingPaths:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSString;true;strings(byAppendingPaths:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;strings(byAppendingPaths:);;;Argument[0].CollectionElement;ReturnValue;taint",
         ";NSString;true;addingPercentEncoding(withAllowedCharacters:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;string(withCString:);;;Argument[0];ReturnValue;taint",
         ";NSString;true;string(withCString:length:);;;Argument[0];ReturnValue;taint",
@@ -118,6 +119,10 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;addingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;replacingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;applyTransform(_:reverse:range:updatedRange:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;enumerateLines(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";NSString;true;enumerateSubstrings(in:options:using:);;;Argument[-1];Argument[2].Parameter[0].OptionalSome;taint",
+        ";NSString;true;enumerateSubstrings(in:options:using:);;;Argument[2].Parameter[0].OptionalSome;Argument[-1];taint",
+        ";NSString;true;enumerateLinguisticTags(in:scheme:options:orthography:using:);;;Argument[-1];Argument[4].Parameter[0].OptionalSome;taint",
         ";NSMutableString;true;append(_:);;;Argument[0];Argument[-1];taint",
         ";NSMutableString;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
         ";NSMutableString;true;replaceCharacters(in:with:);;;Argument[1];Argument[-1];taint",

swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift

@@ -25,8 +25,8 @@ protocol NSMutableCopying {
 
 class NSString : NSObject, NSCopying, NSMutableCopying {
   struct EncodingConversionOptions : OptionSet { let rawValue: Int }
-
   struct CompareOptions : OptionSet { let rawValue: Int }
+  struct EnumerationOptions : OptionSet { let rawValue: Int }
 
   init(characters: UnsafePointer<unichar>, length: Int) {}
   init(charactersNoCopy characters: UnsafeMutablePointer<unichar>, length: Int, freeWhenDone freeBuffer: Bool) {}
@@ -83,6 +83,7 @@ class NSString : NSObject, NSCopying, NSMutableCopying {
   func folding(options: NSString.CompareOptions = [], locale: Locale?) -> String { return "" }
   func applyingTransform(_ transform: StringTransform, reverse: Bool) -> String? { return "" }
   func enumerateLines(_ block: @escaping (String, UnsafeMutablePointer<ObjCBool>) -> Void) { }
+  func enumerateSubstrings(in range: NSRange, options opts: NSString.EnumerationOptions = [], using block: @escaping (String?, NSRange, NSRange, UnsafeMutablePointer<ObjCBool>) -> Void) { }
   func replacingOccurrences(of target: String, with replacement: String) -> String { return "" }
   func replacingOccurrences(of target: String, with replacement: String, options: NSString.CompareOptions = [], range searchRange: NSRange) -> String { return "" }
   func propertyList() -> Any { return 0 }
@@ -136,8 +137,7 @@ class NSMutableString : NSString {
   func setString(_ aString: String) {}
 }
 
-class NSArray : NSObject {
-}
+class NSArray : NSObject { }
 
 struct _NSRange {
   init(location: Int, length: Int) {}
@@ -275,8 +275,8 @@ func taintThroughInterpolatedStrings() {
   sink(arg: sourceNSString().replacingOccurrences(of: "a", with: "b", range: NSRange(location: 0, length: 10))) // $ tainted=275
   sink(arg: harmless.replacingOccurrences(of: "a", with: sourceString(), range: NSRange(location: 0, length: 10))) // $ tainted=276
   sink(arg: NSString.path(withComponents: ["a", "b", "c"]))
-  sink(arg: NSString.path(withComponents: sourceStringArray())) // $ tainted=278
-  sink(arg: NSString.path(withComponents: ["a", sourceString(), "c"])) // $ MISSING: tainted=
+  sink(arg: NSString.path(withComponents: sourceStringArray())) // $ MISSING: tainted=278
+  sink(arg: NSString.path(withComponents: ["a", sourceString(), "c"])) // $ tainted=279
   sink(arg: NSString.string(withCString: sourceCString())) // $ tainted=280
   sink(arg: NSString.string(withCString: sourceCString(), length: 128)) // $ tainted=281
   sink(arg: NSString.string(withContentsOfFile: sourceString())) // $ tainted=282
@@ -306,8 +306,8 @@ func taintThroughInterpolatedStrings() {
 
   sink(arg: harmless.strings(byAppendingPaths: [""]))
   sink(arg: harmless.strings(byAppendingPaths: [""])[0])
-  sink(arg: harmless.strings(byAppendingPaths: [sourceString()])) // $ MISSING: tainted=
-  sink(arg: harmless.strings(byAppendingPaths: [sourceString()])[0]) // $ MISSING: tainted=
+  sink(arg: harmless.strings(byAppendingPaths: [sourceString()])) // $ tainted=309
+  sink(arg: harmless.strings(byAppendingPaths: [sourceString()])[0]) // $ tainted=310
   sink(arg: sourceNSString().strings(byAppendingPaths: [""])) // $ tainted=311
   sink(arg: sourceNSString().strings(byAppendingPaths: [""])[0]) // $ tainted=312
 
@@ -355,7 +355,7 @@ func taintThroughInterpolatedStrings() {
   }))
   sink(arg: sourceNSString().enumerateLines({
     line, stop in
-    sink(arg: line) // $ MISSING: tainted=
+    sink(arg: line) // $ tainted=356
     sink(arg: stop)
   }))
 
@@ -485,3 +485,13 @@ func taintThroughData() {
   let str2 = NSString(data: data1, encoding: 0)!
   sink(arg: str2) // $ tainted=482
 }
+
+func moreTests() {
+  let myTainted = sourceNSString()
+  let myRange = NSRange(location:0, length: 128)
+
+  sink(arg: myTainted.enumerateSubstrings(in: myRange, options: [], using: {
+    substring, substringRange, enclosingRange, stop in
+    sink(arg: substring!) // $ tainted=490
+  }))
+}