Swift: Expand a test to explore why it fails (lack of pointer models and closure capture flow).

geoffw0 · geoffw0 · commit a5206028b085 · 2023-10-24T16:17:21.000+01:00
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -449,26 +449,38 @@ func taintFromUInt8Array() {
   var cleanUInt8Values: [UInt8] = [0x41, 0x42, 0x43, 0] // "ABC"
   var taintedUInt8Values: [UInt8] = [source4()]
 
-  sink(arg: String(unsafeUninitializedCapacity: 256, initializingUTF8With: {
+  sink(arg: taintedUInt8Values[0]) // $ tainted=450
+  let r1 = String(unsafeUninitializedCapacity: 256, initializingUTF8With: {
     (buffer: UnsafeMutableBufferPointer<UInt8>) -> Int in
       sink(arg: buffer[0])
       let _ = buffer.initialize(from: cleanUInt8Values)
       sink(arg: buffer[0])
       return 3
     }
-  ))
-  sink(arg: String(unsafeUninitializedCapacity: 256, initializingUTF8With: { // $ MISSING: tainted=450
+  )
+  sink(arg: r1)
+  let r2 = String(unsafeUninitializedCapacity: 256, initializingUTF8With: {
     (buffer: UnsafeMutableBufferPointer<UInt8>) -> Int in
       sink(arg: buffer[0])
+      sink(arg: taintedUInt8Values[0]) // $ MISSING: tainted=450
       let _ = buffer.initialize(from: taintedUInt8Values)
       sink(arg: buffer[0]) // $ MISSING: tainted=450
       return 256
     }
-  ))
+  )
+  sink(arg: r2) // $ MISSING: tainted=450
+  let r3 = String(unsafeUninitializedCapacity: 256, initializingUTF8With: {
+    (buffer: UnsafeMutableBufferPointer<UInt8>) -> Int in
+      sink(arg: buffer[0])
+      buffer.update(repeating: source4())
+      sink(arg: buffer[0]) // $ tainted=475
+      return 256
+    }
+  )
+  sink(arg: r3) // $ MISSING: tainted=475
 
   sink(arg: String(bytes: cleanUInt8Values, encoding: String.Encoding.utf8)!)
   sink(arg: String(bytes: taintedUInt8Values, encoding: String.Encoding.utf8)!) // $ tainted=450
-
   sink(arg: String(cString: cleanUInt8Values))
   sink(arg: String(cString: taintedUInt8Values)) // $ tainted=450
 
@@ -484,7 +496,6 @@ func taintFromUInt8Array() {
     sink(arg: buffer.baseAddress!) // $ MISSING: tainted=450
     sink(arg: String(cString: buffer.baseAddress!)) // $ MISSING: tainted=450
   })
-
   try! cleanUInt8Values.withUnsafeMutableBytes({
     (buffer: UnsafeMutableRawBufferPointer) throws in
     sink(arg: buffer[0])
@@ -515,15 +526,15 @@ func taintThroughCCharArray() {
   })
   taintedCCharValues.withUnsafeBufferPointer({
     ptr in
-    sink(arg: ptr[0]) // $ tainted=506
-    sink(arg: ptr.baseAddress!) // $ MISSING: tainted=506
-    sink(arg: String(utf8String: ptr.baseAddress!)!) // $ MISSING: tainted=506
-    sink(arg: String(validatingUTF8: ptr.baseAddress!)!) // $ MISSING: tainted=506
-    sink(arg: String(cString: ptr.baseAddress!)) // $ MISSING: tainted=506
+    sink(arg: ptr[0]) // $ tainted=517
+    sink(arg: ptr.baseAddress!) // $ MISSING: tainted=517
+    sink(arg: String(utf8String: ptr.baseAddress!)!) // $ MISSING: tainted=517
+    sink(arg: String(validatingUTF8: ptr.baseAddress!)!) // $ MISSING: tainted=517
+    sink(arg: String(cString: ptr.baseAddress!)) // $ MISSING: tainted=517
   })
 
   sink(arg: String(cString: cleanCCharValues))
-  sink(arg: String(cString: taintedCCharValues)) // $ tainted=506
+  sink(arg: String(cString: taintedCCharValues)) // $ tainted=517
 }
 
 func source6() -> unichar { return 0 }
@@ -541,10 +552,10 @@ func taintThroughUnicharArray() {
   })
   taintedUnicharValues.withUnsafeBufferPointer({
     ptr in
-    sink(arg: ptr[0]) // $ tainted=533
-    sink(arg: ptr.baseAddress!) // $ MISSING: tainted=533
-    sink(arg: String(utf16CodeUnits: ptr.baseAddress!, count: ptr.count)) // $ MISSING: tainted=533
-    sink(arg: String(utf16CodeUnitsNoCopy: ptr.baseAddress!, count: ptr.count, freeWhenDone: false)) // $ MISSING: tainted=533
+    sink(arg: ptr[0]) // $ tainted=544
+    sink(arg: ptr.baseAddress!) // $ MISSING: tainted=544
+    sink(arg: String(utf16CodeUnits: ptr.baseAddress!, count: ptr.count)) // $ MISSING: tainted=5344
+    sink(arg: String(utf16CodeUnitsNoCopy: ptr.baseAddress!, count: ptr.count, freeWhenDone: false)) // $ MISSING: tainted=544
   })
 }
 
@@ -553,43 +564,45 @@ func source7() -> Substring { return Substring() }
 func taintThroughSubstring() {
   let tainted = source2()
 
-  sink(arg: source7()) // $ tainted=556
+  sink(arg: source7()) // $ tainted=567
 
   let sub1 = tainted[tainted.startIndex ..< tainted.endIndex]
-  sink(arg: sub1) // $ tainted=554
-  sink(arg: String(sub1)) // $ tainted=554
+  sink(arg: sub1) // $ tainted=565
+  sink(arg: String(sub1)) // $ tainted=565
 
   let sub2 = tainted.prefix(10)
-  sink(arg: sub2) // $ tainted=554
-  sink(arg: String(sub2)) // $ tainted=554
+  sink(arg: sub2) // $ tainted=565
+  sink(arg: String(sub2)) // $ tainted=565
 
   let sub3 = tainted.prefix(through: tainted.endIndex)
-  sink(arg: sub3) // $ tainted=554
-  sink(arg: String(sub3)) // $ tainted=554
+  sink(arg: sub3) // $ tainted=565
+  sink(arg: String(sub3)) // $ tainted=565
 
   let sub4 = tainted.prefix(upTo: tainted.endIndex)
-  sink(arg: sub4) // $ tainted=554
-  sink(arg: String(sub4)) // $ tainted=554
+  sink(arg: sub4) // $ tainted=565
+  sink(arg: String(sub4)) // $ tainted=565
 
   let sub5 = tainted.suffix(10)
-  sink(arg: sub5) // $ tainted=554
-  sink(arg: String(sub5)) // $ tainted=554
+  sink(arg: sub5) // $ tainted=565
+  sink(arg: String(sub5)) // $ tainted=565
 
   let sub6 = tainted.suffix(from: tainted.startIndex)
-  sink(arg: sub6) // $ tainted=554
-  sink(arg: String(sub6)) // $ tainted=554
+  sink(arg: sub6) // $ tainted=565
+  sink(arg: String(sub6)) // $ tainted=565
 }
 
 func taintedThroughConversion() {
   sink(arg: String(0))
-  sink(arg: String(source())) // $ tainted=585
+  sink(arg: String(source())) // $ tainted=596
+
   sink(arg: Int(0).description)
-  sink(arg: source().description) // $ tainted=587
+  sink(arg: source().description) // $ tainted=599
+
   sink(arg: String(describing: 0))
-  sink(arg: String(describing: source())) // $ tainted=589
+  sink(arg: String(describing: source())) // $ tainted=602
 
   sink(arg: Int("123")!)
-  sink(arg: Int(source2())!) // $ tainted=592
+  sink(arg: Int(source2())!) // $ tainted=605
 }
 
 func untaintedFields() {
@@ -607,7 +620,7 @@ func callbackWithCleanPointer(ptr: UnsafeBufferPointer<String.Element>) throws -
 }
 
 func callbackWithTaintedPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
-  sink(arg: ptr[0]) // $ tainted=617
+  sink(arg: ptr[0]) // $ tainted=630
 
   return source()
 }
@@ -626,7 +639,7 @@ func furtherTaintThroughCallbacks() {
     ptr in
     return source()
   })
-  sink(arg: result2!) // $ tainted=627
+  sink(arg: result2!) // $ tainted=640
 
   // return values from the closure (2)
   if let result3 = clean.withContiguousStorageIfAvailable({
@@ -639,28 +652,28 @@ func furtherTaintThroughCallbacks() {
     ptr in
     return source()
   }) {
-    sink(arg: result4) // $ tainted=640
+    sink(arg: result4) // $ tainted=653
   }
 
   // using a non-closure function
   let result5 = try? clean.withContiguousStorageIfAvailable(callbackWithCleanPointer)
   sink(arg: result5!)
   let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
-  sink(arg: result6!) // $ tainted=612
+  sink(arg: result6!) // $ tainted=625
 }
 
 func testAppendingFormat() {
   var s1 = source2()
-  sink(arg: s1.appendingFormat("%s %i", "", 0)) // $ tainted=653
+  sink(arg: s1.appendingFormat("%s %i", "", 0)) // $ tainted=666
 
   var s2 = ""
-  sink(arg: s2.appendingFormat(source2(), "", 0)) // $ tainted=657
+  sink(arg: s2.appendingFormat(source2(), "", 0)) // $ tainted=670
 
   var s3 = ""
-  sink(arg: s3.appendingFormat("%s %i", source2(), 0)) // $ tainted=660
+  sink(arg: s3.appendingFormat("%s %i", source2(), 0)) // $ tainted=673
 
   var s4 = ""
-  sink(arg: s4.appendingFormat("%s %i", "", source())) // $ tainted=663
+  sink(arg: s4.appendingFormat("%s %i", "", source())) // $ tainted=676
 }
 
 func sourceUInt8() -> UInt8 { return 0 }
@@ -669,22 +682,22 @@ func testDecodeCString() {
   var input : [UInt8] = [1, 2, 3, sourceUInt8()]
 
   let (str1, repaired1) = String.decodeCString(input, as: UTF8.self)!
-  sink(arg: str1) // $ tainted=669
+  sink(arg: str1) // $ tainted=682
   sink(arg: repaired1)
 
   input.withUnsafeBufferPointer({
     ptr in
     let (str2, repaired2) = String.decodeCString(ptr.baseAddress, as: UTF8.self)!
-    sink(arg: str2) // $ MISSING: tainted=669
+    sink(arg: str2) // $ MISSING: tainted=682
     sink(arg: repaired2)
   })
 
   let (str3, repaired3) = String.decodeCString(source2(), as: UTF8.self)!
-  sink(arg: str3) // $ tainted=682
+  sink(arg: str3) // $ tainted=695
   sink(arg: repaired3)
 
   let (str4, repaired4) = String.decodeCString(&input, as: UTF8.self)!
-  sink(arg: str4) // $ tainted=669
+  sink(arg: str4) // $ tainted=682
   sink(arg: repaired4)
 }
 
@@ -696,9 +709,9 @@ func taintMutableCharacters() {
     chars in
     sink(arg: chars)
     chars.append(source2())
-    sink(arg: chars) // $ tainted=698
+    sink(arg: chars) // $ tainted=711
     return source()
   })
-  sink(arg: rtn) // $ tainted=700
-  sink(arg: str) // $ tainted=698
+  sink(arg: rtn) // $ tainted=713
+  sink(arg: str) // $ tainted=711
 }
