Swift: Flow through optional binding.

geoffw0 · geoffw0 · commit b5dd8152498c · 2023-01-06T18:34:22.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -153,6 +153,14 @@ private module Cached {
     or
     nodeFrom.asExpr() = nodeTo.asExpr().(OptionalEvaluationExpr).getSubExpr()
     or
+    // flow through optional binding `if let`
+    exists(ConditionElement ce, ConcreteVarDecl v |
+      ce.getInitializer() = nodeFrom.asExpr() and
+      ce.getPattern() = v.getParentPattern() and
+      //.(OptionalSomePattern).getSubPattern().(BindingPattern).getSubPattern().(NamedPattern) ?
+      nodeTo.asDefinition().getSourceVariable() = v
+    )
+    or
     // flow through nil-coalescing operator `??`
     exists(BinaryExpr nco |
       nco.getOperator().(FreeFunctionDecl).getName() = "??(_:_:)" and
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -107,14 +107,21 @@ edges
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:275:15:275:27 | ... ??(_:_:) ... |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:279:15:279:31 | ... ? ... : ... |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:280:15:280:38 | ... ? ... : ... |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:285:19:285:19 | z |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:291:16:291:17 | ...? :  |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:300:15:300:15 | z1 |
 | test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:303:15:303:16 | ...! :  |
+| test.swift:263:13:263:28 | call to optionalSource() :  | test.swift:307:19:307:19 | z |
 | test.swift:270:15:270:22 | call to source() :  | file://:0:0:0:0 | [summary param] this in signum() :  |
 | test.swift:270:15:270:22 | call to source() :  | test.swift:270:15:270:31 | call to signum() |
 | test.swift:271:15:271:16 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  |
 | test.swift:271:15:271:16 | ...? :  | test.swift:271:15:271:25 | call to signum() :  |
 | test.swift:271:15:271:25 | call to signum() :  | test.swift:271:15:271:25 | OptionalEvaluationExpr |
 | test.swift:280:31:280:38 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() :  | test.swift:282:15:282:38 | ... ? ... : ... |
+| test.swift:291:16:291:17 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  |
+| test.swift:291:16:291:17 | ...? :  | test.swift:291:16:291:26 | call to signum() :  |
+| test.swift:291:16:291:26 | call to signum() :  | test.swift:292:19:292:19 | z |
 | test.swift:303:15:303:16 | ...! :  | file://:0:0:0:0 | [summary param] this in signum() :  |
 | test.swift:303:15:303:16 | ...! :  | test.swift:303:15:303:25 | call to signum() |
 | test.swift:331:14:331:26 | (...) [Tuple element at index 1] :  | test.swift:335:15:335:15 | t1 [Tuple element at index 1] :  |
@@ -261,8 +268,14 @@ nodes
 | test.swift:280:31:280:38 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:282:15:282:38 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:285:19:285:19 | z | semmle.label | z |
+| test.swift:291:16:291:17 | ...? :  | semmle.label | ...? :  |
+| test.swift:291:16:291:26 | call to signum() :  | semmle.label | call to signum() :  |
+| test.swift:292:19:292:19 | z | semmle.label | z |
+| test.swift:300:15:300:15 | z1 | semmle.label | z1 |
 | test.swift:303:15:303:16 | ...! :  | semmle.label | ...! :  |
 | test.swift:303:15:303:25 | call to signum() | semmle.label | call to signum() |
+| test.swift:307:19:307:19 | z | semmle.label | z |
 | test.swift:331:14:331:26 | (...) [Tuple element at index 1] :  | semmle.label | (...) [Tuple element at index 1] :  |
 | test.swift:331:18:331:25 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:335:15:335:15 | t1 [Tuple element at index 1] :  | semmle.label | t1 [Tuple element at index 1] :  |
@@ -311,6 +324,7 @@ subpaths
 | test.swift:219:13:219:15 | .a [x] :  | test.swift:163:7:163:7 | self [x] :  | file://:0:0:0:0 | .x :  | test.swift:219:13:219:17 | .x |
 | test.swift:270:15:270:22 | call to source() :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:270:15:270:31 | call to signum() |
 | test.swift:271:15:271:16 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:271:15:271:25 | call to signum() :  |
+| test.swift:291:16:291:17 | ...? :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:291:16:291:26 | call to signum() :  |
 | test.swift:303:15:303:16 | ...! :  | file://:0:0:0:0 | [summary param] this in signum() :  | file://:0:0:0:0 | [summary] to write: return (return) in signum() :  | test.swift:303:15:303:25 | call to signum() |
 #select
 | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() :  | test.swift:7:15:7:15 | t1 | result |
@@ -351,7 +365,11 @@ subpaths
 | test.swift:280:15:280:38 | ... ? ... : ... | test.swift:259:12:259:19 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... | result |
 | test.swift:280:15:280:38 | ... ? ... : ... | test.swift:280:31:280:38 | call to source() :  | test.swift:280:15:280:38 | ... ? ... : ... | result |
 | test.swift:282:15:282:38 | ... ? ... : ... | test.swift:282:31:282:38 | call to source() :  | test.swift:282:15:282:38 | ... ? ... : ... | result |
+| test.swift:285:19:285:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:285:19:285:19 | z | result |
+| test.swift:292:19:292:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:292:19:292:19 | z | result |
+| test.swift:300:15:300:15 | z1 | test.swift:259:12:259:19 | call to source() :  | test.swift:300:15:300:15 | z1 | result |
 | test.swift:303:15:303:25 | call to signum() | test.swift:259:12:259:19 | call to source() :  | test.swift:303:15:303:25 | call to signum() | result |
+| test.swift:307:19:307:19 | z | test.swift:259:12:259:19 | call to source() :  | test.swift:307:19:307:19 | z | result |
 | test.swift:335:15:335:18 | .1 | test.swift:331:18:331:25 | call to source() :  | test.swift:335:15:335:18 | .1 | result |
 | test.swift:346:15:346:18 | .0 | test.swift:343:12:343:19 | call to source() :  | test.swift:346:15:346:18 | .0 | result |
 | test.swift:356:15:356:18 | .0 | test.swift:351:18:351:25 | call to source() :  | test.swift:356:15:356:18 | .0 | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -242,28 +242,36 @@
 | test.swift:282:26:282:27 | ...! | test.swift:282:15:282:38 | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() | test.swift:282:15:282:38 | ... ? ... : ... |
 | test.swift:284:8:284:12 | SSA def(z) | test.swift:285:19:285:19 | z |
+| test.swift:284:16:284:16 | x | test.swift:284:8:284:12 | SSA def(z) |
 | test.swift:284:16:284:16 | x | test.swift:291:16:291:16 | x |
 | test.swift:287:8:287:12 | SSA def(z) | test.swift:288:19:288:19 | z |
+| test.swift:287:16:287:16 | y | test.swift:287:8:287:12 | SSA def(z) |
 | test.swift:287:16:287:16 | y | test.swift:294:16:294:16 | y |
 | test.swift:291:8:291:12 | SSA def(z) | test.swift:292:19:292:19 | z |
 | test.swift:291:16:291:16 | x | test.swift:291:16:291:17 | ...? |
 | test.swift:291:16:291:16 | x | test.swift:298:20:298:20 | x |
+| test.swift:291:16:291:26 | OptionalEvaluationExpr | test.swift:291:8:291:12 | SSA def(z) |
 | test.swift:291:16:291:26 | call to signum() | test.swift:291:16:291:26 | OptionalEvaluationExpr |
 | test.swift:294:8:294:12 | SSA def(z) | test.swift:295:19:295:19 | z |
 | test.swift:294:16:294:16 | y | test.swift:294:16:294:17 | ...? |
 | test.swift:294:16:294:16 | y | test.swift:299:20:299:20 | y |
+| test.swift:294:16:294:26 | OptionalEvaluationExpr | test.swift:294:8:294:12 | SSA def(z) |
 | test.swift:294:16:294:26 | call to signum() | test.swift:294:16:294:26 | OptionalEvaluationExpr |
 | test.swift:298:11:298:15 | SSA def(z1) | test.swift:300:15:300:15 | z1 |
+| test.swift:298:20:298:20 | x | test.swift:298:11:298:15 | SSA def(z1) |
 | test.swift:298:20:298:20 | x | test.swift:303:15:303:15 | x |
 | test.swift:299:11:299:15 | SSA def(z2) | test.swift:301:15:301:15 | z2 |
+| test.swift:299:20:299:20 | y | test.swift:299:11:299:15 | SSA def(z2) |
 | test.swift:299:20:299:20 | y | test.swift:304:15:304:15 | y |
 | test.swift:303:15:303:15 | x | test.swift:303:15:303:16 | ...! |
 | test.swift:303:15:303:15 | x | test.swift:306:28:306:28 | x |
 | test.swift:304:15:304:15 | y | test.swift:304:15:304:16 | ...! |
 | test.swift:304:15:304:15 | y | test.swift:309:28:309:28 | y |
 | test.swift:306:13:306:24 | SSA def(z) | test.swift:307:19:307:19 | z |
+| test.swift:306:28:306:28 | x | test.swift:306:13:306:24 | SSA def(z) |
 | test.swift:306:28:306:28 | x | test.swift:313:12:313:12 | x |
 | test.swift:309:13:309:24 | SSA def(z) | test.swift:310:19:310:19 | z |
+| test.swift:309:28:309:28 | y | test.swift:309:13:309:24 | SSA def(z) |
 | test.swift:309:28:309:28 | y | test.swift:319:12:319:12 | y |
 | test.swift:314:10:314:21 | SSA def(z) | test.swift:315:19:315:19 | z |
 | test.swift:320:10:320:21 | SSA def(z) | test.swift:321:19:321:19 | z |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -282,29 +282,29 @@ func test_optionals(y: Int?) {
     sink(arg: y != nil ? y! : source()) // $ flow=282
 
     if let z = x {
-        sink(arg: z) // $ MISSING: flow=259
+        sink(arg: z) // $ flow=259
     }
     if let z = y {
         sink(arg: z)
     }
 
-    if let z = x?.signum() { // $ MISSING: flow=259
-        sink(arg: z)
+    if let z = x?.signum() {
+        sink(arg: z) // $ flow=259
     }
     if let z = y?.signum() {
         sink(arg: z)
     }
 
     guard let z1 = x else { return }
     guard let z2 = y else { return }
-    sink(arg: z1) // $ MISSING: flow=259
+    sink(arg: z1) // $ flow=259
     sink(arg: z2)
 
     sink(arg: x!.signum()) // $ flow=259
     sink(arg: y!.signum())
 
     if case .some(let z) = x {
-        sink(arg: z) // $ MISSING: flow=259
+        sink(arg: z) // $ flow=259
     }
     if case .some(let z) = y {
         sink(arg: z)
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -1277,10 +1277,12 @@
 | url.swift:102:46:102:46 | urlTainted | url.swift:102:15:102:56 | call to URL.init(string:relativeTo:) |
 | url.swift:102:46:102:46 | urlTainted | url.swift:120:46:120:46 | urlTainted |
 | url.swift:104:5:104:9 | SSA def(x) | url.swift:105:13:105:13 | x |
+| url.swift:104:13:104:30 | call to URL.init(string:) | url.swift:104:5:104:9 | SSA def(x) |
 | url.swift:104:25:104:25 | [post] clean | url.swift:113:26:113:26 | clean |
 | url.swift:104:25:104:25 | clean | url.swift:104:13:104:30 | call to URL.init(string:) |
 | url.swift:104:25:104:25 | clean | url.swift:113:26:113:26 | clean |
 | url.swift:108:5:108:9 | SSA def(y) | url.swift:109:13:109:13 | y |
+| url.swift:108:13:108:32 | call to URL.init(string:) | url.swift:108:5:108:9 | SSA def(y) |
 | url.swift:108:25:108:25 | [post] tainted | url.swift:117:28:117:28 | tainted |
 | url.swift:108:25:108:25 | tainted | url.swift:108:13:108:32 | call to URL.init(string:) |
 | url.swift:108:25:108:25 | tainted | url.swift:117:28:117:28 | tainted |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
@@ -326,6 +326,7 @@ edges
 | url.swift:43:2:46:55 | [summary param] 0 in dataTask(with:completionHandler:) :  | file://:0:0:0:0 | [summary] to write: argument 1.parameter 0 in dataTask(with:completionHandler:) :  |
 | url.swift:57:16:57:23 | call to source() :  | url.swift:59:31:59:31 | tainted :  |
 | url.swift:57:16:57:23 | call to source() :  | url.swift:83:24:83:24 | tainted :  |
+| url.swift:57:16:57:23 | call to source() :  | url.swift:108:25:108:25 | tainted :  |
 | url.swift:57:16:57:23 | call to source() :  | url.swift:117:28:117:28 | tainted :  |
 | url.swift:59:19:59:38 | call to URL.init(string:) :  | url.swift:62:12:62:12 | urlTainted |
 | url.swift:59:19:59:38 | call to URL.init(string:) :  | url.swift:64:12:64:23 | .absoluteURL |
@@ -419,6 +420,9 @@ edges
 | url.swift:102:15:102:56 | call to URL.init(string:relativeTo:) :  | url.swift:102:15:102:67 | ...! |
 | url.swift:102:46:102:46 | urlTainted :  | url.swift:9:2:9:43 | [summary param] 1 in URL.init(string:relativeTo:) :  |
 | url.swift:102:46:102:46 | urlTainted :  | url.swift:102:15:102:56 | call to URL.init(string:relativeTo:) :  |
+| url.swift:108:13:108:32 | call to URL.init(string:) :  | url.swift:109:13:109:13 | y |
+| url.swift:108:25:108:25 | tainted :  | url.swift:8:2:8:25 | [summary param] 0 in URL.init(string:) :  |
+| url.swift:108:25:108:25 | tainted :  | url.swift:108:13:108:32 | call to URL.init(string:) :  |
 | url.swift:117:16:117:35 | call to URL.init(string:) :  | url.swift:118:12:118:12 | ...! |
 | url.swift:117:28:117:28 | tainted :  | url.swift:8:2:8:25 | [summary param] 0 in URL.init(string:) :  |
 | url.swift:117:28:117:28 | tainted :  | url.swift:117:16:117:35 | call to URL.init(string:) :  |
@@ -1061,6 +1065,9 @@ nodes
 | url.swift:102:15:102:56 | call to URL.init(string:relativeTo:) :  | semmle.label | call to URL.init(string:relativeTo:) :  |
 | url.swift:102:15:102:67 | ...! | semmle.label | ...! |
 | url.swift:102:46:102:46 | urlTainted :  | semmle.label | urlTainted :  |
+| url.swift:108:13:108:32 | call to URL.init(string:) :  | semmle.label | call to URL.init(string:) :  |
+| url.swift:108:25:108:25 | tainted :  | semmle.label | tainted :  |
+| url.swift:109:13:109:13 | y | semmle.label | y |
 | url.swift:117:16:117:35 | call to URL.init(string:) :  | semmle.label | call to URL.init(string:) :  |
 | url.swift:117:28:117:28 | tainted :  | semmle.label | tainted :  |
 | url.swift:118:12:118:12 | ...! | semmle.label | ...! |
@@ -1261,6 +1268,7 @@ subpaths
 | url.swift:100:43:100:43 | urlTainted :  | url.swift:9:2:9:43 | [summary param] 1 in URL.init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in URL.init(string:relativeTo:) :  | url.swift:100:12:100:53 | call to URL.init(string:relativeTo:) :  |
 | url.swift:101:46:101:46 | urlTainted :  | url.swift:9:2:9:43 | [summary param] 1 in URL.init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in URL.init(string:relativeTo:) :  | url.swift:101:15:101:56 | call to URL.init(string:relativeTo:) :  |
 | url.swift:102:46:102:46 | urlTainted :  | url.swift:9:2:9:43 | [summary param] 1 in URL.init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in URL.init(string:relativeTo:) :  | url.swift:102:15:102:56 | call to URL.init(string:relativeTo:) :  |
+| url.swift:108:25:108:25 | tainted :  | url.swift:8:2:8:25 | [summary param] 0 in URL.init(string:) :  | file://:0:0:0:0 | [summary] to write: return (return) in URL.init(string:) :  | url.swift:108:13:108:32 | call to URL.init(string:) :  |
 | url.swift:117:28:117:28 | tainted :  | url.swift:8:2:8:25 | [summary param] 0 in URL.init(string:) :  | file://:0:0:0:0 | [summary] to write: return (return) in URL.init(string:) :  | url.swift:117:16:117:35 | call to URL.init(string:) :  |
 | webview.swift:84:10:84:10 | source :  | webview.swift:36:5:36:41 | [summary param] this in toObject() :  | file://:0:0:0:0 | [summary] to write: return (return) in toObject() :  | webview.swift:84:10:84:26 | call to toObject() |
 | webview.swift:85:10:85:10 | source :  | webview.swift:37:5:37:55 | [summary param] this in toObjectOf(_:) :  | file://:0:0:0:0 | [summary] to write: return (return) in toObjectOf(_:) :  | webview.swift:85:10:85:41 | call to toObjectOf(_:) |
@@ -1422,6 +1430,7 @@ subpaths
 | url.swift:100:12:100:56 | .standardizedFileURL | url.swift:57:16:57:23 | call to source() :  | url.swift:100:12:100:56 | .standardizedFileURL | result |
 | url.swift:101:15:101:63 | ...! | url.swift:57:16:57:23 | call to source() :  | url.swift:101:15:101:63 | ...! | result |
 | url.swift:102:15:102:67 | ...! | url.swift:57:16:57:23 | call to source() :  | url.swift:102:15:102:67 | ...! | result |
+| url.swift:109:13:109:13 | y | url.swift:57:16:57:23 | call to source() :  | url.swift:109:13:109:13 | y | result |
 | url.swift:118:12:118:12 | ...! | url.swift:57:16:57:23 | call to source() :  | url.swift:118:12:118:12 | ...! | result |
 | url.swift:121:15:121:19 | ...! | url.swift:57:16:57:23 | call to source() :  | url.swift:121:15:121:19 | ...! | result |
 | webview.swift:77:10:77:41 | .body | webview.swift:77:11:77:18 | call to source() :  | webview.swift:77:10:77:41 | .body | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/url.swift b/swift/ql/test/library-tests/dataflow/taint/url.swift
@@ -106,7 +106,7 @@ func taintThroughURL() {
 	}
 
 	if let y = URL(string: tainted) {
-		sink(arg: y) // $ MISSING: tainted=57
+		sink(arg: y) // $ tainted=57
 	}
 
 	var urlClean2 : URL!

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ func taintThroughURL() {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`if let y = URL(string: tainted) {`
`109`		`- sink(arg: y) // $ MISSING: tainted=57`
	`109`	`+ sink(arg: y) // $ tainted=57`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`var urlClean2 : URL!`