Merge pull request #14523 from geoffw0/appendingformat

Swift: Model StringProtocol.appendingformat and String.decodecstring

Author: geoffw0

swift/ql/lib/change-notes/2023-10-16-string.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added taint models for `StringProtocol.appendingFormat` and `String.decodeCString`.

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll

@@ -40,7 +40,8 @@ private class StringSummaries extends SummaryModelCsv {
         ";StringProtocol;true;addingPercentEncoding(withAllowedCharacter:);;;Argument[-1];ReturnValue;taint",
         ";StringProtocol;true;addingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
         ";StringProtocol;true;appending(_:);;;Argument[-1..0];ReturnValue;taint",
-        ";StringProtocol;true;appendingFormat(_:_:);;;Argument[-1..0];ReturnValue;taint", //-1..
+        ";StringProtocol;true;appendingFormat(_:_:);;;Argument[-1..0];ReturnValue;taint",
+        ";StringProtocol;true;appendingFormat(_:_:);;;Argument[1].CollectionElement;ReturnValue;taint",
         ";StringProtocol;true;applyingTransform(_:reverse:);;;Argument[-1];ReturnValue;taint",
         ";StringProtocol;true;cString(using:);;;Argument[-1];ReturnValue;taint",
         ";StringProtocol;true;capitalized(with:);;;Argument[-1];ReturnValue;taint",
@@ -123,6 +124,8 @@ private class StringSummaries extends SummaryModelCsv {
         ";String;true;randomElement(using:);;;Argument[-1];ReturnValue;taint",
         ";String;true;enumerated();;;Argument[-1];ReturnValue;taint",
         ";String;true;encode(to:);;;Argument[-1];Argument[0];taint",
+        ";String;true;decodeCString(_:as:repairingInvalidCodeUnits:);;;Argument[0];ReturnValue.TupleElement[0];taint",
+        ";String;true;decodeCString(_:as:repairingInvalidCodeUnits:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0];taint",
         ";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",
       ]
   }

swift/ql/test/library-tests/dataflow/taint/libraries/string.swift

@@ -24,7 +24,6 @@ struct Locale {
 
 
 
-
 
 enum CInterop {
   typealias Char = CChar
@@ -104,6 +103,7 @@ extension StringProtocol {
   func substring(from index: Self.Index) -> String { return "" }
   func trimmingCharacters(in set: CharacterSet) -> String { return "" }
   func appending<T>(_ aString: T) -> String where T : StringProtocol { return "" }
+  func appendingFormat<T>(_ format: T, _ arguments: CVarArg...) -> String where T : StringProtocol { return "" }
   func padding<T>(toLength newLength: Int, withPad padString: T, startingAt padIndex: Int) -> String where T: StringProtocol { return "" }
   func components(separatedBy separator: CharacterSet) -> [String] { return [] }
   func folding(options: String.CompareOptions = [], locale: Locale?) -> String { return "" }
@@ -648,3 +648,42 @@ func furtherTaintThroughCallbacks() {
   let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
   sink(arg: result6!) // $ tainted=612
 }
+
+func testAppendingFormat() {
+  var s1 = source2()
+  sink(arg: s1.appendingFormat("%s %i", "", 0)) // $ tainted=653
+
+  var s2 = ""
+  sink(arg: s2.appendingFormat(source2(), "", 0)) // $ tainted=657
+
+  var s3 = ""
+  sink(arg: s3.appendingFormat("%s %i", source2(), 0)) // $ tainted=660
+
+  var s4 = ""
+  sink(arg: s4.appendingFormat("%s %i", "", source())) // $ tainted=663
+}
+
+func sourceUInt8() -> UInt8 { return 0 }
+
+func testDecodeCString() {
+  var input : [UInt8] = [1, 2, 3, sourceUInt8()]
+
+  let (str1, repaired1) = String.decodeCString(input, as: UTF8.self)!
+  sink(arg: str1) // $ tainted=669
+  sink(arg: repaired1)
+
+  input.withUnsafeBufferPointer({
+    ptr in
+    let (str2, repaired2) = String.decodeCString(ptr.baseAddress, as: UTF8.self)!
+    sink(arg: str2) // $ MISSING: tainted=669
+    sink(arg: repaired2)
+  })
+
+  let (str3, repaired3) = String.decodeCString(source2(), as: UTF8.self)!
+  sink(arg: str3) // $ tainted=682
+  sink(arg: repaired3)
+
+  let (str4, repaired4) = String.decodeCString(&input, as: UTF8.self)!
+  sink(arg: str4) // $ tainted=669
+  sink(arg: repaired4)
+}