Swift: Test the customurlschemes fields that inherit taint.

geoffw0 · geoffw0 · commit bc4724b1fb37 · 2023-07-17T15:39:02.000+01:00
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/FlowSourcesInline.ql b/swift/ql/test/library-tests/dataflow/flowsources/FlowSourcesInline.ql
@@ -1,6 +1,16 @@
 import swift
 import TestUtilities.InlineExpectationsTest
 import FlowConfig
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.DataFlow
+
+module TaintReachConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node sink) { any() }
+}
+
+module TaintReachFlow = TaintTracking::Global<TaintReachConfiguration>;
 
 string describe(FlowSource source) {
   source instanceof RemoteFlowSource and result = "remote"
@@ -9,7 +19,7 @@ string describe(FlowSource source) {
 }
 
 module FlowSourcesTest implements TestSig {
-  string getARelevantTag() { result = "source" }
+  string getARelevantTag() { result = ["source", "tainted"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(FlowSource source |
@@ -20,6 +30,19 @@ module FlowSourcesTest implements TestSig {
       value = describe(source)
     )
   }
+
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    // this is not really what the "flowsources" test is about, but sometimes it's helpful to
+    // confirm that taint reaches certain obvious points in the flow source test code.
+    exists(DataFlow::Node n |
+      TaintReachFlow::flowTo(n) and
+      location = n.getLocation() and
+      location.getFile().getBaseName() != "" and
+      element = n.toString() and
+      tag = "tainted" and
+      value = ""
+    )
+  }
 }
 
 import MakeTest<FlowSourcesTest>
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift b/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift
@@ -26,19 +26,33 @@ protocol UIApplicationDelegate {
 }
 
 class UIScene {
-    class ConnectionOptions {}
+    class ConnectionOptions {
+        var userActivities: Set<NSUserActivity> { get { return Set() } }
+        var urlContexts: Set<UIOpenURLContext> { get { return Set() } }
+    }
 }
 
 class UISceneSession {}
 
-class NSUserActivity {}
+class NSUserActivity: Hashable {
+    static func == (lhs: NSUserActivity, rhs: NSUserActivity) -> Bool {
+        return true;
+    }
+
+    func hash(into hasher: inout Hasher) {}
+
+    var webpageURL: URL? { get { return nil } set { } }
+    var referrerURL: URL? { get { return nil } set { } }
+}
 
 class UIOpenURLContext: Hashable {
     static func == (lhs: UIOpenURLContext, rhs: UIOpenURLContext) -> Bool {
         return true;
     }
 
     func hash(into hasher: inout Hasher) {}
+
+    var url: URL { get { return URL() } }
 }
 
 protocol UISceneDelegate {
@@ -64,28 +78,88 @@ class AppDelegate: UIApplicationDelegate {
     }
 
     func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
-        launchOptions?[.url] // $ source=remote
+        _ = launchOptions?[.url] // $ source=remote
         return true
     }
 
     func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
-        launchOptions?[.url] // $ source=remote
+        _ = launchOptions?[.url] // $ source=remote
         return true
     }
 }
 
 class SceneDelegate : UISceneDelegate {
-    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // $ source=remote
-    func scene(_: UIScene, continue: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, didUpdate: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // $ source=remote
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
+      for userActivity in options.userActivities {
+        let x = userActivity.webpageURL
+        x // $ MISSING: tainted
+        let y = userActivity.referrerURL
+        y // $ MISSING: tainted
+      }
+
+      for urlContext in options.urlContexts {
+        let z = urlContext.url
+        z // $ MISSING: tainted
+      }
+    }
+
+    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
+      let x = `continue`.webpageURL
+      x // $ tainted
+      let y = `continue`.referrerURL
+      y // $ MISSING: tainted
+    }
+
+    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
+      let x = didUpdate.webpageURL
+      x // $ tainted
+      let y = didUpdate.referrerURL
+      y // $ MISSING: tainted
+    }
+
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
+      for openURLContext in openURLContexts {
+        let x = openURLContext.url
+        x // $ MISSING: tainted
+      }
+    }
 }
 
 class Extended {}
 
 extension Extended : UISceneDelegate {
-    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // $ source=remote
-    func scene(_: UIScene, continue: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, didUpdate: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // $ source=remote
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
+      for userActivity in options.userActivities {
+        let x = userActivity.webpageURL
+        x // $ MISSING: tainted
+        let y = userActivity.referrerURL
+        y // $ MISSING: tainted
+      }
+
+      for urlContext in options.urlContexts {
+        let z = urlContext.url
+        z // $ MISSING: tainted
+      }
+    }
+
+    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
+      let x = `continue`.webpageURL
+      x // $ tainted
+      let y = `continue`.referrerURL
+      y // $ MISSING: tainted
+    }
+
+    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
+      let x = didUpdate.webpageURL
+      x // $ tainted
+      let y = didUpdate.referrerURL
+      y // $ MISSING: tainted
+    }
+
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
+      for openURLContext in openURLContexts {
+        let x = openURLContext.url
+        x // $ MISSING: tainted
+      }
+    }
 }
