Swift: Fill some gaps in the URL, NSURL models.

Author: geoffw0

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsUrl.qll

@@ -3,13 +3,34 @@
  */
 
 import swift
+private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A content implying that, if an `NSURL` is tainted, then all its fields are tainted.
+ */
+private class NSUrlFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  NSUrlFieldsInheritTaint() {
+    this.getField().getEnclosingDecl().asNominalTypeDecl().getFullName() = "NSURL"
+  }
+}
 
 /**
  * A model for `NSURL` members that permit taint flow.
  */
 private class NsUrlSummaries extends SummaryModelCsv {
   override predicate row(string row) {
-    row = ";NSURL;true;init(string:);(String);;Argument[0];ReturnValue.OptionalSome;taint"
+    row =
+      [
+        ";NSURL;true;init(string:);(String);;Argument[0];ReturnValue.OptionalSome;taint",
+        ";NSURL;true;appendingPathComponent(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSURL;true;appendingPathComponent(_:isDirectory:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSURL;true;appendingPathComponent(_:conformingTo:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSURL;true;appendingPathExtension(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSURL;true;appendingPathExtension(for:);;;Argument[-1];ReturnValue;taint",
+      ]
   }
 }

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Url.qll

@@ -15,8 +15,8 @@ class UrlDecl extends StructDecl {
 /**
  * A content implying that, if a `URL` is tainted, then all its fields are tainted.
  */
-private class UriFieldsInheritTaint extends TaintInheritingContent, DataFlow::Content::FieldContent {
-  UriFieldsInheritTaint() {
+private class UrlFieldsInheritTaint extends TaintInheritingContent, DataFlow::Content::FieldContent {
+  UrlFieldsInheritTaint() {
     this.getField().getEnclosingDecl().asNominalTypeDecl() instanceof UrlDecl
   }
 }
@@ -106,6 +106,8 @@ private class UrlSummaries extends SummaryModelCsv {
         ";URL;true;init(dataRepresentation:relativeTo:isAbsolute:);;;Argument[0];ReturnValue;taint",
         ";URL;true;init(dataRepresentation:relativeTo:isAbsolute:);;;Argument[1].OptionalSome;ReturnValue;taint",
         ";URL;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(filePath:);;;Argument[0];ReturnValue.OptionalSome;taint",
+        ";URL;true;init(filePath:isDirectory:);;;Argument[0];ReturnValue.OptionalSome;taint",
         ";URL;true;init(filePath:directoryHint:);;;Argument[0];ReturnValue.OptionalSome;taint",
         ";URL;true;init(filePath:directoryHint:relativeTo:);;;Argument[0];ReturnValue;taint",
         ";URL;true;init(filePath:directoryHint:relativeTo:);;;Argument[2].OptionalSome;ReturnValue;taint",
@@ -126,6 +128,7 @@ private class UrlSummaries extends SummaryModelCsv {
         ";URL;true;appendingPathComponent(_:conformingTo:);;;Argument[-1..0];ReturnValue;taint",
         ";URL;true;appendPathExtension(_:);;;Argument[-1..0];Argument[-1];taint",
         ";URL;true;appendingPathExtension(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appendingPathExtension(for:);;;Argument[-1];ReturnValue;taint",
         ";URL;true;deletingLastPathComponent();;;Argument[-1];ReturnValue;taint",
         ";URL;true;deletingPathExtension();;;Argument[-1];ReturnValue;taint",
         ";URL;true;bookmarkData(options:includingResourceValuesForKeys:relativeTo:);;;Argument[-1];ReturnValue;taint",

swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift

@@ -458,11 +458,11 @@ func testPathInjection2(s1: UnsafeMutablePointer<String>, s2: UnsafeMutablePoint
     let u3 = NSURL(string: "")!
     Data("").write(to: u3.filePathURL!, options: [])
     Data("").write(to: u3.appendingPathComponent("")!, options: [])
-    Data("").write(to: u3.appendingPathComponent(remoteString)!, options: []) // $ MISSING: hasPathInjection=445
+    Data("").write(to: u3.appendingPathComponent(remoteString)!, options: []) // $ hasPathInjection=445
 
     let u4 = NSURL(string: remoteString)!
-    Data("").write(to: u4.filePathURL!, options: []) // $ MISSING: hasPathInjection=445
-    Data("").write(to: u4.appendingPathComponent("")!, options: []) // $ MISSING: hasPathInjection=445
+    Data("").write(to: u4.filePathURL!, options: []) // $ hasPathInjection=445
+    Data("").write(to: u4.appendingPathComponent("")!, options: []) // $ hasPathInjection=445
 
     _ = NSData(contentsOfFile: remoteString)! // $ MISSING: hasPathInjection=445
     _ = NSData(contentsOfMappedFile: remoteString)! // $ MISSING: hasPathInjection=445