add taint steps for fields of String

if a String is tainted, then all its fields (including those declared in extensions) should be tainted as well

Author: karimhamdanali

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll

@@ -1,5 +1,7 @@
 import swift
+private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
 
 private class StringSource extends SourceModelCsv {
   override predicate row(string row) {
@@ -16,3 +18,15 @@ private class StringSource extends SourceModelCsv {
       ]
   }
 }
+
+/**
+ * A content implying that, if a `String` is tainted, then all its fields are tainted.
+ */
+private class StringFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  StringFieldsInheritTaint() {
+    this.getField().getEnclosingDecl().(ClassOrStructDecl).getFullName() = "String" or
+    this.getField().getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getFullName() =
+      "String"
+  }
+}

swift/ql/test/library-tests/dataflow/taint/string.swift

@@ -82,10 +82,10 @@ func taintThroughStringOperations() {
   sink(arg: String(repeating: tainted, count: 2)) // $ MISSING: tainted=74
 
   sink(arg: clean.description)
-  sink(arg: tainted.description) // $ MISSING: tainted=74
+  sink(arg: tainted.description) // $ tainted=74
 
   sink(arg: clean.debugDescription)
-  sink(arg: tainted.debugDescription) // $ MISSING: tainted=74
+  sink(arg: tainted.debugDescription) // $ tainted=74
 }
 
 class Data
@@ -111,3 +111,13 @@ func taintThroughData() {
 	sink(arg: stringClean!)
 	sink(arg: stringTainted!) // $ MISSING: tainted=100
 }
+
+func sink(arg: String.UTF8View) {}
+
+func taintThroughStringFields() {
+  let clean = ""
+  let tainted = source2().utf8
+
+  sink(arg: clean)
+  sink(arg: tainted) // $ tainted=95
+}