Swift: collection/tuple content for dictionary flow

rdmarsh2 · rdmarsh2 · commit 70c2ef599a8e · 2023-08-10T20:52:47.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -9,6 +9,7 @@ private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 private import codeql.swift.frameworks.StandardLibrary.Array
+private import codeql.swift.frameworks.StandardLibrary.Dictionary
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.(NodeImpl).getEnclosingCallable() }
@@ -114,6 +115,9 @@ private module Cached {
           any(ApplyExpr apply).getQualifier(), any(TupleElementExpr te).getSubExpr(),
           any(SubscriptExpr se).getBase()
         ])
+    } or
+    TDictionarySubscriptNode(SubscriptExpr e) {
+      e.getBase().getType().getCanonicalType() instanceof CanonicalDictionaryType
     }
 
   private predicate localSsaFlowStepUseUse(Ssa::Definition def, Node nodeFrom, Node nodeTo) {
@@ -296,6 +300,29 @@ import Cached
 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
 
+private class DictionarySubscriptNode extends NodeImpl, TDictionarySubscriptNode {
+  SubscriptExpr expr;
+  DictionarySubscriptNode() {
+    this = TDictionarySubscriptNode(expr)
+  }
+
+  override DataFlowCallable getEnclosingCallable() {
+    result.asSourceCallable() = expr.getEnclosingCallable()
+  }
+
+  override string toStringImpl() {
+    result = "DictionarySubscriptNode"
+  }
+
+  override Location getLocationImpl() {
+    result = expr.getLocation()
+  }
+
+  SubscriptExpr getExpr() {
+    result = expr
+  }
+}
+
 private module ParameterNodes {
   abstract class ParameterNodeImpl extends NodeImpl {
     predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { none() }
@@ -727,6 +754,30 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(any(Content::ArrayContent ac))
   )
   or
+  // read of a dictionary value via subscript operator, with intermediate step
+  exists(AssignExpr assign, SubscriptExpr subscript | 
+    subscript = assign.getDest() and
+    (
+      subscript.getArgument(0).getExpr() = node1.asExpr() and
+      node2.(DictionarySubscriptNode).getExpr() = subscript and
+      c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 1))
+      or
+      assign.getSource() = node1.asExpr() and
+      node2.(DictionarySubscriptNode).getExpr() = subscript and
+      c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 1))
+      or
+      node1.(DictionarySubscriptNode) = node1 and
+      node2.asExpr() = subscript and
+      c.isSingleton(any(Content::CollectionContent cc))
+    )
+  )
+  or
+  exists(DictionaryExpr dict |
+    node1.asExpr() = dict.getAnElement() and
+    node2.asExpr() = dict and
+    c.isSingleton(any(Content::CollectionContent cc))
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
 }
@@ -807,6 +858,17 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(any(Content::ArrayContent ac))
   )
   or
+  // read of a dictionary value via subscript operator
+  exists(SubscriptExpr subscript | 
+    subscript.getBase() = node1.asExpr() and
+    node2.(DictionarySubscriptNode).getExpr() = subscript and
+    c.isSingleton(any(Content::CollectionContent cc))
+    or
+    subscript = node2.asExpr() and
+    node1.(DictionarySubscriptNode).getExpr() = subscript and
+    c.isSingleton(any(Content::TupleContent tc | tc.getIndex() = 1))
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
     node2.(FlowSummaryNode).getSummaryNode())
 }
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Dictionary.qll
@@ -0,0 +1,9 @@
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * An instance of the `Dictionary` type.
+ */
+class CanonicalDictionaryType extends BoundGenericType {
+  CanonicalDictionaryType() { this.getName().matches("Dictionary<%") }
+}
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -404,6 +404,20 @@ edges
 | test.swift:756:15:756:19 | .v2 [some:0] | test.swift:756:15:756:21 | ...! |
 | test.swift:757:15:757:15 | mo1 [v3] | test.swift:732:9:732:9 | self [v3] |
 | test.swift:757:15:757:15 | mo1 [v3] | test.swift:757:15:757:19 | .v3 |
+| test.swift:767:5:767:5 | [post] dict1 [Array element] | test.swift:769:15:769:15 | dict1 [Array element] |
+| test.swift:767:16:767:23 | call to source() | test.swift:767:5:767:5 | [post] dict1 [Array element] |
+| test.swift:769:15:769:15 | dict1 [Array element] | test.swift:769:15:769:22 | ...[...] |
+| test.swift:779:17:779:29 | [...] [Collection element, Tuple element at index 1] | test.swift:780:15:780:15 | dict3 [Collection element, Tuple element at index 1] |
+| test.swift:779:18:779:28 | (...) [Tuple element at index 1] | test.swift:779:17:779:29 | [...] [Collection element, Tuple element at index 1] |
+| test.swift:779:21:779:28 | call to source() | test.swift:779:18:779:28 | (...) [Tuple element at index 1] |
+| test.swift:780:15:780:15 | dict3 [Collection element, Tuple element at index 1] | test.swift:780:15:780:22 | DictionarySubscriptNode [Tuple element at index 1] |
+| test.swift:780:15:780:22 | DictionarySubscriptNode [Tuple element at index 1] | test.swift:780:15:780:22 | ...[...] |
+| test.swift:789:17:789:28 | [...] [Collection element, Tuple element at index 1] | test.swift:793:15:793:15 | dict4 [Collection element, Tuple element at index 1] |
+| test.swift:789:18:789:27 | (...) [Tuple element at index 1] | test.swift:789:17:789:28 | [...] [Collection element, Tuple element at index 1] |
+| test.swift:789:20:789:27 | call to source() | test.swift:789:18:789:27 | (...) [Tuple element at index 1] |
+| test.swift:793:15:793:15 | dict4 [Collection element, Tuple element at index 1] | test.swift:793:15:793:35 | call to randomElement() [some:0, Tuple element at index 1] |
+| test.swift:793:15:793:35 | call to randomElement() [some:0, Tuple element at index 1] | test.swift:793:15:793:36 | ...! [Tuple element at index 1] |
+| test.swift:793:15:793:36 | ...! [Tuple element at index 1] | test.swift:793:15:793:38 | .1 |
 nodes
 | file://:0:0:0:0 | .a [x] | semmle.label | .a [x] |
 | file://:0:0:0:0 | .str | semmle.label | .str |
@@ -849,6 +863,23 @@ nodes
 | test.swift:756:15:756:21 | ...! | semmle.label | ...! |
 | test.swift:757:15:757:15 | mo1 [v3] | semmle.label | mo1 [v3] |
 | test.swift:757:15:757:19 | .v3 | semmle.label | .v3 |
+| test.swift:767:5:767:5 | [post] dict1 [Array element] | semmle.label | [post] dict1 [Array element] |
+| test.swift:767:16:767:23 | call to source() | semmle.label | call to source() |
+| test.swift:769:15:769:15 | dict1 [Array element] | semmle.label | dict1 [Array element] |
+| test.swift:769:15:769:22 | ...[...] | semmle.label | ...[...] |
+| test.swift:779:17:779:29 | [...] [Collection element, Tuple element at index 1] | semmle.label | [...] [Collection element, Tuple element at index 1] |
+| test.swift:779:18:779:28 | (...) [Tuple element at index 1] | semmle.label | (...) [Tuple element at index 1] |
+| test.swift:779:21:779:28 | call to source() | semmle.label | call to source() |
+| test.swift:780:15:780:15 | dict3 [Collection element, Tuple element at index 1] | semmle.label | dict3 [Collection element, Tuple element at index 1] |
+| test.swift:780:15:780:22 | ...[...] | semmle.label | ...[...] |
+| test.swift:780:15:780:22 | DictionarySubscriptNode [Tuple element at index 1] | semmle.label | DictionarySubscriptNode [Tuple element at index 1] |
+| test.swift:789:17:789:28 | [...] [Collection element, Tuple element at index 1] | semmle.label | [...] [Collection element, Tuple element at index 1] |
+| test.swift:789:18:789:27 | (...) [Tuple element at index 1] | semmle.label | (...) [Tuple element at index 1] |
+| test.swift:789:20:789:27 | call to source() | semmle.label | call to source() |
+| test.swift:793:15:793:15 | dict4 [Collection element, Tuple element at index 1] | semmle.label | dict4 [Collection element, Tuple element at index 1] |
+| test.swift:793:15:793:35 | call to randomElement() [some:0, Tuple element at index 1] | semmle.label | call to randomElement() [some:0, Tuple element at index 1] |
+| test.swift:793:15:793:36 | ...! [Tuple element at index 1] | semmle.label | ...! [Tuple element at index 1] |
+| test.swift:793:15:793:38 | .1 | semmle.label | .1 |
 subpaths
 | test.swift:75:22:75:22 | x | test.swift:65:16:65:28 | arg1 | test.swift:65:1:70:1 | arg2[return] | test.swift:75:32:75:32 | [post] y |
 | test.swift:114:19:114:19 | arg | test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg | test.swift:114:12:114:22 | call to ... |
@@ -996,3 +1027,6 @@ subpaths
 | test.swift:754:15:754:15 | v3 | test.swift:744:10:744:17 | call to source() | test.swift:754:15:754:15 | v3 | result |
 | test.swift:756:15:756:21 | ...! | test.swift:746:14:746:21 | call to source() | test.swift:756:15:756:21 | ...! | result |
 | test.swift:757:15:757:19 | .v3 | test.swift:747:14:747:21 | call to source() | test.swift:757:15:757:19 | .v3 | result |
+| test.swift:769:15:769:22 | ...[...] | test.swift:767:16:767:23 | call to source() | test.swift:769:15:769:22 | ...[...] | result |
+| test.swift:780:15:780:22 | ...[...] | test.swift:779:21:779:28 | call to source() | test.swift:780:15:780:22 | ...[...] | result |
+| test.swift:793:15:793:38 | .1 | test.swift:789:20:789:27 | call to source() | test.swift:793:15:793:38 | .1 | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -913,3 +913,56 @@
 | test.swift:759:15:759:15 | mo2 | test.swift:760:15:760:15 | mo2 |
 | test.swift:759:15:759:20 | .v2 | test.swift:759:15:759:22 | ...! |
 | test.swift:760:15:760:15 | mo2 | test.swift:760:15:760:18 | ...! |
+| test.swift:764:9:764:9 | SSA def(dict1) | test.swift:765:15:765:15 | dict1 |
+| test.swift:764:9:764:9 | dict1 | test.swift:764:9:764:9 | SSA def(dict1) |
+| test.swift:764:17:764:31 | [...] | test.swift:764:9:764:9 | dict1 |
+| test.swift:765:15:765:15 | &... | test.swift:767:5:767:5 | dict1 |
+| test.swift:765:15:765:15 | [post] dict1 | test.swift:765:15:765:15 | &... |
+| test.swift:765:15:765:15 | dict1 | test.swift:765:15:765:15 | &... |
+| test.swift:767:5:767:5 | &... | test.swift:769:15:769:15 | dict1 |
+| test.swift:767:5:767:5 | [post] dict1 | test.swift:767:5:767:5 | &... |
+| test.swift:767:5:767:5 | dict1 | test.swift:767:5:767:5 | &... |
+| test.swift:769:15:769:15 | [post] dict1 | test.swift:769:15:769:15 | &... |
+| test.swift:769:15:769:15 | dict1 | test.swift:769:15:769:15 | &... |
+| test.swift:771:9:771:9 | SSA def(dict2) | test.swift:772:15:772:15 | dict2 |
+| test.swift:771:9:771:9 | dict2 | test.swift:771:9:771:9 | SSA def(dict2) |
+| test.swift:771:17:771:29 | [...] | test.swift:771:9:771:9 | dict2 |
+| test.swift:772:15:772:15 | &... | test.swift:774:25:774:25 | dict2 |
+| test.swift:772:15:772:15 | [post] dict2 | test.swift:772:15:772:15 | &... |
+| test.swift:772:15:772:15 | dict2 | test.swift:772:15:772:15 | &... |
+| test.swift:774:10:774:10 | SSA def(key) | test.swift:775:19:775:19 | key |
+| test.swift:774:10:774:10 | key | test.swift:774:10:774:10 | SSA def(key) |
+| test.swift:774:15:774:15 | SSA def(value) | test.swift:776:19:776:19 | value |
+| test.swift:774:15:774:15 | value | test.swift:774:15:774:15 | SSA def(value) |
+| test.swift:779:9:779:9 | SSA def(dict3) | test.swift:780:15:780:15 | dict3 |
+| test.swift:779:9:779:9 | dict3 | test.swift:779:9:779:9 | SSA def(dict3) |
+| test.swift:779:17:779:29 | [...] | test.swift:779:9:779:9 | dict3 |
+| test.swift:780:15:780:15 | &... | test.swift:782:5:782:5 | dict3 |
+| test.swift:780:15:780:15 | [post] dict3 | test.swift:780:15:780:15 | &... |
+| test.swift:780:15:780:15 | dict3 | test.swift:780:15:780:15 | &... |
+| test.swift:782:5:782:5 | &... | test.swift:784:25:784:25 | dict3 |
+| test.swift:782:5:782:5 | [post] dict3 | test.swift:782:5:782:5 | &... |
+| test.swift:782:5:782:5 | dict3 | test.swift:782:5:782:5 | &... |
+| test.swift:784:10:784:10 | SSA def(key) | test.swift:785:19:785:19 | key |
+| test.swift:784:10:784:10 | key | test.swift:784:10:784:10 | SSA def(key) |
+| test.swift:784:15:784:15 | SSA def(value) | test.swift:786:19:786:19 | value |
+| test.swift:784:15:784:15 | value | test.swift:784:15:784:15 | SSA def(value) |
+| test.swift:789:9:789:9 | SSA def(dict4) | test.swift:790:15:790:15 | dict4 |
+| test.swift:789:9:789:9 | dict4 | test.swift:789:9:789:9 | SSA def(dict4) |
+| test.swift:789:17:789:28 | [...] | test.swift:789:9:789:9 | dict4 |
+| test.swift:790:15:790:15 | &... | test.swift:791:15:791:15 | dict4 |
+| test.swift:790:15:790:15 | [post] dict4 | test.swift:790:15:790:15 | &... |
+| test.swift:790:15:790:15 | dict4 | test.swift:790:15:790:15 | &... |
+| test.swift:790:15:790:52 | call to updateValue(_:forKey:) | test.swift:790:15:790:53 | ...! |
+| test.swift:791:15:791:15 | &... | test.swift:792:15:792:15 | dict4 |
+| test.swift:791:15:791:15 | [post] dict4 | test.swift:791:15:791:15 | &... |
+| test.swift:791:15:791:15 | dict4 | test.swift:791:15:791:15 | &... |
+| test.swift:791:15:791:52 | call to updateValue(_:forKey:) | test.swift:791:15:791:53 | ...! |
+| test.swift:792:15:792:15 | [post] dict4 | test.swift:793:15:793:15 | dict4 |
+| test.swift:792:15:792:15 | dict4 | test.swift:793:15:793:15 | dict4 |
+| test.swift:792:15:792:35 | call to randomElement() | test.swift:792:15:792:36 | ...! |
+| test.swift:793:15:793:15 | [post] dict4 | test.swift:794:15:794:15 | dict4 |
+| test.swift:793:15:793:15 | dict4 | test.swift:794:15:794:15 | dict4 |
+| test.swift:793:15:793:35 | call to randomElement() | test.swift:793:15:793:36 | ...! |
+| test.swift:794:15:794:15 | [post] dict4 | test.swift:795:15:795:15 | dict4 |
+| test.swift:794:15:794:15 | dict4 | test.swift:795:15:795:15 | dict4 |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -759,3 +759,38 @@ func testWriteOptional() {
     sink(arg: mo2!.v2!) // $ MISSING:flow=749
     sink(arg: mo2!.v3) // $ MISSING:flow=750
 }
+
+func testDictionary() {
+    var dict1 = [1:2, 3:4, 5:6]
+    sink(arg: dict1[1])
+
+    dict1[1] = source()
+
+    sink(arg: dict1[1]) // $ flow=767
+
+    var dict2 = [source(): 1]
+    sink(arg: dict2[1])
+
+    for (key, value) in dict2 {
+        sink(arg: key) // $ MISSING: flow=771
+        sink(arg: value)
+    }
+
+    var dict3 = [1: source()]
+    sink(arg: dict3[1]) // $ flow=779
+
+    dict3[source()] = 2
+
+    for (key, value) in dict3 {
+        sink(arg: key) // $ MISSING: flow=782
+        sink(arg: value) // $ MISSING: flow=779
+    }
+
+    var dict4 = [1:source()]
+    sink(arg: dict4.updateValue(1, forKey: source())!)
+    sink(arg: dict4.updateValue(source(), forKey: 2)!)
+    sink(arg: dict4.randomElement()!.0) // $ MISSING: flow=791
+    sink(arg: dict4.randomElement()!.1) // $ flow=789 MISSING: flow=790
+    sink(arg: dict4.keys.randomElement()) // $ MISSING: flow=791
+    sink(arg: dict4.values.randomElement()) // $ MISSING: flow=789 flow=790
+}
