Swift: Add tests where a user-defined (non-modelled) function taints the pointee of a pointer argument.

geoffw0 · geoffw0 · commit 15227d3c0920 · 2023-03-03T15:00:22.000Z
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
@@ -0,0 +1,101 @@
+
+// --- stubs ---
+
+func sourceString() -> String { return "" }
+func sourceUInt8() -> UInt8 { return 0 }
+func sink(arg: Any) {}
+
+// --- tests ---
+
+func clearPointer1(ptr: UnsafeMutablePointer<String>) {
+  ptr.pointee = "abc"
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+}
+
+func taintPointer(ptr: UnsafeMutablePointer<String>) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  ptr.pointee = sourceString()
+
+  sink(arg: ptr.pointee) // $ tainted=21
+  sink(arg: ptr)
+}
+
+func clearPointer2(ptr: UnsafeMutablePointer<String>) {
+  sink(arg: ptr.pointee) // $ MISSING: tainted=21
+  sink(arg: ptr)
+
+  ptr.pointee = "abc"
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+}
+
+func testMutatingPointerInCall(ptr: UnsafeMutablePointer<String>) {
+  clearPointer1(ptr: ptr)
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  taintPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
+
+  sink(arg: ptr.pointee) // $ MISSING: tainted=21
+  sink(arg: ptr)
+
+  clearPointer2(ptr: ptr)
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+}
+
+// ---
+
+func taintBuffer(buffer: UnsafeMutableBufferPointer<UInt8>) {
+  sink(arg: buffer[0])
+  sink(arg: buffer)
+
+  buffer[0] = sourceUInt8()
+
+  sink(arg: buffer[0]) // $ MISSING: tainted=60
+  sink(arg: buffer)
+}
+
+func testMutatingBufferInCall(ptr: UnsafeMutablePointer<UInt8>) {
+  let buffer = UnsafeMutableBufferPointer<UInt8>(start: ptr, count: 1000)
+
+  sink(arg: buffer[0])
+  sink(arg: buffer)
+
+  taintBuffer(buffer: buffer) // mutates `buffer` contents with a tainted value
+
+  sink(arg: buffer[0]) // $ MISSING: tainted=60
+  sink(arg: buffer)
+
+}
+
+// ---
+
+typealias MyPointer = UnsafeMutablePointer<String>
+
+func taintMyPointer(ptr: MyPointer) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  ptr.pointee = sourceString()
+
+  sink(arg: ptr.pointee) // $ tainted=87
+  sink(arg: ptr)
+}
+
+func testMutatingMyPointerInCall(ptr: MyPointer) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
+
+  sink(arg: ptr.pointee) // $ MISSING: tainted=87
+  sink(arg: ptr)
+}
