
Commit 1a7e748

committed
Swift: Add taint flow through assignments other than =.
1 parent a222757 commit 1a7e748


5 files changed

+70
-11
lines changed


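--- a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
@@ -46,6 +46,12 @@ private module Cached {
 // allow flow through arithmetic (this case includes string concatenation)
 nodeTo.asExpr().(ArithmeticOperation).getAnOperand() = nodeFrom.asExpr()
 or
+// allow flow through assignment operations (e.g. `+=`)
+exists(AssignOperation op |
+nodeFrom.asExpr() = op.getSource() and
+nodeTo.asExpr() = op.getDest()
+)
+or
 // flow through a subscript access
 exists(SubscriptExpr se |
 se.getBase() = nodeFrom.asExpr() and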
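Review bot: The comment on the new `AssignOperation` disjunct does not say which node receives the taint, which matters to anyone reasoning about missed or spurious alerts. `nodeTo` is the destination operand expression itself (the plain `&...` rows added to LocalTaint.expected in this commit), not the `[post] &...` node, so later reads are reached only through the existing local flow out of `&...`. I would spell that out, for example `// taint the destination operand of a compound assignment (such as +=) from its source operand; later reads are reached via local flow from that operand`. The enclosing predicate in `Cached` begins and ends outside this hunk.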

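--- a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -253,6 +253,7 @@
 | data.swift:195:58:195:58 | &... | data.swift:195:58:195:73 | ...[...] |
 | data.swift:195:58:195:58 | c | data.swift:195:58:195:58 | &... |
 | data.swift:195:58:195:73 | ...[...] | data.swift:195:58:195:73 | &... |
+| data.swift:195:78:195:78 | 1 | data.swift:195:58:195:73 | &... |
 | data.swift:199:6:199:6 | SSA def(dataTainted27) | data.swift:200:2:200:2 | dataTainted27 |
 | data.swift:199:22:199:29 | call to Data.init(_:) | data.swift:199:6:199:6 | SSA def(dataTainted27) |
 | data.swift:199:27:199:27 | | data.swift:199:22:199:29 | call to Data.init(_:) |
@@ -585,58 +586,69 @@
 | simple.swift:38:3:38:3 | &... | simple.swift:39:13:39:13 | a |
 | simple.swift:38:3:38:3 | [post] &... | simple.swift:39:13:39:13 | a |
 | simple.swift:38:3:38:3 | a | simple.swift:38:3:38:3 | &... |
+| simple.swift:38:8:38:8 | 1 | simple.swift:38:3:38:3 | &... |
 | simple.swift:39:13:39:13 | [post] a | simple.swift:40:3:40:3 | a |
 | simple.swift:39:13:39:13 | a | simple.swift:40:3:40:3 | a |
 | simple.swift:40:3:40:3 | &... | simple.swift:41:13:41:13 | a |
 | simple.swift:40:3:40:3 | [post] &... | simple.swift:41:13:41:13 | a |
 | simple.swift:40:3:40:3 | a | simple.swift:40:3:40:3 | &... |
+| simple.swift:40:8:40:15 | call to source() | simple.swift:40:3:40:3 | &... |
 | simple.swift:41:13:41:13 | [post] a | simple.swift:42:3:42:3 | a |
 | simple.swift:41:13:41:13 | a | simple.swift:42:3:42:3 | a |
 | simple.swift:42:3:42:3 | &... | simple.swift:43:13:43:13 | a |
 | simple.swift:42:3:42:3 | [post] &... | simple.swift:43:13:43:13 | a |
 | simple.swift:42:3:42:3 | a | simple.swift:42:3:42:3 | &... |
+| simple.swift:42:8:42:8 | 1 | simple.swift:42:3:42:3 | &... |
 | simple.swift:44:3:44:7 | SSA def(a) | simple.swift:45:13:45:13 | a |
 | simple.swift:44:7:44:7 | 0 | simple.swift:44:3:44:7 | SSA def(a) |
 | simple.swift:47:7:47:7 | SSA def(b) | simple.swift:48:3:48:3 | b |
 | simple.swift:47:11:47:11 | 128 | simple.swift:47:7:47:7 | SSA def(b) |
 | simple.swift:48:3:48:3 | &... | simple.swift:49:13:49:13 | b |
 | simple.swift:48:3:48:3 | [post] &... | simple.swift:49:13:49:13 | b |
 | simple.swift:48:3:48:3 | b | simple.swift:48:3:48:3 | &... |
+| simple.swift:48:8:48:15 | call to source() | simple.swift:48:3:48:3 | &... |
 | simple.swift:49:13:49:13 | [post] b | simple.swift:50:3:50:3 | b |
 | simple.swift:49:13:49:13 | b | simple.swift:50:3:50:3 | b |
 | simple.swift:50:3:50:3 | &... | simple.swift:51:13:51:13 | b |
 | simple.swift:50:3:50:3 | [post] &... | simple.swift:51:13:51:13 | b |
 | simple.swift:50:3:50:3 | b | simple.swift:50:3:50:3 | &... |
+| simple.swift:50:8:50:8 | 1 | simple.swift:50:3:50:3 | &... |
 | simple.swift:53:7:53:7 | SSA def(c) | simple.swift:54:3:54:3 | c |
 | simple.swift:53:11:53:11 | 10 | simple.swift:53:7:53:7 | SSA def(c) |
 | simple.swift:54:3:54:3 | &... | simple.swift:55:13:55:13 | c |
 | simple.swift:54:3:54:3 | [post] &... | simple.swift:55:13:55:13 | c |
 | simple.swift:54:3:54:3 | c | simple.swift:54:3:54:3 | &... |
+| simple.swift:54:8:54:15 | call to source() | simple.swift:54:3:54:3 | &... |
 | simple.swift:55:13:55:13 | [post] c | simple.swift:56:3:56:3 | c |
 | simple.swift:55:13:55:13 | c | simple.swift:56:3:56:3 | c |
 | simple.swift:56:3:56:3 | &... | simple.swift:57:13:57:13 | c |
 | simple.swift:56:3:56:3 | [post] &... | simple.swift:57:13:57:13 | c |
 | simple.swift:56:3:56:3 | c | simple.swift:56:3:56:3 | &... |
+| simple.swift:56:8:56:8 | 2 | simple.swift:56:3:56:3 | &... |
 | simple.swift:59:7:59:7 | SSA def(d) | simple.swift:60:3:60:3 | d |
 | simple.swift:59:11:59:11 | 100 | simple.swift:59:7:59:7 | SSA def(d) |
 | simple.swift:60:3:60:3 | &... | simple.swift:61:13:61:13 | d |
 | simple.swift:60:3:60:3 | [post] &... | simple.swift:61:13:61:13 | d |
 | simple.swift:60:3:60:3 | d | simple.swift:60:3:60:3 | &... |
+| simple.swift:60:8:60:15 | call to source() | simple.swift:60:3:60:3 | &... |
 | simple.swift:61:13:61:13 | [post] d | simple.swift:62:3:62:3 | d |
 | simple.swift:61:13:61:13 | d | simple.swift:62:3:62:3 | d |
 | simple.swift:62:3:62:3 | &... | simple.swift:63:13:63:13 | d |
 | simple.swift:62:3:62:3 | [post] &... | simple.swift:63:13:63:13 | d |
 | simple.swift:62:3:62:3 | d | simple.swift:62:3:62:3 | &... |
+| simple.swift:62:8:62:8 | 2 | simple.swift:62:3:62:3 | &... |
 | simple.swift:65:7:65:7 | SSA def(e) | simple.swift:66:3:66:3 | e |
 | simple.swift:65:11:65:11 | 1000 | simple.swift:65:7:65:7 | SSA def(e) |
 | simple.swift:66:3:66:3 | &... | simple.swift:67:13:67:13 | e |
 | simple.swift:66:3:66:3 | [post] &... | simple.swift:67:13:67:13 | e |
 | simple.swift:66:3:66:3 | e | simple.swift:66:3:66:3 | &... |
+| simple.swift:66:8:66:15 | call to source() | simple.swift:66:3:66:3 | &... |
 | simple.swift:67:13:67:13 | [post] e | simple.swift:68:3:68:3 | e |
 | simple.swift:67:13:67:13 | e | simple.swift:68:3:68:3 | e |
 | simple.swift:68:3:68:3 | &... | simple.swift:69:13:69:13 | e |
 | simple.swift:68:3:68:3 | [post] &... | simple.swift:69:13:69:13 | e |
 | simple.swift:68:3:68:3 | e | simple.swift:68:3:68:3 | &... |
+| simple.swift:68:8:68:8 | 100 | simple.swift:68:3:68:3 | &... |
 | string.swift:6:8:6:8 | SSA def(self) | string.swift:6:8:6:8 | self[return] |
 | string.swift:6:8:6:8 | self | string.swift:6:8:6:8 | SSA def(self) |
 | string.swift:10:3:10:3 | SSA def(self) | string.swift:10:3:10:27 | self[return] |
@@ -1166,11 +1178,13 @@
 | string.swift:181:3:181:3 | &... | string.swift:182:13:182:13 | str |
 | string.swift:181:3:181:3 | [post] &... | string.swift:182:13:182:13 | str |
 | string.swift:181:3:181:3 | str | string.swift:181:3:181:3 | &... |
+| string.swift:181:10:181:10 | def | string.swift:181:3:181:3 | &... |
 | string.swift:182:13:182:13 | [post] str | string.swift:183:3:183:3 | str |
 | string.swift:182:13:182:13 | str | string.swift:183:3:183:3 | str |
 | string.swift:183:3:183:3 | &... | string.swift:184:13:184:13 | str |
 | string.swift:183:3:183:3 | [post] &... | string.swift:184:13:184:13 | str |
 | string.swift:183:3:183:3 | str | string.swift:183:3:183:3 | &... |
+| string.swift:183:10:183:18 | call to source2() | string.swift:183:3:183:3 | &... |
 | string.swift:186:7:186:7 | SSA def(str2) | string.swift:187:13:187:13 | str2 |
 | string.swift:186:14:186:14 | abc | string.swift:186:7:186:7 | SSA def(str2) |
 | string.swift:187:13:187:13 | [post] str2 | string.swift:188:3:188:3 | str2 |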

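--- a/swift/ql/test/library-tests/dataflow/taint/Taint.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
@@ -342,6 +342,16 @@ edges
 | simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... |
 | simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
 | simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) |
+| simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a |
+| simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a |
+| simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b |
+| simple.swift:48:8:48:15 | call to source() : | simple.swift:51:13:51:13 | b |
+| simple.swift:54:8:54:15 | call to source() : | simple.swift:55:13:55:13 | c |
+| simple.swift:54:8:54:15 | call to source() : | simple.swift:57:13:57:13 | c |
+| simple.swift:60:8:60:15 | call to source() : | simple.swift:61:13:61:13 | d |
+| simple.swift:60:8:60:15 | call to source() : | simple.swift:63:13:63:13 | d |
+| simple.swift:66:8:66:15 | call to source() : | simple.swift:67:13:67:13 | e |
+| simple.swift:66:8:66:15 | call to source() : | simple.swift:69:13:69:13 | e |
 | string.swift:60:2:60:54 | [summary param] 0 in String.init(data:encoding:) : | file://:0:0:0:0 | [summary] to write: return (return) in String.init(data:encoding:) : |
 | string.swift:64:3:64:63 | [summary param] 0 in String.init(format:_:) : | file://:0:0:0:0 | [summary] to write: return (return) in String.init(format:_:) : |
 | string.swift:65:3:65:60 | [summary param] 0 in String.init(format:arguments:) : | file://:0:0:0:0 | [summary] to write: return (return) in String.init(format:arguments:) : |
@@ -387,6 +397,7 @@ edges
 | string.swift:177:13:177:13 | tainted : | string.swift:177:13:177:38 | call to appending(_:) |
 | string.swift:177:31:177:31 | tainted : | string.swift:106:3:106:82 | [summary param] 0 in appending(_:) : |
 | string.swift:177:31:177:31 | tainted : | string.swift:177:13:177:38 | call to appending(_:) |
+| string.swift:183:10:183:18 | call to source2() : | string.swift:184:13:184:13 | str |
 | string.swift:190:3:190:3 | [post] &... : | string.swift:191:13:191:13 | str2 |
 | string.swift:190:15:190:23 | call to source2() : | file://:0:0:0:0 | [summary param] 0 in append(_:) : |
 | string.swift:190:15:190:23 | call to source2() : | string.swift:190:3:190:3 | [post] &... : |
@@ -1403,6 +1414,21 @@ nodes
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | semmle.label | ... .%(_:_:) ... |
 | simple.swift:23:13:23:21 | call to -(_:) | semmle.label | call to -(_:) |
 | simple.swift:23:14:23:21 | call to source() : | semmle.label | call to source() : |
+| simple.swift:40:8:40:15 | call to source() : | semmle.label | call to source() : |
+| simple.swift:41:13:41:13 | a | semmle.label | a |
+| simple.swift:43:13:43:13 | a | semmle.label | a |
+| simple.swift:48:8:48:15 | call to source() : | semmle.label | call to source() : |
+| simple.swift:49:13:49:13 | b | semmle.label | b |
+| simple.swift:51:13:51:13 | b | semmle.label | b |
+| simple.swift:54:8:54:15 | call to source() : | semmle.label | call to source() : |
+| simple.swift:55:13:55:13 | c | semmle.label | c |
+| simple.swift:57:13:57:13 | c | semmle.label | c |
+| simple.swift:60:8:60:15 | call to source() : | semmle.label | call to source() : |
+| simple.swift:61:13:61:13 | d | semmle.label | d |
+| simple.swift:63:13:63:13 | d | semmle.label | d |
+| simple.swift:66:8:66:15 | call to source() : | semmle.label | call to source() : |
+| simple.swift:67:13:67:13 | e | semmle.label | e |
+| simple.swift:69:13:69:13 | e | semmle.label | e |
 | string.swift:60:2:60:54 | [summary param] 0 in String.init(data:encoding:) : | semmle.label | [summary param] 0 in String.init(data:encoding:) : |
 | string.swift:64:3:64:63 | [summary param] 0 in String.init(format:_:) : | semmle.label | [summary param] 0 in String.init(format:_:) : |
 | string.swift:65:3:65:60 | [summary param] 0 in String.init(format:arguments:) : | semmle.label | [summary param] 0 in String.init(format:arguments:) : |
@@ -1446,6 +1472,8 @@ nodes
 | string.swift:177:13:177:13 | tainted : | semmle.label | tainted : |
 | string.swift:177:13:177:38 | call to appending(_:) | semmle.label | call to appending(_:) |
 | string.swift:177:31:177:31 | tainted : | semmle.label | tainted : |
+| string.swift:183:10:183:18 | call to source2() : | semmle.label | call to source2() : |
+| string.swift:184:13:184:13 | str | semmle.label | str |
 | string.swift:190:3:190:3 | [post] &... : | semmle.label | [post] &... : |
 | string.swift:190:15:190:23 | call to source2() : | semmle.label | call to source2() : |
 | string.swift:191:13:191:13 | str2 | semmle.label | str2 |
@@ -2128,6 +2156,16 @@ subpaths
 | simple.swift:20:13:20:26 | ... .%(_:_:) ... | simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... | result |
 | simple.swift:21:13:21:24 | ... .%(_:_:) ... | simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... | result |
 | simple.swift:23:13:23:21 | call to -(_:) | simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) | result |
+| simple.swift:41:13:41:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a | result |
+| simple.swift:43:13:43:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a | result |
+| simple.swift:49:13:49:13 | b | simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b | result |
+| simple.swift:51:13:51:13 | b | simple.swift:48:8:48:15 | call to source() : | simple.swift:51:13:51:13 | b | result |
+| simple.swift:55:13:55:13 | c | simple.swift:54:8:54:15 | call to source() : | simple.swift:55:13:55:13 | c | result |
+| simple.swift:57:13:57:13 | c | simple.swift:54:8:54:15 | call to source() : | simple.swift:57:13:57:13 | c | result |
+| simple.swift:61:13:61:13 | d | simple.swift:60:8:60:15 | call to source() : | simple.swift:61:13:61:13 | d | result |
+| simple.swift:63:13:63:13 | d | simple.swift:60:8:60:15 | call to source() : | simple.swift:63:13:63:13 | d | result |
+| simple.swift:67:13:67:13 | e | simple.swift:66:8:66:15 | call to source() : | simple.swift:67:13:67:13 | e | result |
+| simple.swift:69:13:69:13 | e | simple.swift:66:8:66:15 | call to source() : | simple.swift:69:13:69:13 | e | result |
 | string.swift:139:13:139:13 | "..." | string.swift:137:11:137:18 | call to source() : | string.swift:139:13:139:13 | "..." | result |
 | string.swift:141:13:141:13 | "..." | string.swift:137:11:137:18 | call to source() : | string.swift:141:13:141:13 | "..." | result |
 | string.swift:143:13:143:13 | "..." | string.swift:137:11:137:18 | call to source() : | string.swift:143:13:143:13 | "..." | result |
@@ -2141,6 +2179,7 @@ subpaths
 | string.swift:175:13:175:36 | call to appending(_:) | string.swift:161:17:161:25 | call to source2() : | string.swift:175:13:175:36 | call to appending(_:) | result |
 | string.swift:176:13:176:36 | call to appending(_:) | string.swift:161:17:161:25 | call to source2() : | string.swift:176:13:176:36 | call to appending(_:) | result |
 | string.swift:177:13:177:38 | call to appending(_:) | string.swift:161:17:161:25 | call to source2() : | string.swift:177:13:177:38 | call to appending(_:) | result |
+| string.swift:184:13:184:13 | str | string.swift:183:10:183:18 | call to source2() : | string.swift:184:13:184:13 | str | result |
 | string.swift:191:13:191:13 | str2 | string.swift:190:15:190:23 | call to source2() : | string.swift:191:13:191:13 | str2 | result |
 | string.swift:198:13:198:13 | str3 | string.swift:197:27:197:35 | call to source2() : | string.swift:198:13:198:13 | str3 | result |
 | string.swift:205:13:205:13 | str4 | string.swift:204:14:204:22 | call to source2() : | string.swift:205:13:205:13 | str4 | result |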

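--- a/swift/ql/test/library-tests/dataflow/taint/simple.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/simple.swift
@@ -38,33 +38,33 @@ func taintThroughAssignmentArithmetic() {
 a += 1
 sink(arg: a)
 a += source()
-sink(arg: a) // $ MISSING: tainted=
+sink(arg: a) // $ tainted=40
 a += 1
-sink(arg: a) // $ MISSING: tainted=
+sink(arg: a) // $ tainted=40
 a = 0
 sink(arg: a)
 
 var b = 128
 b -= source()
-sink(arg: b) // $ MISSING: tainted=
+sink(arg: b) // $ tainted=48
 b -= 1
-sink(arg: b) // $ MISSING: tainted=
+sink(arg: b) // $ tainted=48
 
 var c = 10
 c *= source()
-sink(arg: c) // $ MISSING: tainted=
+sink(arg: c) // $ tainted=54
 c *= 2
-sink(arg: c) // $ MISSING: tainted=
+sink(arg: c) // $ tainted=54
 
 var d = 100
 d /= source()
-sink(arg: d) // $ MISSING: tainted=
+sink(arg: d) // $ tainted=60
 d /= 2
-sink(arg: d) // $ MISSING: tainted=
+sink(arg: d) // $ tainted=60
 
 var e = 1000
 e %= source()
-sink(arg: e) // $ MISSING: tainted=
+sink(arg: e) // $ tainted=66
 e %= 100
-sink(arg: e) // $ MISSING: tainted=
+sink(arg: e) // $ tainted=66
 }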
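Review bot: The cases in `taintThroughAssignmentArithmetic` stop at `+=`, `-=`, `*=`, `/=` and `%=`, while the library step added in this commit is written against `AssignOperation` with no restriction on the operator. If that class also matches bitwise and shift compound assignments (its definition is not visible on this page), a case such as `f |= source()` followed by `sink(arg: f) // $ tainted=<line of the source() call>` would pin that behaviour. A later narrowing of the step would then show up as a test change rather than as a silent loss of alerts. The function's opening lines are outside the hunk.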

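--- a/swift/ql/test/library-tests/dataflow/taint/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/string.swift
@@ -181,7 +181,7 @@ func taintThroughStringConcatenation() {
 str += "def"
 sink(arg: str)
 str += source2()
-sink(arg: str) // $ MISSING: tainted=183
+sink(arg: str) // $ tainted=183
 
 var str2 = "abc"
 sink(arg: str2)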
