Swift: Use PointerType in data flow's 'modifiable' predicate.

geoffw0 · geoffw0 · commit 234f17b57829 · 2023-03-03T16:23:49.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -7,6 +7,7 @@ private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
 private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -212,7 +213,7 @@ private predicate modifiable(Argument arg) {
   or
   arg.getExpr().getType() instanceof NominalType
   or
-  arg.getLabel() = "ptr"
+  arg.getExpr().getType() instanceof PointerType
 }
 
 predicate modifiableParam(ParamDecl param) {
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift
@@ -158,13 +158,13 @@ func taintThroughData() {
 	let dataTainted19 = source() as! Data
 	let pointerTainted19 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted19.copyBytes(to: pointerTainted19, count: 0)
-	sink(arg: pointerTainted19) // $ MISSING: tainted=158
+	sink(arg: pointerTainted19) // $ tainted=158
 
 	// ";Data;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
 	let dataTainted20 = source() as! Data
 	let pointerTainted20 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted20.copyBytes(to: pointerTainted20, from: 0..<1)
-	sink(arg: pointerTainted20) // $ MISSING: tainted=164
+	sink(arg: pointerTainted20) // $ tainted=164
 
 	// ";Data;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted21 = source() as! Data
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift
@@ -318,14 +318,14 @@ func taintThroughInterpolatedStrings() {
   harmless.getCharacters(ptr1, range: myRange)
   sink(arg: ptr1)
   sourceNSString().getCharacters(ptr1, range: myRange)
-  sink(arg: ptr1) // $ MISSING: tainted=
+  sink(arg: ptr1) // $ tainted=320
 
   var ptr2 = (nil as UnsafeMutablePointer<unichar>?)!
   sink(arg: ptr2)
   harmless.getCharacters(ptr2)
   sink(arg: ptr2)
   sourceNSString().getCharacters(ptr2)
-  sink(arg: ptr2) // $ MISSING: tainted=
+  sink(arg: ptr2) // $ tainted=327
 
   var ptr3 = (nil as UnsafeMutableRawPointer?)!
   sink(arg: ptr3)
@@ -339,14 +339,14 @@ func taintThroughInterpolatedStrings() {
   harmless.getCString(ptr4, maxLength: 128, encoding: 0)
   sink(arg: ptr4)
   sourceNSString().getCString(ptr4, maxLength: 128, encoding: 0)
-  sink(arg: ptr4) // $ MISSING: tainted=
+  sink(arg: ptr4) // $ tainted=341
 
   var ptr5 = (nil as UnsafeMutablePointer<CChar>?)!
   sink(arg: ptr5)
   harmless.getCString(ptr5)
   sink(arg: ptr5)
   sourceNSString().getCString(ptr5)
-  sink(arg: ptr5) // $ MISSING: tainted=
+  sink(arg: ptr5) // $ tainted=348
 
   sink(arg: harmless.enumerateLines({
     line, stop in
@@ -363,18 +363,18 @@ func taintThroughInterpolatedStrings() {
   var outLongest = (nil as AutoreleasingUnsafeMutablePointer<NSString?>?)!
   var outArray = (nil as AutoreleasingUnsafeMutablePointer<NSArray?>?)!
   if (str10.completePath(into: outLongest, caseSensitive: false, matchesInto: outArray, filterTypes: nil) > 0) {
-    sink(arg: outLongest) // $ MISSING: tainted=
+    sink(arg: outLongest) // $ tainted=362
     sink(arg: outLongest.pointee) // $ MISSING: tainted=
     sink(arg: outLongest.pointee!) // $ MISSING: tainted=
-    sink(arg: outArray) // $ MISSING: tainted=
+    sink(arg: outArray) // $ tainted=362
     sink(arg: outArray.pointee) // $ MISSING: tainted=
     sink(arg: outArray.pointee!) // $ MISSING: tainted=
   }
 
   var str11 = sourceNSString()
   var outBuffer = (nil as UnsafeMutablePointer<CChar>?)!
   if (str11.getFileSystemRepresentation(outBuffer, maxLength: 256)) {
-    sink(arg: outBuffer) // $ MISSING: tainted=
+    sink(arg: outBuffer) // $ tainted=374
     sink(arg: outBuffer.pointee) // $ MISSING: tainted=
   }
 
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
@@ -96,6 +96,6 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {
 
   taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
 
-  sink(arg: ptr.pointee) // $ tainted=87
+  sink(arg: ptr.pointee) // $ MISSING: tainted=87
   sink(arg: ptr)
 }

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,6 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {`
`96`	`96`
`97`	`97`	taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
`98`	`98`
`99`		`- sink(arg: ptr.pointee) // $ tainted=87`
	`99`	`+ sink(arg: ptr.pointee) // $ MISSING: tainted=87`
`100`	`100`	`sink(arg: ptr)`
`101`	`101`	`}`