Swift: Support other parse modes.

Author: geoffw0

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -72,8 +72,8 @@ class RegexParseMode extends TRegexParseMode {
     (this = MkIgnoreCase() and result = "IGNORECASE") or
     (this = MkVerbose() and result = "VERBOSE") or
     (this = MkDotAll() and result = "DOTALL") or
-    (this = MkUnicode() and result = "MULTILINE") or
-    (this = MkIgnoreCase() and result = "UNICODE")
+    (this = MkMultiLine() and result = "MULTILINE") or
+    (this = MkUnicode() and result = "UNICODE")
   }
 }
 
@@ -105,11 +105,21 @@ class StandardRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
   override predicate modifiesParseMode(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, RegexParseMode mode, boolean isSet)
   {
     exists(CallExpr ce |
-      ce.getStaticTarget().(Method).hasQualifiedName("Regex", "dotMatchesNewlines(_:)") and
       nodeFrom.asExpr() = ce.getQualifier() and
       nodeTo.asExpr() = ce and
-      mode = MkDotAll() and
-      // TODO: other methods
+      // decode the parse mode being set
+      (
+        (
+          ce.getStaticTarget().(Method).hasQualifiedName("Regex", "ignoresCase(_:)") and
+          mode = MkIgnoreCase()
+        ) or (
+          ce.getStaticTarget().(Method).hasQualifiedName("Regex", "dotMatchesNewlines(_:)") and
+          mode = MkDotAll()
+        ) or (
+          ce.getStaticTarget().(Method).hasQualifiedName("Regex", "anchorsMatchLineEndings(_:)") and
+          mode = MkMultiLine()
+        )
+      ) and
       // decode the value being set
       if ce.getArgument(0).getExpr().(BooleanLiteralExpr).getValue() = false then
         isSet = false // mode is set to false
@@ -150,6 +160,20 @@ abstract class RegexEval extends CallExpr {
       RegexUseFlow::flow(regexCreation, DataFlow::exprNode(this.getRegexInput()))
     )
   }
+
+  /**
+   * Gets a parse mode that is set at this evaluation (in at least one path
+   * from the creation of the regular expression object).
+   */
+  RegexParseMode getAParseMode() {
+    exists(DataFlow::Node setNode |
+      // parse mode flag is set
+      any(RegexAdditionalFlowStep s).modifiesParseMode(_, setNode, result, true)
+      and
+      // reaches here
+      RegexParseModeFlow::flow(setNode, DataFlow::exprNode(this.getRegexInput()))
+    )
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/regex/internal/ParseRegex.qll

@@ -333,8 +333,7 @@ abstract class RegExp extends Expr {
     // mode flags applied to the regex object before evaluation
     exists(RegexEval e |
       e.getARegex() = this and
-      RegexParseModeFlow::flow(_, DataFlow::exprNode(e.getRegexInput())) and
-      result = "DOTALL" // TODO
+      result = e.getAParseMode().toString() // TODO: temp toString()
     )
   }
 

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -56,25 +56,39 @@ module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
  * flags from the point they are set to the point of use. The flow state
  * encodes which parse mode flag was set.
  */
-private module RegexParseModeConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) {
-    // parse mode flag is set
-    any(RegexAdditionalFlowStep s).modifiesParseMode(_, node, MkDotAll(), true)
-  }
+private module RegexParseModeConfig implements DataFlow::StateConfigSig {
+  class FlowState = RegexParseMode;
 
-  predicate isBarrierIn(DataFlow::Node node) {
-    // parse mode flag is set or unset
-    any(RegexAdditionalFlowStep s).modifiesParseMode(_, node, MkDotAll(), _)
+  predicate isSource(DataFlow::Node node, FlowState flowstate) {
+    // parse mode flag is set
+    any(RegexAdditionalFlowStep s).modifiesParseMode(_, node, flowstate, true)
   }
 
-  predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node, FlowState flowstate) {
     // evaluation of the regex
     node.asExpr() = any(RegexEval eval).getRegexInput()
+    and
+    flowstate = any(FlowState fs)
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    none()
+  }
+
+  predicate isBarrier(DataFlow::Node node, FlowState flowstate) {
+    // parse mode flag is set or unset
+    any(RegexAdditionalFlowStep s).modifiesParseMode(node, _, flowstate, _)
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState flowstateFrom, DataFlow::Node nodeTo, FlowState flowStateTo
+  ) {
+    none()
+  }
 }
 
-module RegexParseModeFlow = DataFlow::Global<RegexParseModeConfig>;
+module RegexParseModeFlow = DataFlow::GlobalWithState<RegexParseModeConfig>;

swift/ql/test/library-tests/regex/regex.swift

@@ -214,7 +214,7 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
     _ = try Regex("abc").dotMatchesNewlines(false).firstMatch(in: input) // $ input=input regex=abc
     _ = try Regex("abc").dotMatchesNewlines(true).dotMatchesNewlines(false).firstMatch(in: input) // $ input=input regex=abc
     _ = try Regex("abc").dotMatchesNewlines(false).dotMatchesNewlines(true).firstMatch(in: input) // $ input=input regex=abc modes=DOTALL
-    _ = try Regex("abc").dotMatchesNewlines().ignoresCase().firstMatch(in: input) // $ input=input regex=abc SPURIOUS: modes=DOTALL MISSING: modes="DOTALL | IGNORECASE"
+    _ = try Regex("abc").dotMatchesNewlines().ignoresCase().firstMatch(in: input) // $ input=input regex=abc modes="DOTALL | IGNORECASE"
 
     _ = try NSRegularExpression(pattern: ".*", options: .caseInsensitive).firstMatch(in: input, range: NSMakeRange(0, input.utf16.count)) // $ regex=.* input=input MISSING: modes=IGNORECASE
     _ = try NSRegularExpression(pattern: ".*", options: .dotMatchesLineSeparators).firstMatch(in: input, range: NSMakeRange(0, input.utf16.count)) // $ regex=.* input=input MISSING: modes=DOTALL