Merge pull request github#12391 from geoffw0/ptrout

Swift: Permit data flow out through pointer arguments

Author: geoffw0

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -7,6 +7,7 @@ private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
 private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -211,6 +212,8 @@ private predicate modifiable(Argument arg) {
   arg.getExpr() instanceof InOutExpr
   or
   arg.getExpr().getType() instanceof NominalType
+  or
+  arg.getExpr().getType() instanceof PointerType
 }
 
 predicate modifiableParam(ParamDecl param) {

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll

@@ -0,0 +1,75 @@
+/**
+ * Provides models for Swift pointer types including `UnsafePointer`,
+ * `UnsafeBufferPointer` and similar types.
+ */
+
+import swift
+
+/**
+ * A type that is used as a pointer in Swift, such as `UnsafePointer`,
+ * `UnsafeBufferPointer` and similar types.
+ */
+class PointerType extends Type {
+  PointerType() {
+    this instanceof UnsafeTypedPointerType or
+    this instanceof UnsafeRawPointerType or
+    this instanceof OpaquePointerType or
+    this instanceof AutoreleasingUnsafeMutablePointerType or
+    this instanceof UnmanagedType or
+    this instanceof CVaListPointerType or
+    this instanceof ManagedBufferPointerType
+  }
+}
+
+/**
+ * A Swift unsafe typed pointer type such as `UnsafePointer`,
+ * `UnsafeMutablePointer` or `UnsafeBufferPointer`.
+ */
+class UnsafeTypedPointerType extends BoundGenericType {
+  UnsafeTypedPointerType() { this.getName().regexpMatch("Unsafe(Mutable|)(Buffer|)Pointer<.*") }
+}
+
+/**
+ * A Swift unsafe raw pointer type such as `UnsafeRawPointer`,
+ * `UnsafeMutableRawPointer` or `UnsafeRawBufferPointer`.
+ */
+class UnsafeRawPointerType extends NominalType {
+  UnsafeRawPointerType() { this.getName().regexpMatch("Unsafe(Mutable|)Raw(Buffer|)Pointer") }
+}
+
+/**
+ * A Swift `OpaquePointer`.
+ */
+class OpaquePointerType extends NominalType {
+  OpaquePointerType() { this.getName() = "OpaquePointer" }
+}
+
+/**
+ * A Swift `AutoreleasingUnsafeMutablePointer`.
+ */
+class AutoreleasingUnsafeMutablePointerType extends BoundGenericType {
+  AutoreleasingUnsafeMutablePointerType() {
+    this.getName().matches("AutoreleasingUnsafeMutablePointer<%")
+  }
+}
+
+/**
+ * A Swift `Unmanaged` object reference.
+ */
+class UnmanagedType extends BoundGenericType {
+  UnmanagedType() { this.getName().matches("Unmanaged<%") }
+}
+
+/**
+ * A Swift `CVaListPointer`.
+ */
+class CVaListPointerType extends NominalType {
+  CVaListPointerType() { this.getName() = "CVaListPointer" }
+}
+
+/**
+ * A Swift `ManagedBufferPointer`.
+ */
+class ManagedBufferPointerType extends BoundGenericType {
+  ManagedBufferPointerType() { this.getName().matches("ManagedBufferPointer<%") }
+}

swift/ql/test/library-tests/dataflow/taint/libraries/data.swift

@@ -158,13 +158,13 @@ func taintThroughData() {
 	let dataTainted19 = source() as! Data
 	let pointerTainted19 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted19.copyBytes(to: pointerTainted19, count: 0)
-	sink(arg: pointerTainted19) // $ MISSING: tainted=158
+	sink(arg: pointerTainted19) // $ tainted=158
 
 	// ";Data;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
 	let dataTainted20 = source() as! Data
 	let pointerTainted20 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted20.copyBytes(to: pointerTainted20, from: 0..<1)
-	sink(arg: pointerTainted20) // $ MISSING: tainted=164
+	sink(arg: pointerTainted20) // $ tainted=164
 
 	// ";Data;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted21 = source() as! Data

swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift

@@ -318,14 +318,14 @@ func taintThroughInterpolatedStrings() {
   harmless.getCharacters(ptr1, range: myRange)
   sink(arg: ptr1)
   sourceNSString().getCharacters(ptr1, range: myRange)
-  sink(arg: ptr1) // $ MISSING: tainted=
+  sink(arg: ptr1) // $ tainted=320
 
   var ptr2 = (nil as UnsafeMutablePointer<unichar>?)!
   sink(arg: ptr2)
   harmless.getCharacters(ptr2)
   sink(arg: ptr2)
   sourceNSString().getCharacters(ptr2)
-  sink(arg: ptr2) // $ MISSING: tainted=
+  sink(arg: ptr2) // $ tainted=327
 
   var ptr3 = (nil as UnsafeMutableRawPointer?)!
   sink(arg: ptr3)
@@ -339,14 +339,14 @@ func taintThroughInterpolatedStrings() {
   harmless.getCString(ptr4, maxLength: 128, encoding: 0)
   sink(arg: ptr4)
   sourceNSString().getCString(ptr4, maxLength: 128, encoding: 0)
-  sink(arg: ptr4) // $ MISSING: tainted=
+  sink(arg: ptr4) // $ tainted=341
 
   var ptr5 = (nil as UnsafeMutablePointer<CChar>?)!
   sink(arg: ptr5)
   harmless.getCString(ptr5)
   sink(arg: ptr5)
   sourceNSString().getCString(ptr5)
-  sink(arg: ptr5) // $ MISSING: tainted=
+  sink(arg: ptr5) // $ tainted=348
 
   sink(arg: harmless.enumerateLines({
     line, stop in
@@ -363,18 +363,18 @@ func taintThroughInterpolatedStrings() {
   var outLongest = (nil as AutoreleasingUnsafeMutablePointer<NSString?>?)!
   var outArray = (nil as AutoreleasingUnsafeMutablePointer<NSArray?>?)!
   if (str10.completePath(into: outLongest, caseSensitive: false, matchesInto: outArray, filterTypes: nil) > 0) {
-    sink(arg: outLongest) // $ MISSING: tainted=
+    sink(arg: outLongest) // $ tainted=362
     sink(arg: outLongest.pointee) // $ MISSING: tainted=
     sink(arg: outLongest.pointee!) // $ MISSING: tainted=
-    sink(arg: outArray) // $ MISSING: tainted=
+    sink(arg: outArray) // $ tainted=362
     sink(arg: outArray.pointee) // $ MISSING: tainted=
     sink(arg: outArray.pointee!) // $ MISSING: tainted=
   }
 
   var str11 = sourceNSString()
   var outBuffer = (nil as UnsafeMutablePointer<CChar>?)!
   if (str11.getFileSystemRepresentation(outBuffer, maxLength: 256)) {
-    sink(arg: outBuffer) // $ MISSING: tainted=
+    sink(arg: outBuffer) // $ tainted=374
     sink(arg: outBuffer.pointee) // $ MISSING: tainted=
   }
 

swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift

@@ -0,0 +1,101 @@
+
+// --- stubs ---
+
+func sourceString() -> String { return "" }
+func sourceUInt8() -> UInt8 { return 0 }
+func sink(arg: Any) {}
+
+// --- tests ---
+
+func clearPointer1(ptr: UnsafeMutablePointer<String>) {
+  ptr.pointee = "abc"
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+}
+
+func taintPointer(ptr: UnsafeMutablePointer<String>) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  ptr.pointee = sourceString()
+
+  sink(arg: ptr.pointee) // $ tainted=21
+  sink(arg: ptr)
+}
+
+func clearPointer2(ptr: UnsafeMutablePointer<String>) {
+  sink(arg: ptr.pointee) // $ tainted=21
+  sink(arg: ptr)
+
+  ptr.pointee = "abc"
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+}
+
+func testMutatingPointerInCall(ptr: UnsafeMutablePointer<String>) {
+  clearPointer1(ptr: ptr)
+
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  taintPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
+
+  sink(arg: ptr.pointee) // $ tainted=21
+  sink(arg: ptr)
+
+  clearPointer2(ptr: ptr)
+
+  sink(arg: ptr.pointee) // $ SPURIOUS: tainted=21
+  sink(arg: ptr)
+}
+
+// ---
+
+func taintBuffer(buffer: UnsafeMutableBufferPointer<UInt8>) {
+  sink(arg: buffer[0])
+  sink(arg: buffer)
+
+  buffer[0] = sourceUInt8()
+
+  sink(arg: buffer[0]) // $ MISSING: tainted=60
+  sink(arg: buffer)
+}
+
+func testMutatingBufferInCall(ptr: UnsafeMutablePointer<UInt8>) {
+  let buffer = UnsafeMutableBufferPointer<UInt8>(start: ptr, count: 1000)
+
+  sink(arg: buffer[0])
+  sink(arg: buffer)
+
+  taintBuffer(buffer: buffer) // mutates `buffer` contents with a tainted value
+
+  sink(arg: buffer[0]) // $ MISSING: tainted=60
+  sink(arg: buffer)
+
+}
+
+// ---
+
+typealias MyPointer = UnsafeMutablePointer<String>
+
+func taintMyPointer(ptr: MyPointer) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  ptr.pointee = sourceString()
+
+  sink(arg: ptr.pointee) // $ tainted=87
+  sink(arg: ptr)
+}
+
+func testMutatingMyPointerInCall(ptr: MyPointer) {
+  sink(arg: ptr.pointee)
+  sink(arg: ptr)
+
+  taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
+
+  sink(arg: ptr.pointee) // $ MISSING: tainted=87
+  sink(arg: ptr)
+}

swift/ql/test/library-tests/elements/type/pointertypes/pointers.swift

@@ -0,0 +1,29 @@
+
+struct AutoreleasingUnsafeMutablePointer<Pointee> {
+}
+
+class MyClass {
+	init() {
+		val = 0
+	}
+
+	var val: Int
+}
+
+func test() {
+	var p1: UnsafePointer<Int>
+	var p2: UnsafeMutablePointer<UInt8>
+	var p3: UnsafeBufferPointer<String>
+	var p4: UnsafeMutableBufferPointer<MyClass>
+	var p5: UnsafeRawPointer
+	var p6: UnsafeMutableRawPointer
+	var p7: UnsafeRawBufferPointer
+	var p8: UnsafeMutableRawBufferPointer
+
+	var op: OpaquePointer // C-interop
+	var aump: AutoreleasingUnsafeMutablePointer<UInt8> // ObjC-interop
+	var um: Unmanaged<MyClass> // C-interop
+	var cvlp: CVaListPointer // varargs list pointer
+
+	var mbp: ManagedBufferPointer<Int, MyClass>
+}

swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.expected

@@ -0,0 +1,14 @@
+| pointers.swift:2:8:2:8 | self | AutoreleasingUnsafeMutablePointer<Pointee> | AutoreleasingUnsafeMutablePointerType, PointerType |
+| pointers.swift:14:6:14:6 | p1 | UnsafePointer<Int> | PointerType, UnsafeTypedPointerType |
+| pointers.swift:15:6:15:6 | p2 | UnsafeMutablePointer<UInt8> | PointerType, UnsafeTypedPointerType |
+| pointers.swift:16:6:16:6 | p3 | UnsafeBufferPointer<String> | PointerType, UnsafeTypedPointerType |
+| pointers.swift:17:6:17:6 | p4 | UnsafeMutableBufferPointer<MyClass> | PointerType, UnsafeTypedPointerType |
+| pointers.swift:18:6:18:6 | p5 | UnsafeRawPointer | PointerType, UnsafeRawPointerType |
+| pointers.swift:19:6:19:6 | p6 | UnsafeMutableRawPointer | PointerType, UnsafeRawPointerType |
+| pointers.swift:20:6:20:6 | p7 | UnsafeRawBufferPointer | PointerType, UnsafeRawPointerType |
+| pointers.swift:21:6:21:6 | p8 | UnsafeMutableRawBufferPointer | PointerType, UnsafeRawPointerType |
+| pointers.swift:23:6:23:6 | op | OpaquePointer | OpaquePointerType, PointerType |
+| pointers.swift:24:6:24:6 | aump | AutoreleasingUnsafeMutablePointer<UInt8> | AutoreleasingUnsafeMutablePointerType, PointerType |
+| pointers.swift:25:6:25:6 | um | Unmanaged<MyClass> | PointerType, UnmanagedType |
+| pointers.swift:26:6:26:6 | cvlp | CVaListPointer | CVaListPointerType, PointerType |
+| pointers.swift:28:6:28:6 | mbp | ManagedBufferPointer<Int, MyClass> | ManagedBufferPointerType, PointerType |

swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.ql

@@ -0,0 +1,29 @@
+import swift
+import codeql.swift.frameworks.StandardLibrary.PointerTypes
+
+string describe(Type t) {
+  t instanceof PointerType and result = "PointerType"
+  or
+  t instanceof BuiltinRawPointerType and result = "BuiltinRawPointerType"
+  or
+  t instanceof UnsafeTypedPointerType and result = "UnsafeTypedPointerType"
+  or
+  t instanceof UnsafeRawPointerType and result = "UnsafeRawPointerType"
+  or
+  t instanceof OpaquePointerType and result = "OpaquePointerType"
+  or
+  t instanceof AutoreleasingUnsafeMutablePointerType and
+  result = "AutoreleasingUnsafeMutablePointerType"
+  or
+  t instanceof UnmanagedType and result = "UnmanagedType"
+  or
+  t instanceof CVaListPointerType and result = "CVaListPointerType"
+  or
+  t instanceof ManagedBufferPointerType and result = "ManagedBufferPointerType"
+}
+
+from VarDecl v, Type t
+where
+  v.getLocation().getFile().getBaseName() != "" and
+  t = v.getType()
+select v, t.toString(), strictconcat(describe(t), ", ")