Swift: Add heuristic model for init(contentsOfFile) and similar.

geoffw0 · geoffw0 · commit 5723a75f3c92 · 2023-11-22T15:24:19.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll b/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll
@@ -8,3 +8,4 @@ private import SQL.SQL
 private import StandardLibrary.StandardLibrary
 private import UIKit.UIKit
 private import Xml.Xml
+private import Heuristic
diff --git a/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll b/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll
@@ -0,0 +1,48 @@
+/**
+ * Provides heuristic models that match taint sources and flow through unknown
+ * classes and libraries.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.FlowSources
+
+/**
+ * An imprecise flow source for an initializer call with a "contentsOf"
+ * argument that appears to be remote. For example:
+ * ```
+ * let myObject = MyClass(contentsOf: url)
+ * ```
+ */
+private class InitializerContentsOfRemoteSource extends RemoteFlowSource {
+  InitializerContentsOfRemoteSource() {
+    exists(InitializerCallExpr ce, Argument arg |
+      ce.getAnArgument() = arg and
+      arg.getLabel() = ["contentsOf", "contentsOfFile", "contentsOfPath", "contentsOfDirectory"] and
+      arg.getExpr().getType().getUnderlyingType().getName() = ["URL", "NSURL"] and
+      this.asExpr() = ce
+    )
+  }
+
+  override string getSourceType() { result = "contentsOf initializer" }
+}
+
+/**
+ * An imprecise flow source for an initializer call with a "contentsOf"
+ * argument that appears to be local. For example:
+ * ```
+ * let myObject = MyClass(contentsOfFile: "foo.txt")
+ * ```
+ */
+private class InitializerContentsOfLocalSource extends LocalFlowSource {
+  InitializerContentsOfLocalSource() {
+    exists(InitializerCallExpr ce, Argument arg |
+      ce.getAnArgument() = arg and
+      arg.getLabel() = ["contentsOf", "contentsOfFile", "contentsOfPath", "contentsOfDirectory"] and
+      not arg.getExpr().getType().getUnderlyingType().getName() = ["URL", "NSURL"] and
+      this.asExpr() = ce
+    )
+  }
+
+  override string getSourceType() { result = "contentsOf initializer" }
+}
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/custom.swift b/swift/ql/test/library-tests/dataflow/flowsources/custom.swift
@@ -22,12 +22,12 @@ class MyClass {
 func testCustom() {
 	let url = URL(string: "http://example.com/")!
 
-	let x = MyClass(contentsOfFile: "foo.txt") // $ MISSING: source=remote
-	_ = MyClass(contentsOfFile: "foo.txt", options: []) // $ MISSING: source=remote
-	_ = MyClass(contentsOf: url, fileTypeHint: 1) // $ MISSING: source=remote
+	let x = MyClass(contentsOfFile: "foo.txt") // $ source=local
+	_ = MyClass(contentsOfFile: "foo.txt", options: []) // $ source=local
+	_ = MyClass(contentsOf: url, fileTypeHint: 1) // $ source=remote
 
-	_ = MyClass(contentsOfPath: "/foo/bar") // $ MISSING: source=remote
-	_ = MyClass(contentsOfDirectory: "/foo/bar") // $ MISSING: source=remote
+	_ = MyClass(contentsOfPath: "/foo/bar") // $ source=local
+	_ = MyClass(contentsOfDirectory: "/foo/bar") // $ source=local
 
 	x.append(contentsOf: "abcdef") // (not a flow source)
 	_ = x.appending(contentsOf: "abcdef") // (not a flow source)
