Swift: Track parse modes (prototype version).

Author: geoffw0

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -60,6 +60,65 @@ private class StandardRegexCreation extends RegexCreation {
   override DataFlow::Node getStringInput() { result = input }
 }
 
+newtype TRegexParseMode =
+  MkIgnoreCase() or // case insensitive
+  MkVerbose() or // ignores whitespace and `#` comments within patterns
+  MkDotAll() or // dot matches all characters, including line terminators
+  MkMultiLine() or // `^` and `$` also match beginning and end of lines
+  MkUnicode() // Unicode UAX 29 word boundary mode
+
+class RegexParseMode extends TRegexParseMode {
+  string toString() {
+    (this = MkIgnoreCase() and result = "IGNORECASE") or
+    (this = MkVerbose() and result = "VERBOSE") or
+    (this = MkDotAll() and result = "DOTALL") or
+    (this = MkUnicode() and result = "MULTILINE") or
+    (this = MkIgnoreCase() and result = "UNICODE")
+  }
+}
+
+/**
+ * A unit class for adding additional flow steps for regular expressions.
+ */
+class RegexAdditionalFlowStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a flow
+   * step for regular expressions.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+
+  /**
+   * Holds if the step from `node1` to `node2` either sets (`isSet` = true)
+   * or unsets (`isSet` = false) parse mode `mode` for the regular expression.
+   */
+  abstract predicate modifiesParseMode(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, RegexParseMode mode, boolean isSet);
+}
+
+/**
+ * An additional flow step for `Regex` or `NSRegularExpression`.
+ */
+class StandardRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    this.modifiesParseMode(nodeFrom, nodeTo, _, _)
+  }
+
+  override predicate modifiesParseMode(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, RegexParseMode mode, boolean isSet)
+  {
+    exists(CallExpr ce |
+      ce.getStaticTarget().(Method).hasQualifiedName("Regex", "dotMatchesNewlines(_:)") and
+      nodeFrom.asExpr() = ce.getQualifier() and
+      nodeTo.asExpr() = ce and
+      mode = MkDotAll() and
+      // TODO: other methods
+      // decode the value being set
+      if ce.getArgument(0).getExpr().(BooleanLiteralExpr).getValue() = false then
+        isSet = false // mode is set to false
+      else
+        isSet = true // mode is set to true OR mode is set to default (=true) OR mode is set to an unknown value
+    )
+  }
+}
+
 /**
  * A call that evaluates a regular expression. For example, the call to `firstMatch` in:
  * ```

swift/ql/lib/codeql/swift/regex/internal/ParseRegex.qll

@@ -6,6 +6,8 @@
  */
 
 import swift
+private import RegexTracking
+private import codeql.swift.regex.Regex
 
 /**
  * A `Expr` containing a regular expression term, that is, either
@@ -324,7 +326,17 @@ abstract class RegExp extends Expr {
    * MULTILINE
    * UNICODE
    */
-  string getAMode() { result = this.getModeFromPrefix() }
+  string getAMode() {
+    // mode flags from inside the regex string
+    result = this.getModeFromPrefix()
+    or
+    // mode flags applied to the regex object before evaluation
+    exists(RegexEval e |
+      e.getARegex() = this and
+      RegexParseModeFlow::flow(_, DataFlow::exprNode(e.getRegexInput())) and
+      result = "DOTALL" // TODO
+    )
+  }
 
   /**
    * Holds if the `i`th character could not be parsed.

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -6,7 +6,7 @@
 
 import swift
 import codeql.swift.regex.RegexTreeView
-private import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.DataFlow
 private import ParseRegex
 private import codeql.swift.regex.Regex
 
@@ -37,7 +37,6 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     // creation of the regex
     node instanceof RegexCreation
-    // TODO: track parse mode flags.
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -46,9 +45,36 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // TODO: flow through regex methods that return a modified regex.
-    none()
+    any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 
 module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
+
+/**
+ * A data flow configuration for tracking regular expression parse mode
+ * flags from the point they are set to the point of use. The flow state
+ * encodes which parse mode flag was set.
+ */
+private module RegexParseModeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // parse mode flag is set
+    any(RegexAdditionalFlowStep s).modifiesParseMode(_, node, MkDotAll(), true)
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // parse mode flag is set or unset
+    any(RegexAdditionalFlowStep s).modifiesParseMode(_, node, MkDotAll(), _)
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // evaluation of the regex
+    node.asExpr() = any(RegexEval eval).getRegexInput()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+module RegexParseModeFlow = DataFlow::Global<RegexParseModeConfig>;

swift/ql/test/library-tests/regex/regex.swift

@@ -210,11 +210,11 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
     _ = try Regex("(?s)abc").firstMatch(in: input) // $ input=input modes=DOTALL regex=(?s)abc
     _ = try Regex("(?is)abc").firstMatch(in: input) // $ input=input modes="DOTALL | IGNORECASE" regex=(?is)abc
 
-    _ = try Regex("abc").dotMatchesNewlines(true).firstMatch(in: input) // $ input=input regex=abc MISSING: modes=DOTALL
+    _ = try Regex("abc").dotMatchesNewlines(true).firstMatch(in: input) // $ input=input regex=abc modes=DOTALL
     _ = try Regex("abc").dotMatchesNewlines(false).firstMatch(in: input) // $ input=input regex=abc
     _ = try Regex("abc").dotMatchesNewlines(true).dotMatchesNewlines(false).firstMatch(in: input) // $ input=input regex=abc
-    _ = try Regex("abc").dotMatchesNewlines(false).dotMatchesNewlines(true).firstMatch(in: input) // $ input=input regex=abc MISSING: modes=DOTALL
-    _ = try Regex("abc").dotMatchesNewlines().ignoresCase().firstMatch(in: input) // $ input=input regex=abc MISSING: modes="DOTALL | IGNORECASE"
+    _ = try Regex("abc").dotMatchesNewlines(false).dotMatchesNewlines(true).firstMatch(in: input) // $ input=input regex=abc modes=DOTALL
+    _ = try Regex("abc").dotMatchesNewlines().ignoresCase().firstMatch(in: input) // $ input=input regex=abc SPURIOUS: modes=DOTALL MISSING: modes="DOTALL | IGNORECASE"
 
     _ = try NSRegularExpression(pattern: ".*", options: .caseInsensitive).firstMatch(in: input, range: NSMakeRange(0, input.utf16.count)) // $ regex=.* input=input MISSING: modes=IGNORECASE
     _ = try NSRegularExpression(pattern: ".*", options: .dotMatchesLineSeparators).firstMatch(in: input, range: NSMakeRange(0, input.utf16.count)) // $ regex=.* input=input MISSING: modes=DOTALL