Swift: Fix incorrect taint to String fields.

geoffw0 · geoffw0 · commit d88851068810 · 2023-02-03T10:21:52.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -26,9 +26,20 @@ private class StringSource extends SourceModelCsv {
 private class StringFieldsInheritTaint extends TaintInheritingContent,
   DataFlow::Content::FieldContent {
   StringFieldsInheritTaint() {
-    this.getField().getEnclosingDecl().(NominalTypeDecl).getFullName() =
-      ["String", "StringProtocol"] or
-    this.getField().getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getFullName() =
-      ["String", "StringProtocol"]
+    exists(FieldDecl f | this.getField() = f |
+      (
+        f.getEnclosingDecl().(NominalTypeDecl).getName() = ["String", "StringProtocol"] or
+        f.getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getName() =
+          ["String", "StringProtocol"]
+      ) and
+      f.getName() =
+        [
+          "first", "last", "unicodeScalars", "utf8", "utf16", "lazy", "utf8CString", "description",
+          "debugDescription", "dataValue", "identifierValue", "capitalized", "localizedCapitalized",
+          "localizedLowercase", "localizedUppercase", "decomposedStringWithCanonicalMapping",
+          "decomposedStringWithCompatibilityMapping", "precomposedStringWithCanonicalMapping",
+          "precomposedStringWithCompatibilityMapping", "removingPercentEncoding"
+        ]
+    )
   }
 }
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -1122,15 +1122,13 @@
 | string.swift:204:3:204:3 | [post] &... | string.swift:204:38:204:38 | str5 |
 | string.swift:204:3:204:3 | str5 | string.swift:204:3:204:3 | &... |
 | string.swift:204:38:204:38 | [post] str5 | string.swift:205:13:205:13 | str5 |
-| string.swift:204:38:204:38 | str5 | string.swift:204:38:204:43 | .startIndex |
 | string.swift:204:38:204:38 | str5 | string.swift:205:13:205:13 | str5 |
 | string.swift:205:13:205:13 | [post] str5 | string.swift:206:3:206:3 | str5 |
 | string.swift:205:13:205:13 | str5 | string.swift:206:3:206:3 | str5 |
 | string.swift:206:3:206:3 | &... | string.swift:206:42:206:42 | str5 |
 | string.swift:206:3:206:3 | [post] &... | string.swift:206:42:206:42 | str5 |
 | string.swift:206:3:206:3 | str5 | string.swift:206:3:206:3 | &... |
 | string.swift:206:42:206:42 | [post] str5 | string.swift:207:13:207:13 | str5 |
-| string.swift:206:42:206:42 | str5 | string.swift:206:42:206:47 | .startIndex |
 | string.swift:206:42:206:42 | str5 | string.swift:207:13:207:13 | str5 |
 | string.swift:211:7:211:7 | SSA def(clean) | string.swift:215:20:215:20 | clean |
 | string.swift:211:15:211:15 |  | string.swift:211:7:211:7 | SSA def(clean) |
@@ -1166,7 +1164,6 @@
 | string.swift:232:13:232:13 | [post] tainted | string.swift:232:37:232:37 | tainted |
 | string.swift:232:13:232:13 | tainted | string.swift:232:37:232:37 | tainted |
 | string.swift:232:37:232:37 | [post] tainted | string.swift:234:13:234:13 | tainted |
-| string.swift:232:37:232:37 | tainted | string.swift:232:37:232:45 | .startIndex |
 | string.swift:232:37:232:37 | tainted | string.swift:234:13:234:13 | tainted |
 | string.swift:234:13:234:13 | [post] tainted | string.swift:235:13:235:13 | tainted |
 | string.swift:234:13:234:13 | tainted | string.swift:235:13:235:13 | tainted |
@@ -1311,7 +1308,6 @@
 | string.swift:302:13:302:13 | [post] &... | string.swift:302:29:302:29 | str1 |
 | string.swift:302:13:302:13 | str1 | string.swift:302:13:302:13 | &... |
 | string.swift:302:29:302:29 | [post] str1 | string.swift:303:13:303:13 | str1 |
-| string.swift:302:29:302:29 | str1 | string.swift:302:29:302:34 | .startIndex |
 | string.swift:302:29:302:29 | str1 | string.swift:303:13:303:13 | str1 |
 | string.swift:305:7:305:7 | SSA def(str2) | string.swift:306:13:306:13 | str2 |
 | string.swift:305:14:305:22 | call to source2() | string.swift:305:7:305:7 | SSA def(str2) |
@@ -1357,12 +1353,10 @@
 | string.swift:328:3:328:3 | [post] &... | string.swift:328:23:328:23 | str5 |
 | string.swift:328:3:328:3 | str5 | string.swift:328:3:328:3 | &... |
 | string.swift:328:23:328:23 | [post] str5 | string.swift:328:43:328:43 | str5 |
-| string.swift:328:23:328:23 | str5 | string.swift:328:23:328:28 | .startIndex |
 | string.swift:328:23:328:23 | str5 | string.swift:328:43:328:43 | str5 |
 | string.swift:328:43:328:43 | [post] str5 | string.swift:328:54:328:54 | str5 |
 | string.swift:328:43:328:43 | str5 | string.swift:328:54:328:54 | str5 |
 | string.swift:328:54:328:54 | [post] str5 | string.swift:329:13:329:13 | str5 |
-| string.swift:328:54:328:54 | str5 | string.swift:328:54:328:59 | .startIndex |
 | string.swift:328:54:328:54 | str5 | string.swift:329:13:329:13 | str5 |
 | string.swift:331:7:331:7 | SSA def(str6) | string.swift:332:13:332:13 | str6 |
 | string.swift:331:14:331:22 | call to source2() | string.swift:331:7:331:7 | SSA def(str6) |
@@ -1611,10 +1605,8 @@
 | string.swift:544:14:544:14 | tainted | string.swift:544:22:544:22 | tainted |
 | string.swift:544:14:544:61 | ...[...] | string.swift:544:7:544:7 | SSA def(sub1) |
 | string.swift:544:22:544:22 | [post] tainted | string.swift:544:45:544:45 | tainted |
-| string.swift:544:22:544:22 | tainted | string.swift:544:22:544:30 | .startIndex |
 | string.swift:544:22:544:22 | tainted | string.swift:544:45:544:45 | tainted |
 | string.swift:544:45:544:45 | [post] tainted | string.swift:548:14:548:14 | tainted |
-| string.swift:544:45:544:45 | tainted | string.swift:544:45:544:53 | .endIndex |
 | string.swift:544:45:544:45 | tainted | string.swift:548:14:548:14 | tainted |
 | string.swift:545:13:545:13 | [post] sub1 | string.swift:546:20:546:20 | sub1 |
 | string.swift:545:13:545:13 | sub1 | string.swift:546:20:546:20 | sub1 |
@@ -1628,15 +1620,13 @@
 | string.swift:552:14:552:14 | tainted | string.swift:552:38:552:38 | tainted |
 | string.swift:552:14:552:54 | call to prefix(through:) | string.swift:552:7:552:7 | SSA def(sub3) |
 | string.swift:552:38:552:38 | [post] tainted | string.swift:556:14:556:14 | tainted |
-| string.swift:552:38:552:38 | tainted | string.swift:552:38:552:46 | .endIndex |
 | string.swift:552:38:552:38 | tainted | string.swift:556:14:556:14 | tainted |
 | string.swift:553:13:553:13 | sub3 | string.swift:554:20:554:20 | sub3 |
 | string.swift:556:7:556:7 | SSA def(sub4) | string.swift:557:13:557:13 | sub4 |
 | string.swift:556:14:556:14 | [post] tainted | string.swift:556:35:556:35 | tainted |
 | string.swift:556:14:556:14 | tainted | string.swift:556:35:556:35 | tainted |
 | string.swift:556:14:556:51 | call to prefix(upTo:) | string.swift:556:7:556:7 | SSA def(sub4) |
 | string.swift:556:35:556:35 | [post] tainted | string.swift:560:14:560:14 | tainted |
-| string.swift:556:35:556:35 | tainted | string.swift:556:35:556:43 | .endIndex |
 | string.swift:556:35:556:35 | tainted | string.swift:560:14:560:14 | tainted |
 | string.swift:557:13:557:13 | sub4 | string.swift:558:20:558:20 | sub4 |
 | string.swift:560:7:560:7 | SSA def(sub5) | string.swift:561:13:561:13 | sub5 |
@@ -1648,7 +1638,6 @@
 | string.swift:564:14:564:14 | [post] tainted | string.swift:564:35:564:35 | tainted |
 | string.swift:564:14:564:14 | tainted | string.swift:564:35:564:35 | tainted |
 | string.swift:564:14:564:53 | call to suffix(from:) | string.swift:564:7:564:7 | SSA def(sub6) |
-| string.swift:564:35:564:35 | tainted | string.swift:564:35:564:43 | .startIndex |
 | string.swift:565:13:565:13 | sub6 | string.swift:566:20:566:20 | sub6 |
 | string.swift:570:7:570:7 | SSA def(clean) | string.swift:573:13:573:13 | clean |
 | string.swift:570:15:570:26 | call to FilePath.init(_:) | string.swift:570:7:570:7 | SSA def(clean) |
@@ -1717,9 +1706,6 @@
 | string.swift:629:13:629:26 | call to Self.init(_:) | string.swift:629:13:629:27 | ...! |
 | string.swift:633:7:633:7 | SSA def(tainted) | string.swift:637:13:637:13 | tainted |
 | string.swift:633:17:633:25 | call to source2() | string.swift:633:7:633:7 | SSA def(tainted) |
-| string.swift:635:13:635:13 | String.Type | string.swift:635:13:635:20 | .availableStringEncodings |
-| string.swift:636:13:636:13 | String.Type | string.swift:636:13:636:20 | .defaultCStringEncoding |
-| string.swift:637:13:637:13 | tainted | string.swift:637:13:637:21 | .isContiguousUTF8 |
 | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] |
 | subscript.swift:1:7:1:7 | SSA def(self) | subscript.swift:1:7:1:7 | self[return] |
 | subscript.swift:1:7:1:7 | self | subscript.swift:1:7:1:7 | SSA def(self) |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
@@ -607,7 +607,6 @@ edges
 | string.swift:331:14:331:22 | call to source2() :  | string.swift:332:13:332:13 | str6 |
 | string.swift:331:14:331:22 | call to source2() :  | string.swift:334:13:334:13 | str6 |
 | string.swift:540:17:540:25 | call to source2() :  | string.swift:545:13:545:13 | sub1 |
-| string.swift:633:17:633:25 | call to source2() :  | string.swift:637:13:637:21 | .isContiguousUTF8 |
 | subscript.swift:13:15:13:22 | call to source() :  | subscript.swift:13:15:13:25 | ...[...] |
 | subscript.swift:14:15:14:23 | call to source2() :  | subscript.swift:14:15:14:26 | ...[...] |
 | try.swift:9:17:9:24 | call to source() :  | try.swift:9:13:9:24 | try ... |
@@ -1397,8 +1396,6 @@ nodes
 | string.swift:540:17:540:25 | call to source2() :  | semmle.label | call to source2() :  |
 | string.swift:542:13:542:21 | call to source7() | semmle.label | call to source7() |
 | string.swift:545:13:545:13 | sub1 | semmle.label | sub1 |
-| string.swift:633:17:633:25 | call to source2() :  | semmle.label | call to source2() :  |
-| string.swift:637:13:637:21 | .isContiguousUTF8 | semmle.label | .isContiguousUTF8 |
 | subscript.swift:13:15:13:22 | call to source() :  | semmle.label | call to source() :  |
 | subscript.swift:13:15:13:25 | ...[...] | semmle.label | ...[...] |
 | subscript.swift:14:15:14:23 | call to source2() :  | semmle.label | call to source2() :  |
@@ -1890,7 +1887,6 @@ subpaths
 | string.swift:334:13:334:13 | str6 | string.swift:331:14:331:22 | call to source2() :  | string.swift:334:13:334:13 | str6 | result |
 | string.swift:542:13:542:21 | call to source7() | string.swift:542:13:542:21 | call to source7() | string.swift:542:13:542:21 | call to source7() | result |
 | string.swift:545:13:545:13 | sub1 | string.swift:540:17:540:25 | call to source2() :  | string.swift:545:13:545:13 | sub1 | result |
-| string.swift:637:13:637:21 | .isContiguousUTF8 | string.swift:633:17:633:25 | call to source2() :  | string.swift:637:13:637:21 | .isContiguousUTF8 | result |
 | subscript.swift:13:15:13:25 | ...[...] | subscript.swift:13:15:13:22 | call to source() :  | subscript.swift:13:15:13:25 | ...[...] | result |
 | subscript.swift:14:15:14:26 | ...[...] | subscript.swift:14:15:14:23 | call to source2() :  | subscript.swift:14:15:14:26 | ...[...] | result |
 | try.swift:9:13:9:24 | try ... | try.swift:9:17:9:24 | call to source() :  | try.swift:9:13:9:24 | try ... | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/string.swift b/swift/ql/test/library-tests/dataflow/taint/string.swift
@@ -634,5 +634,5 @@ func untaintedFields() {
 
   sink(arg: String.availableStringEncodings)
   sink(arg: String.defaultCStringEncoding)
-  sink(arg: tainted.isContiguousUTF8) // $ SPURIOUS: tainted=633
+  sink(arg: tainted.isContiguousUTF8)
 }

Original file line number	Diff line number	Diff line change
`@@ -634,5 +634,5 @@ func untaintedFields() {`
`634`	`634`
`635`	`635`	`sink(arg: String.availableStringEncodings)`
`636`	`636`	`sink(arg: String.defaultCStringEncoding)`
`637`		`- sink(arg: tainted.isContiguousUTF8) // $ SPURIOUS: tainted=633`
	`637`	`+ sink(arg: tainted.isContiguousUTF8)`
`638`	`638`	`}`