Swift: Add imprecise append/insert models.

geoffw0 · geoffw0 · commit f19c6f337d36 · 2023-11-27T19:43:15.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll b/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll
@@ -70,3 +70,42 @@ private class InitializerFromDataStep extends AdditionalTaintStep {
     )
   }
 }
+
+/**
+ * An imprecise flow step for an `append`, `insert` or similar function.  For
+ * example:
+ * ```
+ *	mc.append(taintedObj)
+ *	mc.insert(taintedObj, at: 0)
+ * ```
+ */
+private class AppendCallStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(CallExpr ce, Argument arg |
+      ce.getAnArgument() = arg and
+      ce.getStaticTarget().(Function).getShortName() = ["append", "insert"] and
+      arg.getLabel() = ["", "contentsOf"] and
+      node1.asExpr() = arg.getExpr() and
+      node2.asExpr() = ce.getQualifier()
+    )
+  }
+}
+
+/**
+ * An imprecise flow step for an `appending` or similar function.  For
+ * example:
+ * ```
+ *	let mc2 = mc.appending(taintedObj)
+ * ```
+ */
+private class AppendingCallStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(CallExpr ce, Argument arg |
+      ce.getAnArgument() = arg and
+      ce.getStaticTarget().(Function).getShortName() = ["appending", "inserting"] and
+      arg.getLabel() = ["", "contentsOf"] and
+      node1.asExpr() = arg.getExpr() and
+      node2.asExpr() = ce
+    )
+  }
+}
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/array.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/array.swift
@@ -33,7 +33,7 @@ func testArray() {
   arr4.insert(contentsOf: arrClean, at: 0)
   sink(arg: arr4[0])
   arr4.insert(contentsOf: arr3, at: 0)
-  sink(arg: arr4[0]) // $ MISSING: tainted=int3
+  sink(arg: arr4[0]) // $ tainted=int3
 
   var arr5 = Array<Int>()
   arr5.insert(contentsOf: 1...10, at: 0)
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/custom.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/custom.swift
@@ -54,50 +54,50 @@ func testCustom() {
 	sink(arg: mc1)
 	sink(arg: mc1[0])
 	mc1.append(source("data3"))
-	sink(arg: mc1) // $ MISSING: tainted=data3
-	sink(arg: mc1[0]) // $ MISSING: tainted=data3
+	sink(arg: mc1) // $ tainted=data3
+	sink(arg: mc1[0]) // $ tainted=data3
 
 	var mc2 = MyContainer()
 	mc2.insert(Data(0), at: 0)
 	sink(arg: mc2)
 	sink(arg: mc2[0])
 	mc2.insert(source("data4"), at: 0)
-	sink(arg: mc2) // $ MISSING: tainted=data4
-	sink(arg: mc2[0]) // $ MISSING: tainted=data4
+	sink(arg: mc2) // $ tainted=data4
+	sink(arg: mc2[0]) // $ tainted=data4
 
 	var mc3 = MyContainer()
 	mc3.append(contentsOf: clean)
 	sink(arg: mc3)
 	sink(arg: mc3[0])
 	mc3.append(contentsOf: tainted)
-	sink(arg: mc3) // $ MISSING: tainted=data1
-	sink(arg: mc3[0]) // $ MISSING: tainted=data1
+	sink(arg: mc3) // $ tainted=data1
+	sink(arg: mc3[0]) // $ tainted=data1
 
 	var mc4 = MyContainer()
 	mc4.insert(contentsOf: clean, at: 0)
 	sink(arg: mc4)
 	sink(arg: mc4[0])
 	mc4.insert(contentsOf: tainted, at: 0)
-	sink(arg: mc4) // $ MISSING: tainted=data1
-	sink(arg: mc4[0]) // $ MISSING: tainted=data1
+	sink(arg: mc4) // $ tainted=data1
+	sink(arg: mc4[0]) // $ tainted=data1
 
 	let mc5 = MyContainer()
 	sink(arg: mc5.appending(Data(0)))
 	sink(arg: mc5.appending(Data(0))[0])
-	sink(arg: mc5.appending(source("data5"))) // $ MISSING: tainted=data5
-	sink(arg: mc5.appending(source("data6"))[0]) // $ MISSING: tainted=data6
+	sink(arg: mc5.appending(source("data5"))) // $ tainted=data5
+	sink(arg: mc5.appending(source("data6"))[0]) // $ tainted=data6
 	sink(arg: mc5.inserting(Data(0), at: 0))
 	sink(arg: mc5.inserting(Data(0), at: 0)[0])
-	sink(arg: mc5.inserting(source("data7"), at: 0)) // $ MISSING: tainted=data7
-	sink(arg: mc5.inserting(source("data8"), at: 0)[0]) // $ MISSING: tainted=data8
+	sink(arg: mc5.inserting(source("data7"), at: 0)) // $ tainted=data7
+	sink(arg: mc5.inserting(source("data8"), at: 0)[0]) // $ tainted=data8
 	sink(arg: mc5.appending(contentsOf: clean))
 	sink(arg: mc5.appending(contentsOf: clean)[0])
-	sink(arg: mc5.appending(contentsOf: tainted)) // $ MISSING: tainted=data1
-	sink(arg: mc5.appending(contentsOf: tainted)[0]) // $ MISSING: tainted=data1
+	sink(arg: mc5.appending(contentsOf: tainted)) // $ tainted=data1
+	sink(arg: mc5.appending(contentsOf: tainted)[0]) // $ tainted=data1
 	sink(arg: mc5.inserting(contentsOf: clean, at: 0))
 	sink(arg: mc5.inserting(contentsOf: clean, at: 0)[0])
-	sink(arg: mc5.inserting(contentsOf: tainted, at: 0)) // $ MISSING: tainted=data1
-	sink(arg: mc5.inserting(contentsOf: tainted, at: 0)[0]) // $ MISSING: tainted=data1
+	sink(arg: mc5.inserting(contentsOf: tainted, at: 0)) // $ tainted=data1
+	sink(arg: mc5.inserting(contentsOf: tainted, at: 0)[0]) // $ tainted=data1
 	sink(arg: mc5)
 
 	let taintedString = sourceString("data9")
@@ -106,8 +106,8 @@ func testCustom() {
 	sink(arg: mc6)
 	sink(arg: mc6[0])
 	mc6.append(taintedString)
-	sink(arg: mc6) // $ MISSING: tainted=data9
-	sink(arg: mc6[0]) // $ MISSING: tainted=data9
+	sink(arg: mc6) // $ tainted=data9
+	sink(arg: mc6[0]) // $ tainted=data9
 
 	let taintedArray = [source("data10")]
 	var mc7 = MyContainer()
