
Commit 1ac9d2c

committed
Swift: Update models with CollectionElement, value flow.
1 parent 59e2b04 commit 1ac9d2c


6 files changed

+58
-24
lines changed


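--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll
@@ -225,7 +225,12 @@ module Content {
 override string toString() { result = "Array element" }
 }
 
-/** An element of a collection. */
+/**
+* An element of a collection. This is a broad class including:
+* - elements of collections, such as `Set<Element>`.
+* - elements of buffers, such as `UnsafeBufferPointer<Element>`.
+* - the pointee of a pointer, such as `UnsafePointer<Pointee>`.
+*/
 class CollectionContent extends Content, TCollectionContent {
 override string toString() { result = "Collection element" }
 }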

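--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll
@@ -21,30 +21,33 @@ private class ArraySummaries extends SummaryModelCsv {
 [
 ";Array;true;insert(_:at:);;;Argument[0];Argument[-1].ArrayElement;value",
 ";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint",
-";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
+";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
 ";Array;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0];Argument[-1].ArrayElement;taint",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].ArrayElement;value",
 ";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";Array;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
+";Array;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;taint",
 ";Array;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
-";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0];Argument[-1].ArrayElement;taint",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].ArrayElement;taint",
 ";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
 ";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
 ";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
-";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
+";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
 ";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
 ]
 }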
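Review bot: The new `ContiguousBytes;withUnsafeBytes(_:)` element row reads only `Argument[-1].CollectionElement`, whereas the row it replaces read `Argument[-1].ArrayElement`; the Sequence and MutableCollection models in this same commit keep both content kinds on the receiver. If a value typed as `ContiguousBytes` can still carry array-element content (for example a byte array used through the protocol), tainted elements would no longer reach the closure parameter and the flow would go unreported. Consider keeping `";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;taint",` next to the new row, unless the Array rows above are known to cover every such receiver. The list literal and the enclosing predicate start outside the hunk.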

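--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -37,9 +37,10 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
 ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
-";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
-";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",
 ]
 }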
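Review bot: The write-back row for `MutableCollection;withContiguousMutableStorageIfAvailable(_:)` stores only into `Argument[-1].CollectionElement`, while the two forward rows read both `Argument[-1].ArrayElement` and `Argument[-1].CollectionElement`. The Array model in this commit writes buffer contents back to `Argument[-1].ArrayElement`, so when the receiver is an array, data written through the buffer here may land in a content kind that later array reads do not consult; whether Array has its own row for this method is not visible in these hunks. Consider adding `";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].ArrayElement;value",` so both directions cover the same content kinds. The list literal starts outside the hunk.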

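--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
@@ -64,6 +64,7 @@ class ManagedBufferPointerType extends BoundGenericType {
 */
 private class PointerSummaries extends SummaryModelCsv {
 override predicate row(string row) {
-row = ";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1];taint"
+row =
+";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1].CollectionElement;value"
 }
 }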
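Review bot: With the `update(repeating:)` row now storing into `Argument[-1].CollectionElement` only, a sink that takes the buffer pointer itself sees this flow only if something reads that content at the sink or in a taint step, and nothing in this hunk shows such a read. The expected-output section at the end of this commit adds `Missing result` lines for int.swift and string.swift under `testFailures`, which may be flows lost this way across the updated models. Before this lands it would be worth confirming that each missing result is either restored by a read step for `CollectionElement` or annotated as a known gap in the test source, since a dropped flow here is a false negative for the security queries built on these models. The doc comment above the class starts outside the hunk.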

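--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -25,8 +25,9 @@ private class SequenceSummaries extends SummaryModelCsv {
 ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
 ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
 ";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",
-";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0];taint",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",
 ]
 }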
Lines changed: 23 additions & 0 deletions
@@ -1,2 +1,25 @@
11
failures
22
testFailures
3+
| int.swift:18:21:19:1 | // $ SPURIOUS: tainted=13\n | Fixed spurious result:tainted=13 |
4+
| int.swift:19:24:20:1 | // $ tainted=13\n | Missing result:tainted=13 |
5+
| int.swift:33:21:34:1 | // $ SPURIOUS: tainted=28\n | Fixed spurious result:tainted=28 |
6+
| int.swift:34:24:35:1 | // $ tainted=28\n | Missing result:tainted=28 |
7+
| int.swift:48:23:49:1 | // $ SPURIOUS: tainted=47\n | Fixed spurious result:tainted=47 |
8+
| int.swift:49:26:50:1 | // $ tainted=47\n | Missing result:tainted=47 |
9+
| int.swift:84:20:85:1 | // $ SPURIOUS: tainted=83\n | Fixed spurious result:tainted=83 |
10+
| int.swift:85:23:86:1 | // $ tainted=83\n | Missing result:tainted=83 |
11+
| int.swift:89:23:90:1 | // $ SPURIOUS: tainted=83\n | Fixed spurious result:tainted=83 |
12+
| int.swift:90:26:91:1 | // $ tainted=83\n | Missing result:tainted=83 |
13+
| int.swift:132:20:133:1 | // $ tainted=131\n | Missing result:tainted=131 |
14+
| int.swift:133:23:134:1 | // $ tainted=131\n | Missing result:tainted=131 |
15+
| int.swift:137:30:138:1 | // $ SPURIOUS: tainted=131\n | Fixed spurious result:tainted=131 |
16+
| int.swift:138:33:139:1 | // $ tainted=131\n | Missing result:tainted=131 |
17+
| int.swift:147:23:148:1 | // $ SPURIOUS: tainted=142\n | Fixed spurious result:tainted=142 |
18+
| int.swift:148:26:149:1 | // $ tainted=142\n | Missing result:tainted=142 |
19+
| string.swift:407:23:408:1 | // $ tainted=366\n | Missing result:tainted=366 |
20+
| string.swift:441:20:442:1 | // $ tainted=366\n | Missing result:tainted=366 |
21+
| string.swift:483:23:484:1 | // $ tainted=450\n | Missing result:tainted=450 |
22+
| string.swift:496:23:497:1 | // $ tainted=450\n | Missing result:tainted=450 |
23+
| string.swift:518:20:519:1 | // $ tainted=506\n | Missing result:tainted=506 |
24+
| string.swift:544:20:545:1 | // $ tainted=533\n | Missing result:tainted=533 |
25+
| string.swift:610:18:611:1 | // $ tainted=617\n | Missing result:tainted=617 |
