Merge pull request github#13946 from geoffw0/arraysteptest

Swift: Models and tests for numeric conversions

Author: geoffw0

swift/ql/lib/change-notes/2023-08-10-numeric-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added taint models for `Numeric` conversions.

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -213,6 +213,11 @@ private module Cached {
     //   retaining this case increases robustness of flow).
     nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
     or
+    // read of an optional .some member via `let x: T = y: T?` pattern matching
+    // note: similar to `ForceValueExpr` this is ideally a content `readStep` but
+    //   in practice we sometimes have taint on the optional itself.
+    nodeTo.asPattern() = nodeFrom.asPattern().(OptionalSomePattern).getSubPattern()
+    or
     // flow through `?` and `?.`
     nodeFrom.asExpr() = nodeTo.asExpr().(BindOptionalExpr).getSubExpr()
     or

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll

@@ -19,6 +19,10 @@ private class ArraySummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
+        ";Array;true;init(_:);;;Argument[0];ReturnValue.CollectionElement;value",
+        ";Array;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
+        ";Array;true;init(repeating:count:);;;Argument[0];ReturnValue.CollectionElement;value",
+        ";Array;true;init(arrayLiteral:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
         ";Array;true;insert(_:at:);;;Argument[0];Argument[-1].CollectionElement;value",
         ";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint",
         ";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CInterop.qll

@@ -7,6 +7,6 @@ private import codeql.swift.dataflow.ExternalFlow
 
 private class CInteropSummaries extends SummaryModelCsv {
   override predicate row(string row) {
-    row = ";;false;getVaList(_:);;;Argument[0].ArrayElement;ReturnValue;value"
+    row = ";;false;getVaList(_:);;;Argument[0].CollectionElement;ReturnValue;value"
   }
 }

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll

@@ -0,0 +1,53 @@
+/**
+ * Provides models for `Numeric` and related Swift classes (such as `Int` and `Float`).
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `Numeric` and related class members and functions that permit taint flow.
+ */
+private class NumericSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";;false;numericCast(_:);;;Argument[0];ReturnValue;taint",
+        ";;false;unsafeDowncast(_:to:);;;Argument[0];ReturnValue;taint",
+        ";;false;unsafeBitCast(_:to:);;;Argument[0];ReturnValue;taint",
+        ";Numeric;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+        ";Numeric;true;init(bitPattern:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(clamping:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(truncatingIfNeeded:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:format:lenient:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;formatted();;;Argument[-1];ReturnValue;taint",
+        ";BinaryInteger;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(littleEndian:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(bigEndian:);;;Argument[0];ReturnValue;taint",
+        ";FloatingPoint;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FloatingPoint;true;init(sign:exponent:significand:);;;Argument[1..2];ReturnValue;taint",
+        ";FloatingPoint;true;init(signOf:magnitudeOf:);;;Argument[1];ReturnValue;taint",
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `Numeric` is tainted, then some of its fields are
+ * tainted.
+ */
+private class NumericFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  NumericFieldsInheritTaint() {
+    this.getField().hasQualifiedName("FixedWidthInteger", ["littleEndian", "bigEndian"])
+    or
+    this.getField()
+        .hasQualifiedName(["Double", "Float", "Float80", "FloatingPoint"],
+          ["exponent", "significand"])
+  }
+}

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll

@@ -15,6 +15,7 @@ private import NsData
 private import NsObject
 private import NsString
 private import NsUrl
+private import Numeric
 private import PointerTypes
 private import Sequence
 private import Set

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll

@@ -27,7 +27,7 @@ private class StringSource extends SourceModelCsv {
 }
 
 /**
- * A model for `String` and `StringProtocol` members that permit taint flow.
+ * A model for members of `String`, `StringProtocol` and similar classes that permit taint flow.
  */
 private class StringSummaries extends SummaryModelCsv {
   override predicate row(string row) {
@@ -124,7 +124,8 @@ private class StringSummaries extends SummaryModelCsv {
         ";String;true;randomElement();;;Argument[-1];ReturnValue;taint",
         ";String;true;randomElement(using:);;;Argument[-1];ReturnValue;taint",
         ";String;true;enumerated();;;Argument[-1];ReturnValue;taint",
-        ";String;true;encode(to:);;;Argument[-1];Argument[0];taint"
+        ";String;true;encode(to:);;;Argument[-1];Argument[0];taint",
+        ";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",
       ]
   }
 }

swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll

@@ -69,3 +69,13 @@ private class CommandInjectionSinks extends SinkModelCsv {
       ]
   }
 }
+
+/**
+ * A barrier for command injection vulnerabilities.
+ */
+private class CommandInjectionDefaultBarrier extends CommandInjectionBarrier {
+  CommandInjectionDefaultBarrier() {
+    // any numeric type
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+  }
+}

swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll

@@ -39,3 +39,13 @@ private class PredicateInjectionSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+/**
+ * A barrier for predicate injection vulnerabilities vulnerabilities.
+ */
+private class PredicateInjectionDefaultBarrier extends PredicateInjectionBarrier {
+  PredicateInjectionDefaultBarrier() {
+    // any numeric type
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+  }
+}

swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll

@@ -153,3 +153,13 @@ private class GrdbDefaultSqlInjectionSink extends SqlInjectionSink {
 private class DefaultSqlInjectionSink extends SqlInjectionSink {
   DefaultSqlInjectionSink() { sinkNode(this, "sql-injection") }
 }
+
+/**
+ * A barrier for SQL injection.
+ */
+private class SqlInjectionDefaultBarrier extends SqlInjectionBarrier {
+  SqlInjectionDefaultBarrier() {
+    // any numeric type
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+  }
+}