
Commit 2fd627b

authored
Merge pull request github#13827 from geoffw0/closuremodels
Swift: Model withUnsafeBytes and similar closure methods
2 parents 50a9c31 + f7776f8 commit 2fd627b


16 files changed

+362
-100
lines changed

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
5+
* Added flow models of collection `.withContiguous[Mutable]StorageIfAvailable`, `.withUnsafe[Mutable]BufferPointer` and `.withUnsafe[Mutable]Bytes` methods.

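--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -818,8 +818,12 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
 exists(SubscriptExpr subscript |
 subscript.getBase() = node1.asExpr() and
 subscript = node2.asExpr() and
-subscript.getBase().getType() instanceof ArrayType and
-c.isSingleton(any(Content::ArrayContent ac))
+(
+subscript.getBase().getType() instanceof ArrayType and
+c.isSingleton(any(Content::ArrayContent ac))
+or
+c.isSingleton(any(Content::CollectionContent ac))
+)
 )
 or
 FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,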
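Review bot: The new `or c.isSingleton(any(Content::CollectionContent ac))` alternative carries no guard on the subscript base type, so every `SubscriptExpr` now yields a `CollectionContent` read step — including subscripts on `ArrayType` bases, which already produce the `ArrayContent` step in the first alternative, and presumably subscripts on dictionaries and strings as well. If that breadth is intended (buffer pointers and pointees count as collections per the `CollectionContent` documentation updated in this commit), a short comment above the new parenthesised disjunction would stop the next reader from taking it for an accidental drop of the type check, e.g. `// any subscript may read a CollectionContent (buffer pointers, pointees, other collections); arrays additionally read ArrayContent`. If it is not intended, a type restriction on the second alternative is worth considering. The `readStep` predicate starts before this hunk and continues after it.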

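--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll
@@ -225,7 +225,12 @@ module Content {
 override string toString() { result = "Array element" }
 }
 
-/** An element of a collection. */
+/**
+* An element of a collection. This is a broad class including:
+* - elements of collections, such as `Set<Element>`.
+* - elements of buffers, such as `UnsafeBufferPointer<Element>`.
+* - the pointee of a pointer, such as `UnsafePointer<Pointee>`.
+*/
 class CollectionContent extends Content, TCollectionContent {
 override string toString() { result = "Collection element" }
 }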

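--- a/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll
@@ -3,6 +3,7 @@
 */
 
 private import Alamofire.Alamofire
+private import JavaScriptCore.JavaScriptCore
 private import StandardLibrary.StandardLibrary
 private import UIKit.UIKit
 private import Xml.Xml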
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
/**
2+
* Provides models for the `JavaScriptCore` library.
3+
*/
4+
5+
import swift
6+
private import codeql.swift.dataflow.ExternalFlow
7+
8+
/**
9+
* A model for `JavaScriptCore` functions and class members that permit taint flow.
10+
*/
11+
private class JSStringSummaries extends SummaryModelCsv {
12+
override predicate row(string row) {
13+
row =
14+
[
15+
";;false;JSStringCreateWithUTF8CString(_:);;;Argument[0];ReturnValue;taint",
16+
";;false;JSStringCreateWithCharacters(_:_:);;;Argument[0];ReturnValue;taint",
17+
";;false;JSStringRetain(_:);;;Argument[0];ReturnValue;taint",
18+
]
19+
}
20+
}

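--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll
@@ -13,14 +13,42 @@ class ArrayType extends Type {
 }
 
 /**
-* A model for `Array` and related class members that permit data flow.
+* A model for `Array` and related Swift class members that permit taint flow.
 */
 private class ArraySummaries extends SummaryModelCsv {
 override predicate row(string row) {
 row =
 [
 ";Array;true;insert(_:at:);;;Argument[0];Argument[-1].ArrayElement;value",
-";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint"
+";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint",
+";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";Array;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
+";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";Array;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;taint",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
+";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
+";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
+";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
+";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
+";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
 ]
 }
 }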
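Review bot: The write-back rows for `withUnsafeMutableBytes(_:)` disagree with each other: the `Array` row (new line 36) uses `value` from `Argument[0].Parameter[0].CollectionElement` to `Argument[-1].CollectionElement`, while the otherwise identical `ContiguousArray` row (new line 47) uses `taint`. Bytes written through the raw buffer are reinterpreted as elements, and the forward rows for the same methods (new lines 32 and 46) already use `taint` for exactly that reason, so `taint` looks like the right kind for the `Array` row as well: `";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint"`. Note also that the `Array` forward rows read `Argument[-1].ArrayElement` while the write-back rows (new lines 29 and 36) store into `Argument[-1].CollectionElement`; that presumably relies on the unconditional `CollectionContent` read step added to `readStep` in this commit, and a one-line comment on these rows saying so would make the asymmetry deliberate rather than puzzling. Finally, `ContiguousArray` receives no `withUnsafeBytes(_:)` rows although `Array` does; if `ContiguousArray` declares that method itself rather than only through `ContiguousBytes`, those rows are missing.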

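--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -8,7 +8,7 @@ private import codeql.swift.dataflow.ExternalFlow
 private import codeql.swift.dataflow.FlowSteps
 
 /**
-* A model for `Collection` members that permit taint flow.
+* A model for `Collection` and related Swift class members that permit taint flow.
 */
 private class CollectionSummaries extends SummaryModelCsv {
 override predicate row(string row) {
@@ -37,6 +37,11 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
 ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
+";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",
 ]
 }
 }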

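--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
@@ -4,6 +4,7 @@
 */
 
 import swift
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
 * A Swift unsafe typed pointer type such as `UnsafePointer`,
@@ -57,3 +58,13 @@ class CVaListPointerType extends NominalType {
 class ManagedBufferPointerType extends BoundGenericType {
 ManagedBufferPointerType() { this.getName().matches("ManagedBufferPointer<%") }
 }
+
+/**
+* A model for `UnsafePointer` and related Swift class members that permit taint flow.
+*/
+private class PointerSummaries extends SummaryModelCsv {
+override predicate row(string row) {
+row =
+";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1].CollectionElement;value"
+}
+}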
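Review bot: `PointerSummaries.row` assigns a single bare string, while every other `SummaryModelCsv` class touched by this commit (`ArraySummaries`, `CollectionSummaries`, `SequenceSummaries`, `JSStringSummaries`) uses the `row = [ ... ]` list form; wrapping the one row in `[` and `]` here keeps the classes uniform and makes adding the next pointer model a one-line change. The class doc says it models `UnsafePointer` and related members, but the only row is for `UnsafeMutableBufferPointer`; either narrow the wording or note that it is a starting point. Separately, `update(repeating:)` is the Swift 5.8 spelling of a method older toolchains expose as `assign(repeating:)`, so if databases built with earlier Swift versions are still analysed, a second row under that name may be needed — worth confirming against the supported versions.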

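--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -25,7 +25,9 @@ private class SequenceSummaries extends SummaryModelCsv {
 ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
 ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
 ";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",
-";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].ArrayElement;Argument[0].Parameter[0].CollectionElement;value",
+";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",
 ]
 }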

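--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -34,22 +34,24 @@ private class StringSummaries extends SummaryModelCsv {
 row =
 [
 ";StringProtocol;true;init(cString:);;;Argument[0];ReturnValue;taint",
+";StringProtocol;true;init(cString:);;;Argument[0].ArrayElement;ReturnValue;taint",
+";StringProtocol;true;init(cString:);;;Argument[0].CollectionElement;ReturnValue;taint",
 ";StringProtocol;true;init(decoding:as:);;;Argument[0];ReturnValue;taint",
-";StringProtocol;true;init(decodingCString:as:);;;Argument[0];ReturnValue;taint",
+";StringProtocol;true;init(decodingCString:as:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.TupleElement[0];taint",
 ";StringProtocol;true;addingPercentEncoding(withAllowedCharacter:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;addingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;appending(_:);;;Argument[-1..0];ReturnValue;taint",
 ";StringProtocol;true;appendingFormat(_:_:);;;Argument[-1..0];ReturnValue;taint", //-1..
 ";StringProtocol;true;applyingTransform(_:reverse:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;cString(using:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;capitalized(with:);;;Argument[-1];ReturnValue;taint",
-";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[0];taint",
-";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[2];taint",
+";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[0].OptionalSome.CollectionElement;taint",
+";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[2].OptionalSome.CollectionElement.ArrayElement;taint",
 ";StringProtocol;true;components(separatedBy:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;data(using:allowLossyConversion:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;folding(options:locale:);;;Argument[-1];ReturnValue;taint",
-";StringProtocol;true;getBytes(_:maxLength:usedLength:encoding:options:range:remaining:);;;Argument[-1];Argument[0];taint",
-";StringProtocol;true;getCString(_:maxLength:encoding:);;;Argument[-1];Argument[0];taint",
+";StringProtocol;true;getBytes(_:maxLength:usedLength:encoding:options:range:remaining:);;;Argument[-1];Argument[0].ArrayElement;taint",
+";StringProtocol;true;getCString(_:maxLength:encoding:);;;Argument[-1];Argument[0].ArrayElement;taint",
 ";StringProtocol;true;lowercased();;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;lowercased(with:);;;Argument[-1];ReturnValue;taint",
 ";StringProtocol;true;padding(toLength:withPad:startingAt:);;;Argument[-1];ReturnValue;taint",
@@ -68,18 +70,26 @@ private class StringSummaries extends SummaryModelCsv {
 ";StringProtocol;true;uppercased(with:);;;Argument[-1];ReturnValue;taint",
 ";String;true;init(decoding:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(_:);;;Argument[0];ReturnValue;taint",
+";String;true;init(_:);;;Argument[0];ReturnValue.OptionalSome;taint",
 ";String;true;init(repeating:count:);;;Argument[0];ReturnValue;taint",
-";String;true;init(data:encoding:);;;Argument[0];ReturnValue;taint",
-";String;true;init(validatingUTF8:);;;Argument[0];ReturnValue;taint",
-";String;true;init(utf16CodeUnits:count:);;;Argument[0];ReturnValue;taint",
-";String;true;init(utf16CodeUnitsNoCopy:count:freeWhenDone:);;;Argument[0];ReturnValue;taint",
-";String;true;init(format:_:);;;Argument[0];ReturnValue;taint", //0..
-";String;true;init(format:arguments:);;;Argument[0..1];ReturnValue;taint",
-";String;true;init(format:locale:_:);;;Argument[0];ReturnValue;taint", //0,2..
+";String;true;init(data:encoding:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(validatingUTF8:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(validatingUTF8:);;;Argument[0].ArrayElement;ReturnValue.OptionalSome;taint",
+";String;true;init(validatingUTF8:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
+";String;true;init(utf16CodeUnits:count:);;;Argument[0].CollectionElement;ReturnValue;taint",
+";String;true;init(utf16CodeUnitsNoCopy:count:freeWhenDone:);;;Argument[0].CollectionElement;ReturnValue;taint",
+";String;true;init(format:_:);;;Argument[0];ReturnValue;taint",
+";String;true;init(format:_:);;;Argument[1].ArrayElement;ReturnValue;taint",
+";String;true;init(format:arguments:);;;Argument[0];ReturnValue;taint",
+";String;true;init(format:arguments:);;;Argument[1].ArrayElement;ReturnValue;taint",
+";String;true;init(format:locale:_:);;;Argument[0];ReturnValue;taint",
+";String;true;init(format:locale:_:);;;Argument[2].ArrayElement;ReturnValue;taint",
 ";String;true;init(format:locale:arguments:);;;Argument[0];ReturnValue;taint",
+";String;true;init(format:locale:arguments:);;;Argument[2].ArrayElement;ReturnValue;taint",
 ";String;true;init(_:radix:uppercase:);;;Argument[0];ReturnValue;taint",
-";String;true;init(bytes:encoding:);;;Argument[0];ReturnValue;taint",
-";String;true;init(bytesNoCopy:length:encoding:freeWhenDone:);;;Argument[0];ReturnValue;taint",
+";String;true;init(bytes:encoding:);;;Argument[0].ArrayElement;ReturnValue.OptionalSome;taint",
+";String;true;init(bytes:encoding:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
+";String;true;init(bytesNoCopy:length:encoding:freeWhenDone:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
 ";String;true;init(describing:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(contentsOf:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(contentsOf:encoding:);;;Argument[0];ReturnValue;taint",
@@ -88,16 +98,26 @@ private class StringSummaries extends SummaryModelCsv {
 ";String;true;init(contentsOfFile:encoding:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(contentsOfFile:usedEncoding:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(from:);;;Argument[0];ReturnValue;taint",
+";String;true;init(from:);;;Argument[0];ReturnValue.OptionalSome;taint",
 ";String;true;init(stringInterpolation:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(stringLiteral:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(unicodeScalarLiteral:);;;Argument[0];ReturnValue;taint",
 ";String;true;init(extendedGraphemeClusterLiteral:);;;Argument[0];ReturnValue;taint",
-";String;true;init(cString:encoding:);;;Argument[0];ReturnValue;taint",
+";String;true;init(cString:encoding:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(cString:encoding:);;;Argument[0].ArrayElement;ReturnValue.OptionalSome;taint",
+";String;true;init(cString:encoding:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
 ";String;true;init(platformString:);;;Argument[0];ReturnValue;taint",
-";String;true;init(utf8String:);;;Argument[0];ReturnValue;taint",
-";String;true;init(validating:);;;Argument[0];ReturnValue;taint",
-";String;true;init(validatingPlatformString:);;;Argument[0];ReturnValue;taint",
-";String;true;localizedStringWithFormat(_:_:);;;Argument[0..1];ReturnValue;taint",
+";String;true;init(platformString:);;;Argument[0].ArrayElement;ReturnValue;taint",
+";String;true;init(platformString:);;;Argument[0].CollectionElement;ReturnValue;taint",
+";String;true;init(utf8String:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(utf8String:);;;Argument[0].ArrayElement;ReturnValue.OptionalSome;taint",
+";String;true;init(utf8String:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
+";String;true;init(validating:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(validatingPlatformString:);;;Argument[0];ReturnValue.OptionalSome;taint",
+";String;true;init(validatingPlatformString:);;;Argument[0].ArrayElement;ReturnValue.OptionalSome;taint",
+";String;true;init(validatingPlatformString:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
+";String;true;localizedStringWithFormat(_:_:);;;Argument[0];ReturnValue;taint",
+";String;true;localizedStringWithFormat(_:_:);;;Argument[1].ArrayContent;ReturnValue;taint",
 ";String;true;write(_:);;;Argument[0];Argument[-1];taint",
 ";String;true;write(to:);;;Argument[-1];Argument[0];taint",
 ";String;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",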
