Swift: Model update(repeating:), to support the tests.

geoffw0 · geoffw0 · commit 49d1556c29d4 · 2023-08-04T09:18:36.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
@@ -4,6 +4,7 @@
  */
 
 import swift
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A Swift unsafe typed pointer type such as `UnsafePointer`,
@@ -57,3 +58,12 @@ class CVaListPointerType extends NominalType {
 class ManagedBufferPointerType extends BoundGenericType {
   ManagedBufferPointerType() { this.getName().matches("ManagedBufferPointer<%") }
 }
+
+/**
+ * A model for `UnsafePointer` and related Swift class members that permit taint flow.
+ */
+private class PointerSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1];taint"
+  }
+}
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift
@@ -45,8 +45,8 @@ func taintThroughMutablePointer() {
   let return1 = myArray1.withUnsafeMutableBufferPointer({
     buffer in
     buffer.update(repeating: source())
-    sink(arg: buffer)
-    sink(arg: buffer[0]) // $ MISSING: tainted=47
+    sink(arg: buffer) // $ tainted=47
+    sink(arg: buffer[0]) // $ tainted=47
     sink(arg: buffer.baseAddress!.pointee) // $ MISSING: tainted=47
     return source()
   })
@@ -81,8 +81,8 @@ func taintThroughMutablePointer() {
   let return3 = myArray3.withContiguousMutableStorageIfAvailable({
     ptr in
     ptr.update(repeating: source())
-    sink(arg: ptr)
-    sink(arg: ptr[0]) // $ MISSING: tainted=83
+    sink(arg: ptr) // $ tainted=83
+    sink(arg: ptr[0]) // $ tainted=83
     return source()
   })
   sink(arg: return3!) // $ MISSING: tainted=83
@@ -129,8 +129,8 @@ func taintThroughMutablePointer() {
   let return6 = myMutableBuffer.withContiguousMutableStorageIfAvailable({
     ptr in
     ptr.update(repeating: source2())
-    sink(arg: ptr)
-    sink(arg: ptr[0]) // $ MISSING: tainted=131
+    sink(arg: ptr) // $ tainted=131
+    sink(arg: ptr[0]) // $ tainted=131
     return source()
   })
   sink(arg: return6!) // $ MISSING: tainted=134
