Swift: Add some more test cases, including handling return propagation.

geoffw0 · geoffw0 · commit 52e84ba12bfe · 2023-07-21T13:53:14.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -25,7 +25,7 @@ private class SequenceSummaries extends SummaryModelCsv {
         ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
         ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
         ";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",
-        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint"
       ]
   }
 }
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -599,3 +599,52 @@ func untaintedFields() {
   sink(arg: String.defaultCStringEncoding)
   sink(arg: tainted.isContiguousUTF8)
 }
+
+func callbackWithCleanPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr)
+
+  return 0
+}
+
+func callbackWithTaintedPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr) // $ tainted=617
+
+  return source()
+}
+
+func furtherTaintThroughCallbacks() {
+  let clean = ""
+  let tainted = source2()
+
+  // return values from the closure (1)
+  let result1 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  })
+  sink(arg: result1!)
+  let result2 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  })
+  sink(arg: result2!) // $ MISSING: tainted=627
+
+  // return values from the closure (2)
+  if let result3 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  }) {
+    sink(arg: result3)
+  }
+  if let result4 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  }) {
+    sink(arg: result4) // $ MISSING: tainted=640
+  }
+
+  // using a non-closure function
+  let result5 = try? clean.withContiguousStorageIfAvailable(callbackWithCleanPointer)
+  sink(arg: result5!)
+  let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
+  sink(arg: result6!) // $ MISSING: tainted=612
+}

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ private class SequenceSummaries extends SummaryModelCsv {`
`25`	`25`	`";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",`
`26`	`26`	`";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",`
`27`	`27`	`";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",`
`28`		`- ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",`
	`28`	`+ ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint"`
`29`	`29`	`]`
`30`	`30`	`}`
`31`	`31`	`}`