Swift: Add closure function models.

geoffw0 · geoffw0 · commit 664dc01c485a · 2023-08-04T09:18:36.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Array.qll
@@ -13,14 +13,32 @@ class ArrayType extends Type {
 }
 
 /**
- * A model for `Array` and related class members that permit data flow.
+ * A model for `Array` and related Swift class members that permit taint flow.
  */
 private class ArraySummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
         ";Array;true;insert(_:at:);;;Argument[0];Argument[-1].ArrayElement;value",
-        ";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint"
+        ";Array;true;insert(_:at:);;;Argument[1];Argument[-1];taint",
+        ";Array;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Array;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+        ";Array;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";Array;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+        ";Array;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";ContiguousArray;true;withUnsafeBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+        ";ContiguousArray;true;withUnsafeMutableBufferPointer(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+        ";ContiguousArray;true;withUnsafeMutableBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";ContiguousBytes;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
       ]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -8,7 +8,7 @@ private import codeql.swift.dataflow.ExternalFlow
 private import codeql.swift.dataflow.FlowSteps
 
 /**
- * A model for `Collection` members that permit taint flow.
+ * A model for `Collection` and related Swift class members that permit taint flow.
  */
 private class CollectionSummaries extends SummaryModelCsv {
   override predicate row(string row) {
@@ -35,6 +35,9 @@ private class CollectionSummaries extends SummaryModelCsv {
         ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
         ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
         ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
+        ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0];Argument[-1];taint",
+        ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",
       ]
   }
 }
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift
@@ -34,7 +34,7 @@ func taintThroughClosurePointer() {
     sink(arg: ptr2[0]) // $ MISSING: tainted=28
     return source()
   })
-  sink(arg: return2) // $ MISSING: tainted=35
+  sink(arg: return2) // $ tainted=35
 }
 
 func taintThroughMutablePointer() {
@@ -45,14 +45,14 @@ func taintThroughMutablePointer() {
   let return1 = myArray1.withUnsafeMutableBufferPointer({
     buffer in
     buffer.update(repeating: source())
-    sink(arg: buffer) // $ tainted=47
+    sink(arg: buffer) // $ SPURIOUS: tainted=47
     sink(arg: buffer[0]) // $ tainted=47
     sink(arg: buffer.baseAddress!.pointee) // $ MISSING: tainted=47
     return source()
   })
-  sink(arg: return1) // $ MISSING: tainted=47
-  sink(arg: myArray1)
-  sink(arg: myArray1[0]) // $ MISSING: tainted=47
+  sink(arg: return1) // $ tainted=51
+  sink(arg: myArray1) // $ tainted=47
+  sink(arg: myArray1[0]) // $ tainted=47
 
   // ---
 
@@ -68,7 +68,7 @@ func taintThroughMutablePointer() {
     sink(arg: buffer.baseAddress!.pointee) // $ MISSING: tainted=65
     return source()
   })
-  sink(arg: return2) // $ MISSING: tainted=65
+  sink(arg: return2) // $ tainted=69
   sink(arg: myArray2)
   sink(arg: myArray2[0]) // $ MISSING: tainted=65
 
@@ -81,13 +81,13 @@ func taintThroughMutablePointer() {
   let return3 = myArray3.withContiguousMutableStorageIfAvailable({
     ptr in
     ptr.update(repeating: source())
-    sink(arg: ptr) // $ tainted=83
+    sink(arg: ptr) // $ SPURIOUS: tainted=83
     sink(arg: ptr[0]) // $ tainted=83
     return source()
   })
-  sink(arg: return3!) // $ MISSING: tainted=83
-  sink(arg: myArray3)
-  sink(arg: myArray3[0]) // $ MISSING: tainted=83
+  sink(arg: return3!) // $ tainted=86
+  sink(arg: myArray3) // $ SPURIOUS: tainted=83
+  sink(arg: myArray3[0]) // $ tainted=83
 
   // ---
 
@@ -113,7 +113,7 @@ func taintThroughMutablePointer() {
     sink(arg: return5) // $ MISSING: tainted=111
     return source()
   })
-  sink(arg: return4) // $ MISSING: tainted=114
+  sink(arg: return4) // $ tainted=114
   sink(arg: myArray4)
   sink(arg: myArray4[0]) // $ MISSING: tainted=97
   sink(arg: myArray5)
@@ -133,9 +133,9 @@ func taintThroughMutablePointer() {
     sink(arg: ptr[0]) // $ tainted=131
     return source()
   })
-  sink(arg: return6!) // $ MISSING: tainted=134
-  sink(arg: myMutableBuffer)
-  sink(arg: myMutableBuffer[0]) // $ MISSING: tainted=131
+  sink(arg: return6!) // $ tainted=134
+  sink(arg: myMutableBuffer) // $ SPURIOUS: tainted=131
+  sink(arg: myMutableBuffer[0]) // $ tainted=131
 }
 
 func taintCollections(array: inout Array<Int>, contiguousArray: inout ContiguousArray<Int>, dictionary: inout Dictionary<Int, Int>) {
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -480,7 +480,7 @@ func taintFromUInt8Array() {
   })
   try! taintedUInt8Values.withUnsafeBufferPointer({
     (buffer: UnsafeBufferPointer<UInt8>) throws in
-    sink(arg: buffer) // $ MISSING: tainted=450
+    sink(arg: buffer) // $ tainted=450
     sink(arg: buffer.baseAddress!) // $ MISSING: tainted=450
     sink(arg: String(cString: buffer.baseAddress!)) // $ MISSING: tainted=450
   })
@@ -493,7 +493,7 @@ func taintFromUInt8Array() {
   })
   try! taintedUInt8Values.withUnsafeMutableBytes({
     (buffer: UnsafeMutableRawBufferPointer) throws in
-    sink(arg: buffer) // $ MISSING: tainted=450
+    sink(arg: buffer) // $ tainted=450
     sink(arg: buffer.baseAddress!) // $ MISSING: tainted=450
     sink(arg: String(bytesNoCopy: buffer.baseAddress!, length: buffer.count, encoding: String.Encoding.utf8, freeWhenDone: false)!) // $ MISSING: tainted=450
   })
@@ -515,7 +515,7 @@ func taintThroughCCharArray() {
   })
   taintedCCharValues.withUnsafeBufferPointer({
     ptr in
-    sink(arg: ptr) // $ MISSING: tainted=506
+    sink(arg: ptr) // $ tainted=506
     sink(arg: ptr.baseAddress!) // $ MISSING: tainted=506
     sink(arg: String(utf8String: ptr.baseAddress!)!) // $ MISSING: tainted=506
     sink(arg: String(validatingUTF8: ptr.baseAddress!)!) // $ MISSING: tainted=506
@@ -541,7 +541,7 @@ func taintThroughUnicharArray() {
   })
   taintedUnicharValues.withUnsafeBufferPointer({
     ptr in
-    sink(arg: ptr) // $ MISSING: tainted=533
+    sink(arg: ptr) // $ tainted=533
     sink(arg: ptr.baseAddress!) // $ MISSING: tainted=533
     sink(arg: String(utf16CodeUnits: ptr.baseAddress!, count: ptr.count)) // $ MISSING: tainted=533
     sink(arg: String(utf16CodeUnitsNoCopy: ptr.baseAddress!, count: ptr.count, freeWhenDone: false)) // $ MISSING: tainted=533
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
@@ -10,24 +10,28 @@ edges
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:276:13:276:13 | string |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:279:13:279:13 | string |
 | UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:299:13:299:13 | string |
 | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:204:7:204:66 | try! ... |
 | UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:265:13:265:13 | string |
 | UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:268:13:268:13 | string |
 | UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:276:13:276:13 | string |
 | UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:279:13:279:13 | string |
 | UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:205:7:205:7 | remoteString | UnsafeJsEval.swift:299:13:299:13 | string |
 | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string |
 | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string |
 | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string |
 | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string |
 | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string |
 | UnsafeJsEval.swift:211:19:211:41 | call to Data.init(_:) | UnsafeJsEval.swift:214:24:214:24 | remoteData |
 | UnsafeJsEval.swift:211:24:211:37 | .utf8 | UnsafeJsEval.swift:211:19:211:41 | call to Data.init(_:) |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:265:13:265:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:268:13:268:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:276:13:276:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:279:13:279:13 | string |
 | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:285:13:285:13 | string |
+| UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:299:13:299:13 | string |
 | UnsafeJsEval.swift:214:24:214:24 | remoteData | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) |
 | UnsafeJsEval.swift:265:13:265:13 | string | UnsafeJsEval.swift:266:43:266:43 | string |
 | UnsafeJsEval.swift:266:43:266:43 | string | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) |
@@ -43,6 +47,14 @@ edges
 | UnsafeJsEval.swift:287:31:287:97 | call to JSStringCreateWithCharacters(_:_:) | UnsafeJsEval.swift:287:16:287:98 | call to JSStringRetain(_:) |
 | UnsafeJsEval.swift:287:60:287:60 | stringBytes | UnsafeJsEval.swift:287:60:287:72 | .baseAddress |
 | UnsafeJsEval.swift:287:60:287:72 | .baseAddress | UnsafeJsEval.swift:287:31:287:97 | call to JSStringCreateWithCharacters(_:_:) |
+| UnsafeJsEval.swift:299:13:299:13 | string | UnsafeJsEval.swift:300:3:300:10 | .utf8CString |
+| UnsafeJsEval.swift:300:3:300:10 | .utf8CString | UnsafeJsEval.swift:300:48:300:48 | stringBytes |
+| UnsafeJsEval.swift:300:48:300:48 | stringBytes | UnsafeJsEval.swift:301:61:301:61 | stringBytes |
+| UnsafeJsEval.swift:301:16:301:85 | call to JSStringRetain(_:) | UnsafeJsEval.swift:305:17:305:17 | jsstr |
+| UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) | UnsafeJsEval.swift:124:21:124:42 | string |
+| UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) | UnsafeJsEval.swift:301:16:301:85 | call to JSStringRetain(_:) |
+| UnsafeJsEval.swift:301:61:301:61 | stringBytes | UnsafeJsEval.swift:301:61:301:73 | .baseAddress |
+| UnsafeJsEval.swift:301:61:301:73 | .baseAddress | UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) |
 | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... |
 nodes
 | UnsafeJsEval.swift:124:21:124:42 | string | semmle.label | string |
@@ -76,10 +88,19 @@ nodes
 | UnsafeJsEval.swift:287:60:287:60 | stringBytes | semmle.label | stringBytes |
 | UnsafeJsEval.swift:287:60:287:72 | .baseAddress | semmle.label | .baseAddress |
 | UnsafeJsEval.swift:291:17:291:17 | jsstr | semmle.label | jsstr |
+| UnsafeJsEval.swift:299:13:299:13 | string | semmle.label | string |
+| UnsafeJsEval.swift:300:3:300:10 | .utf8CString | semmle.label | .utf8CString |
+| UnsafeJsEval.swift:300:48:300:48 | stringBytes | semmle.label | stringBytes |
+| UnsafeJsEval.swift:301:16:301:85 | call to JSStringRetain(_:) | semmle.label | call to JSStringRetain(_:) |
+| UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) | semmle.label | call to JSStringCreateWithUTF8CString(_:) |
+| UnsafeJsEval.swift:301:61:301:61 | stringBytes | semmle.label | stringBytes |
+| UnsafeJsEval.swift:301:61:301:73 | .baseAddress | semmle.label | .baseAddress |
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | semmle.label | jsstr |
 | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
 | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 subpaths
 | UnsafeJsEval.swift:287:31:287:97 | call to JSStringCreateWithCharacters(_:_:) | UnsafeJsEval.swift:124:21:124:42 | string | UnsafeJsEval.swift:124:70:124:70 | string | UnsafeJsEval.swift:287:16:287:98 | call to JSStringRetain(_:) |
+| UnsafeJsEval.swift:301:31:301:84 | call to JSStringCreateWithUTF8CString(_:) | UnsafeJsEval.swift:124:21:124:42 | string | UnsafeJsEval.swift:124:70:124:70 | string | UnsafeJsEval.swift:301:16:301:85 | call to JSStringRetain(_:) |
 #select
 | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
@@ -91,4 +112,6 @@ subpaths
 | UnsafeJsEval.swift:280:26:280:26 | string | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:280:26:280:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:291:17:291:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:291:17:291:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:165:14:165:37 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:305:17:305:17 | jsstr | UnsafeJsEval.swift:204:12:204:66 | call to String.init(contentsOf:) | UnsafeJsEval.swift:305:17:305:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
 | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | UnsafeJsEval.swift:318:24:318:87 | call to String.init(contentsOf:) | UnsafeJsEval.swift:320:44:320:74 | ... .+(_:_:) ... | Evaluation of uncontrolled JavaScript from a remote source. |

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ private import codeql.swift.dataflow.ExternalFlow`
`8`	`8`	`private import codeql.swift.dataflow.FlowSteps`
`9`	`9`
`10`	`10`	`/**`
`11`		- * A model for `Collection` members that permit taint flow.
	`11`	+ * A model for `Collection` and related Swift class members that permit taint flow.
`12`	`12`	`*/`
`13`	`13`	`private class CollectionSummaries extends SummaryModelCsv {`
`14`	`14`	`override predicate row(string row) {`
`@@ -35,6 +35,9 @@ private class CollectionSummaries extends SummaryModelCsv {`
`35`	`35`	`";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",`
`36`	`36`	`";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",`
`37`	`37`	`";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",`
	`38`	`+ ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",`
	`39`	`+ ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0];Argument[-1];taint",`
	`40`	`+ ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue.OptionalSome;value",`
`38`	`41`	`]`
`39`	`42`	`}`
`40`	`43`	`}`