Swift: Model FilePath.

Author: geoffw0

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/FilePath.qll

@@ -3,9 +3,13 @@
  */
 
 import swift
+private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
 
-/** The struct `FilePath`. */
+/**
+ * The struct `FilePath`.
+ */
 class FilePath extends StructDecl {
   FilePath() { this.getFullName() = "FilePath" }
 }
@@ -15,6 +19,78 @@ class FilePath extends StructDecl {
  */
 private class FilePathSummaries extends SummaryModelCsv {
   override predicate row(string row) {
-    row = ";FilePath;true;init(stringLiteral:);(String);;Argument[0];ReturnValue;taint"
+    row =
+      [
+        ";FilePath;true;init(stringLiteral:);(String);;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(extendedGraphemeClusterLiteral:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(unicodeScalarLiteral:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(from:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(cString:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(platformString:);;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init(root:_:);;;Argument[0..1];ReturnValue;taint",
+        ";FilePath;true;init(root:components:);;;Argument[0..1];ReturnValue;taint",
+        ";FilePath;true;init();;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;init();;;Argument[0];ReturnValue;taint",
+        ";FilePath;true;encode(to:);;;Argument[-1];Argument[0];taint",
+        ";FilePath;true;withCString(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";FilePath;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";FilePath;true;append(_:);;;Argument[0];Argument[-1];taint",
+        ";FilePath;true;appending(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";FilePath;true;lexicallyNormalized();;;Argument[-1];ReturnValue;taint",
+        ";FilePath;true;lexicallyResolving(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";FilePath;true;push(_:);;;Argument[0];Argument[-1];taint",
+        ";FilePath;true;pushing(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";FilePath;true;removingLastComponent();;;Argument[-1];ReturnValue;taint",
+        ";FilePath;true;removingRoot();;;Argument[-1];ReturnValue;taint",
+        ";FilePath.Component;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FilePath.Component;true;init(platformString:);;;Argument[0];ReturnValue;taint",
+        ";FilePath.Component;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";FilePath.Root;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FilePath.Root;true;init(platformString:);;;Argument[0];ReturnValue;taint",
+        ";FilePath.Root;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0];taint"
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `FilePath` is tainted, certain fields are also
+ * tainted.
+ */
+private class FilePathFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  FilePathFieldsInheritTaint() {
+    exists(FieldDecl f | this.getField() = f |
+      (
+        f.getEnclosingDecl().(NominalTypeDecl) instanceof FilePath or
+        f.getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl() instanceof FilePath
+      ) and
+      f.getName() =
+        [
+          "description", "debugDescription", "components", "extension", "lastComponent", "root",
+          "stem", "string"
+        ]
+    )
+  }
+}
+
+/**
+ * A content implying that, if a `FilePath.Component` or `FilePath.Root` is tainted, certain fields
+ * are also tainted.
+ */
+private class FilePathComponentFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  FilePathComponentFieldsInheritTaint() {
+    exists(FieldDecl f | this.getField() = f |
+      (
+        f.getEnclosingDecl().(NominalTypeDecl).getFullName() =
+          ["FilePath.Component", "FilePath.Root"] or
+        f.getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getName() =
+          ["FilePath.Component", "FilePath.Root"]
+      ) and
+      f.getName() = ["extension", "stem", "string"]
+    )
   }
 }

swift/ql/test/library-tests/dataflow/taint/libraries/files.swift

@@ -107,24 +107,24 @@ func test_files(e1: Encoder) {
 	// --- FilePath.Root, FilePath.Component ---
 
 	sink(string: FilePath.Root("/")!.string)
-	sink(string: FilePath.Root(sourceString())!.string) // $ MISSING: tainted=
+	sink(string: FilePath.Root(sourceString())!.string) // $ tainted=110
 	sink(string: FilePath.Component("path")!.string)
-	sink(string: FilePath.Component(sourceString())!.string) // $ MISSING: tainted=
+	sink(string: FilePath.Component(sourceString())!.string) // $ tainted=112
 
 	// --- FilePath constructors ---
 
 	let cleanUrl = URL(string: "https://example.com")!
 	let taintedUrl = URL(string: sourceString())!
 
 	sink(filePath: FilePath("my/path"))
-	sink(filePath: FilePath(sourceString())) // $ MISSING: tainted=
+	sink(filePath: FilePath(sourceString())) // $ tainted=120
 	sink(filePath: FilePath(cleanUrl)!)
-	sink(filePath: FilePath(taintedUrl)!) // $ MISSING: tainted=
-	sink(filePath: FilePath(from: sourceDecoder())) // $ MISSING: tainted=
-	sink(filePath: FilePath(cString: sourceCCharArray())) // $ MISSING: tainted=
-	sink(filePath: FilePath(cString: sourceCString())) // $ MISSING: tainted=
+	sink(filePath: FilePath(taintedUrl)!) // $ tainted=117
+	sink(filePath: FilePath(from: sourceDecoder())) // $ tainted=123
+	sink(filePath: FilePath(cString: sourceCCharArray())) // $ tainted=124
+	sink(filePath: FilePath(cString: sourceCString())) // $ tainted=125
 	sink(filePath: FilePath(root: FilePath.Root("/"), [FilePath.Component("my")!, FilePath.Component("path")!]))
-	sink(filePath: FilePath(root: FilePath.Root(sourceString()), [FilePath.Component("my")!, FilePath.Component("path")!])) // $ MISSING: tainted=
+	sink(filePath: FilePath(root: FilePath.Root(sourceString()), [FilePath.Component("my")!, FilePath.Component("path")!])) // $ tainted=127
 	sink(filePath: FilePath(root: FilePath.Root("/"), [FilePath.Component("my")!, FilePath.Component(sourceString())!])) // $ MISSING: tainted=
 
 	// --- FilePath methods ---
@@ -133,28 +133,28 @@ func test_files(e1: Encoder) {
 	let tainted = FilePath(sourceString())
 
 	sink(filePath: clean)
-	sink(filePath: tainted) // $ MISSING: tainted=
+	sink(filePath: tainted) // $ tainted=133
 
 	sink(encoder: e1)
 	try! clean.encode(to: e1)
 	sink(encoder: e1)
 	try! tainted.encode(to: e1)
 	sink(encoder: e1) // $ MISSING: tainted=
 
-	sink(string: String(decoding: tainted)) // $ MISSING: tainted=
-	sink(string: String(validating: tainted)!) // $ MISSING: tainted=
+	sink(string: String(decoding: tainted)) // $ tainted=133
+	sink(string: String(validating: tainted)!) // $ tainted=133
 
 	sink(filePath: clean.lexicallyResolving(clean)!)
-	sink(filePath: tainted.lexicallyResolving(clean)!) // $ MISSING: tainted=
-	sink(filePath: clean.lexicallyResolving(tainted)!) // $ MISSING: tainted=
+	sink(filePath: tainted.lexicallyResolving(clean)!) // $ tainted=133
+	sink(filePath: clean.lexicallyResolving(tainted)!) // $ tainted=133
 
 	let _ = clean.withCString({
 		ptr in
 		sink(ptr: ptr)
 	})
 	let _ = tainted.withCString({
 		ptr in
-		sink(ptr: ptr) // $ MISSING: tainted=
+		sink(ptr: ptr) // $ tainted=133
 	})
 
 	let _ = clean.withPlatformString({
@@ -165,37 +165,37 @@ func test_files(e1: Encoder) {
 	})
 	let _ = tainted.withPlatformString({
 		ptr in
-		sink(ptr: ptr) // $ MISSING: tainted=
-		sink(string: String(platformString: ptr)) // $ MISSING: tainted=
-		sink(string: String(validatingPlatformString: ptr)!) // $ MISSING: tainted=
+		sink(ptr: ptr) // $ tainted=133
+		sink(string: String(platformString: ptr)) // $ tainted=133
+		sink(string: String(validatingPlatformString: ptr)!) // $ tainted=133
 	})
 
  	var fp1 = FilePath("")
 	sink(filePath: fp1)
 	fp1.append(sourceString())
-	sink(filePath: fp1) // $ MISSING: tainted=
+	sink(filePath: fp1) // $ tainted=175
 	fp1.append("")
-	sink(filePath: fp1) // $ MISSING: tainted=
+	sink(filePath: fp1) // $ tainted=175
 
 	sink(filePath: clean.appending(""))
-	sink(filePath: clean.appending(sourceString())) // $ MISSING: tainted=
-	sink(filePath: tainted.appending("")) // $ MISSING: tainted=
-	sink(filePath: tainted.appending(sourceString())) // $ MISSING: tainted=
+	sink(filePath: clean.appending(sourceString())) // $ tainted=181
+	sink(filePath: tainted.appending("")) // $ tainted=133
+	sink(filePath: tainted.appending(sourceString())) // $ tainted=133 tainted=183
 
 	// --- FilePath member variables ---
 
-	sink(string: tainted.description) // $ MISSING: tainted=
-	sink(string: tainted.debugDescription) // $ MISSING: tainted=
-	sink(string: tainted.extension!) // $ MISSING: tainted=
-	sink(string: tainted.stem!) // $ MISSING: tainted=
-	sink(string: tainted.string) // $ MISSING: tainted=
+	sink(string: tainted.description) // $ tainted=133
+	sink(string: tainted.debugDescription) // $ tainted=133
+	sink(string: tainted.extension!) // $ tainted=133
+	sink(string: tainted.stem!) // $ tainted=133
+	sink(string: tainted.string) // $ tainted=133
 
-	sink(component: tainted.lastComponent!) // $ MISSING: tainted=
-	sink(string: tainted.lastComponent!.string) // $ MISSING: tainted=
-	sink(root: tainted.root!) // $ MISSING: tainted=
-	sink(string: tainted.root!.string) // $ MISSING: tainted=
+	sink(component: tainted.lastComponent!) // $ tainted=133
+	sink(string: tainted.lastComponent!.string) // $ tainted=133
+	sink(root: tainted.root!) // $ tainted=133
+	sink(string: tainted.root!.string) // $ tainted=133
 
 	let taintedComponents = tainted.components
-	sink(componentView: taintedComponents) // $ MISSING: tainted=
-	sink(string: taintedComponents[taintedComponents.startIndex].string) // $ MISSING: tainted=
+	sink(componentView: taintedComponents) // $ tainted=133
+	sink(string: taintedComponents[taintedComponents.startIndex].string) // $ tainted=133
 }