Merge pull request github#13291 from geoffw0/correction

MathiasVP · web-flow · commit 7361ad977a5d · 2023-05-25T11:28:42.000-07:00
Swift: Promote some Data models to DataProtocol
diff --git a/swift/ql/lib/change-notes/2023-05-25-dataprotocol-models.md b/swift/ql/lib/change-notes/2023-05-25-dataprotocol-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some models for the `Data` class have been generalized to `DataProtocol` so that they apply more widely.
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Data.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Data.qll
@@ -26,9 +26,9 @@ private class DataSummaries extends SummaryModelCsv {
         ";Data;true;base64EncodedData(options:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;base64EncodedString(options:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;compactMap(_:);;;Argument[-1];ReturnValue;taint",
-        ";Data;true;copyBytes(to:);;;Argument[-1];Argument[0];taint",
-        ";Data;true;copyBytes(to:count:);;;Argument[-1];Argument[0];taint",
-        ";Data;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
+        ";DataProtocol;true;copyBytes(to:);;;Argument[-1];Argument[0];taint",
+        ";DataProtocol;true;copyBytes(to:count:);;;Argument[-1];Argument[0];taint",
+        ";DataProtocol;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
         ";Data;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",
         ";Data;true;map(_:);;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift
@@ -7,7 +7,19 @@ protocol SortComparator {
 	associatedtype Compared
 }
 
-struct Data : RangeReplaceableCollection
+protocol DataProtocol {
+}
+extension DataProtocol {
+	func copyBytes(to: UnsafeMutableRawBufferPointer) {}
+	func copyBytes(to: UnsafeMutablePointer<UInt8>, count: Int) {}
+	func copyBytes(to: UnsafeMutablePointer<UInt8>, from: Range<Data.Index>) {}
+}
+extension UnsafeRawBufferPointer : DataProtocol { }
+extension Array : DataProtocol where Element == UInt8 { }
+
+protocol MutableDataProtocol : DataProtocol, RangeReplaceableCollection { }
+
+struct Data : MutableDataProtocol
 {
 	struct Base64EncodingOptions : OptionSet { let rawValue: Int }
 	struct Base64DecodingOptions : OptionSet { let rawValue: Int }
@@ -82,182 +94,193 @@ func taintThroughData() {
 	let dataTainted2 = Data(dataTainted)
 
 	sink(arg: dataClean)
-	sink(arg: dataTainted) // $ tainted=81
-	sink(arg: dataTainted2) // $ tainted=81
+	sink(arg: dataTainted) // $ tainted=93
+	sink(arg: dataTainted2) // $ tainted=93
 
 	// ";Data;true;init(base64Encoded:options:);;;Argument[0];ReturnValue;taint",
 	let dataTainted3 = Data(base64Encoded: source() as! Data, options: [])
-	sink(arg: dataTainted3) // $ tainted=89
+	sink(arg: dataTainted3) // $ tainted=101
 
 	// ";Data;true;init(buffer:);;;Argument[0];ReturnValue;taint",
 	let dataTainted4 = Data(buffer: source() as! UnsafeBufferPointer<UInt8>)
-	sink(arg: dataTainted4)  // $ tainted=93
+	sink(arg: dataTainted4)  // $ tainted=105
 	let dataTainted5 = Data(buffer: source() as! UnsafeMutablePointer<UInt8>)
-	sink(arg: dataTainted5)  // $ tainted=95
+	sink(arg: dataTainted5)  // $ tainted=107
 
 	// ";Data;true;init(bytes:count:);;;Argument[0];ReturnValue;taint",
 	let dataTainted6 = Data(bytes: source() as! UnsafeRawPointer, count: 0)
-	sink(arg: dataTainted6)  // $ tainted=99
+	sink(arg: dataTainted6)  // $ tainted=111
 
 	// ";Data;true;init(bytesNoCopy:count:deallocator:);;;Argument[0];ReturnValue;taint",
 	let dataTainted7 = Data(bytesNoCopy: source() as! UnsafeRawPointer, count: 0, deallocator: Data.Deallocator.none)
-	sink(arg: dataTainted7)  // $ tainted=103
+	sink(arg: dataTainted7)  // $ tainted=115
 
 	// ";Data;true;init(contentsOf:options:);;;Argument[0];ReturnValue;taint",
 	let urlTainted8 = source() as! URL
 	let dataTainted8 = Data(contentsOf: urlTainted8, options: [])
-	sink(arg: dataTainted8)  // $ tainted=107
+	sink(arg: dataTainted8)  // $ tainted=119
 
 	// ";Data;true;init(referencing:);;;Argument[0];ReturnValue;taint",
 	let dataTainted9 = Data(referencing: source() as! NSData)
-	sink(arg: dataTainted9)  // $ tainted=112
+	sink(arg: dataTainted9)  // $ tainted=124
 
 	// ";Data;true;append(_:);;;Argument[0];Argument[-1];taint",
 	let dataTainted10 = Data("")
 	dataTainted10.append(source() as! Data)
-	sink(arg: dataTainted10) // $ tainted=117
+	sink(arg: dataTainted10) // $ tainted=129
 
 	let dataTainted11 = Data("")
 	dataTainted11.append(source() as! UInt8)
-	sink(arg: dataTainted11) // $ tainted=121
+	sink(arg: dataTainted11) // $ tainted=133
 
 	let dataTainted12 = Data("")
 	dataTainted12.append(source() as! UnsafeBufferPointer<UInt8>)
-	sink(arg: dataTainted12) // $ tainted=125
+	sink(arg: dataTainted12) // $ tainted=137
 
 	// ";Data;true;append(_:count:);;;Argument[0];Argument[-1];taint",
 	let dataTainted13 = Data("")
 	dataTainted13.append(source() as! UnsafePointer<UInt8>, count: 0)
-	sink(arg: dataTainted13) // $ tainted=130
+	sink(arg: dataTainted13) // $ tainted=142
 
 	// ";Data;true;append(contentsOf:);;;Argument[0];Argument[-1];taint",
 	let dataTainted14 = Data("")
 	dataTainted14.append(contentsOf: source() as! [UInt8])
-	sink(arg: dataTainted14) // $ tainted=135
+	sink(arg: dataTainted14) // $ tainted=147
 
 	// ";Data;true;base64EncodedData(options:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted15 = source() as! Data
-	sink(arg: dataTainted15.base64EncodedData(options: [])) // $ tainted=139
+	sink(arg: dataTainted15.base64EncodedData(options: [])) // $ tainted=151
 
 	// ";Data;true;base64EncodedString(options:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted16 = source() as! Data
-	sink(arg: dataTainted16.base64EncodedString(options: [])) // $ tainted=143
+	sink(arg: dataTainted16.base64EncodedString(options: [])) // $ tainted=155
 
 	// ";Data;true;compactMap(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted17 = source() as! Data
 	let compactMapped: [Int] = dataTainted17.compactMap { str in Int(str) }
-	sink(arg: compactMapped) // $ tainted=147
+	sink(arg: compactMapped) // $ tainted=159
 
 	// ";Data;true;copyBytes(to:);;;Argument[-1];Argument[0];taint",
 	let dataTainted18 = source() as! Data
 	let pointerTainted18 = UnsafeMutableRawBufferPointer.allocate(byteCount: 0, alignment: 0)
 	dataTainted18.copyBytes(to: pointerTainted18)
-	sink(arg: pointerTainted18) // $ tainted=152
+	sink(arg: pointerTainted18) // $ tainted=164
 
 	// ";Data;true;copyBytes(to:count:);;;Argument[-1];Argument[0];taint",
 	let dataTainted19 = source() as! Data
 	let pointerTainted19 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted19.copyBytes(to: pointerTainted19, count: 0)
-	sink(arg: pointerTainted19) // $ tainted=158
+	sink(arg: pointerTainted19) // $ tainted=170
 
 	// ";Data;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
 	let dataTainted20 = source() as! Data
 	let pointerTainted20 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted20.copyBytes(to: pointerTainted20, from: 0..<1)
-	sink(arg: pointerTainted20) // $ tainted=164
+	sink(arg: pointerTainted20) // $ tainted=176
 
 	// ";Data;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted21 = source() as! Data
 	let flatMapped = dataTainted21.flatMap { Array(repeating: $0, count: 0) }
-	sink(arg: flatMapped) // $ tainted=170
+	sink(arg: flatMapped) // $ tainted=182
 
 	let dataTainted22 = source() as! Data
 	let flatMapped2 = dataTainted22.flatMap { str in Int(str) }
-	sink(arg: flatMapped2) // $ tainted=174
+	sink(arg: flatMapped2) // $ tainted=186
 
 	// ";Data;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
 	let dataTainted23 = Data("")
 	dataTainted23.insert(source() as! UInt8, at: 0)
-	sink(arg: dataTainted23) // $ tainted=180
+	sink(arg: dataTainted23) // $ tainted=192
 
 	// ";Data;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",
 	let dataTainted24 = Data("")
 	dataTainted24.insert(contentsOf: source() as! [UInt8], at: 0)
-	sink(arg: dataTainted24) // $ tainted=185
+	sink(arg: dataTainted24) // $ tainted=197
 
 	// ";Data;true;map(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted25 = source() as! Data
 	let mapped = dataTainted25.map { $0 }
-	sink(arg: mapped) // $ tainted=189
+	sink(arg: mapped) // $ tainted=201
 
 	// ";Data;true;reduce(into:_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted26 = source() as! Data
 	let reduced = dataTainted26.reduce(into: [:]) { c, i in c[i, default: 0] += 1 }
-	sink(arg: reduced) // $ tainted=194
+	sink(arg: reduced) // $ tainted=206
 
 	// ";Data;true;replace(_:with:maxReplacements:);;;Argument[1];Argument[-1];taint",
 	let dataTainted27 = Data("")
 	dataTainted27.replace([0], with: source() as! [UInt8], maxReplacements: .max)
-	sink(arg: dataTainted27) // $ tainted=200
+	sink(arg: dataTainted27) // $ tainted=212
 
 	// ";Data;true;replaceSubrange(_:with:);;;Argument[1];Argument[-1];taint",
 	let dataTainted28 = Data("")
 	dataTainted28.replaceSubrange(1..<3, with: source() as! Data)
-	sink(arg: dataTainted28) // $ tainted=205
+	sink(arg: dataTainted28) // $ tainted=217
 
 	let dataTainted29 = Data("")
 	dataTainted29.replaceSubrange(1..<3, with: source() as! [UInt8])
-	sink(arg: dataTainted29) // $ tainted=209
+	sink(arg: dataTainted29) // $ tainted=221
 
 	let dataTainted30 = Data("")
 	dataTainted30.replaceSubrange(1..<3, with: source() as! UnsafeBufferPointer<UInt8>)
-	sink(arg: dataTainted30) // $ tainted=213
+	sink(arg: dataTainted30) // $ tainted=225
 
 	// ";Data;true;replaceSubrange(_:with:count:);;;Argument[1];Argument[-1];taint",
 	let dataTainted31 = Data("")
 	dataTainted31.replaceSubrange(1..<3, with: source() as! UnsafeRawPointer, count: 0)
-	sink(arg: dataTainted31) // $ tainted=218
+	sink(arg: dataTainted31) // $ tainted=230
 
 	// ";Data;true;replacing(_:with:maxReplacements:);;;Argument[1];Argument[-1];taint",
 	let dataTainted32 = Data("")
 	let _ = dataTainted32.replacing([0], with: source() as! [UInt8], maxReplacements: 0)
-	sink(arg: dataTainted32) // $ tainted=223
+	sink(arg: dataTainted32) // $ tainted=235
 
 	// ";Data;true;replacing(_:with:subrange:maxReplacements:);;;Argument[1];Argument[-1];taint",
 	let dataTainted33 = Data("")
 	let _ = dataTainted33.replacing([0], with: source() as! [UInt8], subrange: 1..<3, maxReplacements: 0)
-	sink(arg: dataTainted33) // $ tainted=228
+	sink(arg: dataTainted33) // $ tainted=240
 
 	// ";Data;true;reversed();;;Argument[-1];ReturnValue;taint",
 	let dataTainted34 = source() as! Data
-	sink(arg: dataTainted34.reversed()) // $ tainted=232
+	sink(arg: dataTainted34.reversed()) // $ tainted=244
 
 	// ";Data;true;sorted();;;Argument[-1];ReturnValue;taint",
 	let dataTainted35 = source() as! Data
-	sink(arg: dataTainted35.sorted()) // $ tainted=236
+	sink(arg: dataTainted35.sorted()) // $ tainted=248
 
 	// ";Data;true;sorted(by:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted36 = source() as! Data
-	sink(arg: dataTainted36.sorted{ _,_ in return false }) // $ tainted=240
+	sink(arg: dataTainted36.sorted{ _,_ in return false }) // $ tainted=252
 
 	// ";Data;true;sorted(using:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted37 = source() as! Data
-	sink(arg: dataTainted37.sorted(using: cmp()!)) // $ tainted=244
+	sink(arg: dataTainted37.sorted(using: cmp()!)) // $ tainted=256
 
 	// ";Data;true;shuffled();;;Argument[-1];ReturnValue;taint",
 	let dataTainted38 = source() as! Data
-	sink(arg: dataTainted38.shuffled()) // $ tainted=248
+	sink(arg: dataTainted38.shuffled()) // $ tainted=260
 
 	// ";Data;true;shuffled(using:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted39 = source() as! Data
-	var rng = rng()!
-	sink(arg: dataTainted39.shuffled(using: &rng)) // $ tainted=252
+	var myRng = rng()!
+	sink(arg: dataTainted39.shuffled(using: &myRng)) // $ tainted=264
 
 	// ";Data;true;trimmingPrefix(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted40 = source() as! Data
-	sink(arg: dataTainted40.trimmingPrefix([0])) // $ tainted=257
+	sink(arg: dataTainted40.trimmingPrefix([0])) // $ tainted=269
 
 	// ";Data;true;trimmingPrefix(while:);;;Argument[-1];ReturnValue;taint"
 	let dataTainted41 = source() as! Data
-	sink(arg: dataTainted41.trimmingPrefix { _ in false }) // $ tainted=261
+	sink(arg: dataTainted41.trimmingPrefix { _ in false }) // $ tainted=273
+
+	// ";DataProtocol;true;copyBytes(to:);;;Argument[-1];Argument[0];taint",
+	let dataTainted43 = source() as! UnsafeRawBufferPointer
+	let pointerTainted43 = UnsafeMutableRawBufferPointer.allocate(byteCount: 0, alignment: 0)
+	dataTainted43.copyBytes(to: pointerTainted43)
+	sink(arg: pointerTainted43) // $ tainted=277
+
+	let dataTainted44 = source() as! Array<UInt8>
+	let pointerTainted44 = UnsafeMutableRawBufferPointer.allocate(byteCount: 0, alignment: 0)
+	dataTainted44.copyBytes(to: pointerTainted44)
+	sink(arg: pointerTainted44) // $ tainted=282
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift
@@ -6,8 +6,8 @@ struct URL
 	init?(string: String) {}
 	init?(string: String, relativeTo: URL?) {}
 }
-
-struct Data {
+protocol DataProtocol { }
+struct Data : DataProtocol {
 	init<S>(_ elements: S) { count = 0 }
 
 	var count: Int

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Some models for the `Data` class have been generalized to `DataProtocol` so that they apply more widely.