Swift: Fix an issue with RegexTracking.qll using PotentialRegexEval rather than RegexEval.

geoffw0 · geoffw0 · commit 8a5f3e4825d0 · 2023-10-24T22:49:19.000+01:00
diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll
@@ -316,6 +316,12 @@ class RegexEval extends CallExpr instanceof PotentialRegexEval {
    */
   Expr getStringInput() { result = this.(PotentialRegexEval).getStringInput().asExpr() }
 
+  /**
+   * Gets a dataflow node for an options input that might contain parse mode
+   * flags (if any).
+   */
+  DataFlow::Node getAnOptionsInput() { result = this.(PotentialRegexEval).getAnOptionsInput() }
+
   /**
    * Gets a regular expression value that is evaluated here (if any can be identified).
    */
@@ -365,7 +371,7 @@ abstract class PotentialRegexEval extends CallExpr {
   abstract DataFlow::Node getStringInput();
 
   /**
-   * Gets a dataflow node for the options input that might contain parse mode
+   * Gets a dataflow node for an options input that might contain parse mode
    * flags (if any).
    */
   DataFlow::Node getAnOptionsInput() { none() }
diff --git a/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll b/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll
@@ -20,7 +20,7 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // evaluated directly as a regular expression
-    node = any(PotentialRegexEval eval).getRegexInput()
+    node.asExpr() = any(RegexEval eval).getRegexInput()
     or
     // used to create a regular expression object
     node = any(RegexCreation regexCreation).getStringInput()
@@ -41,7 +41,7 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // evaluation of the regex
-    node = any(PotentialRegexEval eval).getRegexInput()
+    node.asExpr() = any(RegexEval eval).getRegexInput()
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -67,8 +67,8 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node node, FlowState flowstate) {
     // evaluation of a regex
     (
-      node = any(PotentialRegexEval eval).getRegexInput() or
-      node = any(PotentialRegexEval eval).getAnOptionsInput()
+      node.asExpr() = any(RegexEval eval).getRegexInput() or
+      node = any(RegexEval eval).getAnOptionsInput()
     ) and
     exists(flowstate)
   }
diff --git a/swift/ql/test/library-tests/regex/parse.expected b/swift/ql/test/library-tests/regex/parse.expected
@@ -6334,21 +6334,11 @@ regex.swift:
 #  129| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
-#  130| [RegExpDot] .
-
-#  130| [RegExpStar] .*
-#-----| 0 -> [RegExpDot] .
-
 #  131| [RegExpDot] .
 
 #  131| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
-#  132| [RegExpDot] .
-
-#  132| [RegExpStar] .*
-#-----| 0 -> [RegExpDot] .
-
 #  136| [RegExpDot] .
 
 #  136| [RegExpStar] .*
@@ -6374,21 +6364,11 @@ regex.swift:
 #  153| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
-#  154| [RegExpDot] .
-
-#  154| [RegExpStar] .*
-#-----| 0 -> [RegExpDot] .
-
 #  155| [RegExpDot] .
 
 #  155| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
-#  156| [RegExpDot] .
-
-#  156| [RegExpStar] .*
-#-----| 0 -> [RegExpDot] .
-
 #  160| [RegExpDot] .
 
 #  160| [RegExpStar] .*
diff --git a/swift/ql/test/library-tests/regex/regex.swift b/swift/ql/test/library-tests/regex/regex.swift
@@ -127,9 +127,9 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	// --- StringProtocol ---
 
 	_ = input.range(of: ".*", options: .regularExpression, range: nil, locale: nil) // $ regex=.* input=input
-	_ = input.range(of: ".*", options: .literal, range: nil, locale: nil) // $ SPURIOUS: unevaluated-regex=.* (not a regular expression)
+	_ = input.range(of: ".*", options: .literal, range: nil, locale: nil) // (not a regular expression)
 	_ = input.replacingOccurrences(of: ".*", with: "", options: .regularExpression) // $ regex=.* input=input
-	_ = input.replacingOccurrences(of: ".*", with: "", options: .literal) // $ SPURIOUS: unevaluated-regex=.* (not a regular expression)
+	_ = input.replacingOccurrences(of: ".*", with: "", options: .literal) // (not a regular expression)
 
 	// --- NSRegularExpression ---
 
@@ -151,9 +151,9 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: regexOptions) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: regexOptions2) // $ regex=.* input=inputNS modes=IGNORECASE
-	_ = inputNS.range(of: ".*", options: .literal) // $ SPURIOUS: unevaluated-regex=.* (not a regular expression)
+	_ = inputNS.range(of: ".*", options: .literal) // (not a regular expression)
 	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .regularExpression, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input=inputNS
-	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // $ SPURIOUS: unevaluated-regex=.* (not a regular expression)
+	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // (not a regular expression)
 
 	// --- flow ---
 
