Swift: Update to a proper data flow config so we can add implicit reads from arrays at the sink.

Author: geoffw0

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -280,6 +280,12 @@ abstract class RegexEval extends CallExpr {
    */
   abstract DataFlow::Node getStringInput();
 
+  /**
+   * Gets a dataflow node for the options input that might contain parse mode
+   * flags (if any).
+   */
+  DataFlow::Node getAnOptionsInput() { none() }
+
   /**
    * Gets a regular expression value that is evaluated here (if any can be identified).
    */
@@ -367,14 +373,14 @@ private class AlwaysRegexEval extends RegexEval {
 
 /**
  * A call to a function that sometimes evaluates a regular expression, if
- * `options: .regularExpression` is set as an argument.
+ * `NSString.CompareOptions.regularExpression` is set as an `options` argument.
  */
-private class SometimesRegexEval extends RegexEval {
+private class NSStringCompareOptionsMaybeRegexEval extends RegexEval {
   DataFlow::Node regexInput;
   DataFlow::Node stringInput;
   DataFlow::Node optionsInput;
 
-  SometimesRegexEval() {
+  NSStringCompareOptionsMaybeRegexEval() {
     (
       this.getStaticTarget()
           .(Method)
@@ -391,18 +397,23 @@ private class SometimesRegexEval extends RegexEval {
     ) and
     regexInput.asExpr() = this.getArgument(0).getExpr() and
     stringInput.asExpr() = this.getQualifier() and
-    optionsInput.asExpr() = this.getArgumentWithLabel("options").getExpr() and
-    // flow from `.regularExpression` to `options` argument
+    optionsInput.asExpr() = this.getArgumentWithLabel("options").getExpr()
+  }
+
+  override DataFlow::Node getRegexInput() {
+    // check there is flow from a `NSString.CompareOptions.regularExpression` value to an `options` argument;
+    // if it isn't, the input won't be interpretted as a regular expression and we should discard it.
     exists(MemberRefExpr sourceValue |
       sourceValue
           .getMember()
           .(FieldDecl)
           .hasQualifiedName("NSString.CompareOptions", "regularExpression") and
-      DataFlow::localFlow(DataFlow::exprNode(sourceValue), optionsInput)
-    )
+      RegexEnableFlagFlow::flow(DataFlow::exprNode(sourceValue), optionsInput)
+    ) and
+    result = regexInput
   }
 
-  override DataFlow::Node getRegexInput() { result = regexInput }
-
   override DataFlow::Node getStringInput() { result = stringInput }
+
+  override DataFlow::Node getAnOptionsInput() { result = optionsInput }
 }

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -102,3 +102,31 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
 }
 
 module RegexParseModeFlow = DataFlow::GlobalWithState<RegexParseModeConfig>;
+
+/**
+ * A data flow configuration for tracking `NSString.CompareOptions.regularExpression`
+ * values from where they are created to the point of use.
+ */
+private module RegexEnableFlagConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // creation of a `NSString.CompareOptions.regularExpression` value
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "regularExpression")
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // use in a regex eval `options` argument
+    any(RegexEval eval).getAnOptionsInput() = node
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from collection content at the sink.
+    isSink(node) and
+    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
+  }
+}
+
+module RegexEnableFlagFlow = DataFlow::Global<RegexEnableFlagConfig>;

swift/ql/test/library-tests/regex/parse.expected

@@ -6349,11 +6349,21 @@ regex.swift:
 #  150| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
+#  151| [RegExpDot] .
+
+#  151| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
 #  152| [RegExpDot] .
 
 #  152| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
+#  153| [RegExpDot] .
+
+#  153| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
 #  155| [RegExpDot] .
 
 #  155| [RegExpStar] .*
@@ -6613,3 +6623,23 @@ regex.swift:
 
 #  246| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
+
+#  251| [RegExpDot] .
+
+#  251| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  252| [RegExpDot] .
+
+#  252| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  253| [RegExpDot] .
+
+#  253| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  254| [RegExpDot] .
+
+#  254| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .

swift/ql/test/library-tests/regex/regex.swift

@@ -148,9 +148,9 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	let regexOptions = NSString.CompareOptions.regularExpression
 	let regexOptions2 : NSString.CompareOptions = [.regularExpression, .caseInsensitive]
 	_ = inputNS.range(of: ".*", options: .regularExpression) // $ regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ MISSING: regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: regexOptions) // $ regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: regexOptions2) // $ MISSING: regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: regexOptions2) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: .literal) // (not a regular expression)
 	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .regularExpression, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input=inputNS
 	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // (not a regular expression)
@@ -248,8 +248,8 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	// parse modes set through other methods
 
 	let myOptions2 : NSString.CompareOptions = [.regularExpression, .caseInsensitive]
-    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ MISSING: regex=.* input=input modes=IGNORECASE
-    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ MISSING: regex=.* input=input modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ MISSING: regex=.* input="call to NSString.init(string:)" modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ MISSING: regex=.* input="call to NSString.init(string:)" modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ regex=.* input=input MISSING: modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ regex=.* input=input MISSING: modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
 }