Swift: Model numeric conversions.

Author: geoffw0

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll

@@ -0,0 +1,51 @@
+/**
+ * Provides models for `Numeric` and related Swift classes (such as `Int` and `Float`).
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `Numeric` and related class members and functions that permit taint flow.
+ */
+private class NumericSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";;false;numericCast(_:);;;Argument[0];ReturnValue;taint",
+        ";;false;unsafeDowncast(_:to:);;;Argument[0];ReturnValue;taint",
+        ";;false;unsafeBitCast(_:to:);;;Argument[0];ReturnValue;taint",
+        ";Numeric;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+        ";Numeric;true;init(bitPattern:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(clamping:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(truncatingIfNeeded:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:format:lenient:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;formatted();;;Argument[-1];ReturnValue;taint",
+        ";BinaryInteger;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(littleEndian:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(bigEndian:);;;Argument[0];ReturnValue;taint",
+        ";FloatingPoint;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FloatingPoint;true;init(sign:exponent:significand:);;;Argument[1..2];ReturnValue;taint",
+        ";FloatingPoint;true;init(signOf:magnitudeOf:);;;Argument[1];ReturnValue;taint",
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `Numeric` is tainted, then some of its fields are
+ * tainted.
+ */
+private class NumericFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  NumericFieldsInheritTaint() {
+    this.getField().hasQualifiedName("FixedWidthInteger", ["littleEndian", "bigEndian"])
+    or
+    this.getField().hasQualifiedName(["Double", "Float", "Float80", "FloatingPoint"], ["exponent", "significand"])
+  }
+}

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll

@@ -14,6 +14,7 @@ private import NsData
 private import NsObject
 private import NsString
 private import NsUrl
+private import Numeric
 private import Sequence
 private import Set
 private import String

swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected

@@ -16,6 +16,9 @@
 | conversions.swift:19:33:19:33 | self | conversions.swift:19:33:19:33 | SSA def(self) |
 | conversions.swift:20:22:20:22 | SSA def(self) | conversions.swift:20:22:20:38 | self[return] |
 | conversions.swift:20:22:20:22 | self | conversions.swift:20:22:20:22 | SSA def(self) |
+| conversions.swift:25:16:25:26 | call to sourceInt() | conversions.swift:25:12:25:27 | call to Self.init(_:) |
+| conversions.swift:26:18:26:28 | call to sourceInt() | conversions.swift:26:12:26:29 | call to Self.init(_:) |
+| conversions.swift:27:18:27:28 | call to sourceInt() | conversions.swift:27:12:27:29 | call to Float.init(_:) |
 | conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) |
 | conversions.swift:29:12:29:30 | call to String.init(_:) | conversions.swift:29:12:29:32 | .utf8 |
 | conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:30 | call to String.init(_:) |
@@ -27,21 +30,43 @@
 | conversions.swift:36:6:36:6 | v2 | conversions.swift:36:6:36:6 | SSA def(v2) |
 | conversions.swift:36:6:36:10 | ... as ... | conversions.swift:36:6:36:6 | v2 |
 | conversions.swift:36:18:36:41 | call to numericCast(_:) | conversions.swift:36:6:36:10 | ... as ... |
+| conversions.swift:36:30:36:40 | call to sourceInt() | conversions.swift:36:18:36:41 | call to numericCast(_:) |
 | conversions.swift:39:6:39:6 | SSA def(v4) | conversions.swift:40:12:40:12 | v4 |
 | conversions.swift:39:6:39:6 | v4 | conversions.swift:39:6:39:6 | SSA def(v4) |
 | conversions.swift:39:6:39:10 | ... as ... | conversions.swift:39:6:39:6 | v4 |
 | conversions.swift:39:17:39:57 | call to unsafeBitCast(_:to:) | conversions.swift:39:6:39:10 | ... as ... |
+| conversions.swift:39:31:39:41 | call to sourceInt() | conversions.swift:39:17:39:57 | call to unsafeBitCast(_:to:) |
 | conversions.swift:42:6:42:6 | SSA def(v5) | conversions.swift:43:12:43:12 | v5 |
 | conversions.swift:42:6:42:6 | v5 | conversions.swift:42:6:42:6 | SSA def(v5) |
 | conversions.swift:42:11:42:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:42:6:42:6 | v5 |
+| conversions.swift:42:36:42:46 | call to sourceInt() | conversions.swift:42:11:42:47 | call to Self.init(truncatingIfNeeded:) |
 | conversions.swift:45:6:45:6 | SSA def(v6) | conversions.swift:46:12:46:12 | v6 |
 | conversions.swift:45:6:45:6 | v6 | conversions.swift:45:6:45:6 | SSA def(v6) |
 | conversions.swift:45:11:45:39 | call to UInt.init(bitPattern:) | conversions.swift:45:6:45:6 | v6 |
+| conversions.swift:45:28:45:38 | call to sourceInt() | conversions.swift:45:11:45:39 | call to UInt.init(bitPattern:) |
 | conversions.swift:48:12:48:36 | call to Self.init(exactly:) | conversions.swift:48:12:48:37 | ...! |
+| conversions.swift:49:26:49:36 | call to sourceInt() | conversions.swift:49:12:49:37 | call to Self.init(clamping:) |
+| conversions.swift:50:36:50:46 | call to sourceInt() | conversions.swift:50:12:50:47 | call to Self.init(truncatingIfNeeded:) |
 | conversions.swift:51:12:51:41 | call to Self.init(_:radix:) | conversions.swift:51:12:51:42 | ...! |
+| conversions.swift:51:16:51:29 | call to sourceString() | conversions.swift:51:12:51:41 | call to Self.init(_:radix:) |
+| conversions.swift:53:30:53:40 | call to sourceInt() | conversions.swift:53:12:53:41 | call to Self.init(littleEndian:) |
+| conversions.swift:54:27:54:37 | call to sourceInt() | conversions.swift:54:12:54:38 | call to Self.init(bigEndian:) |
+| conversions.swift:55:12:55:22 | call to sourceInt() | conversions.swift:55:12:55:24 | .littleEndian |
+| conversions.swift:56:12:56:22 | call to sourceInt() | conversions.swift:56:12:56:24 | .bigEndian |
+| conversions.swift:61:18:61:30 | call to sourceFloat() | conversions.swift:61:12:61:31 | call to Float.init(_:) |
+| conversions.swift:62:18:62:30 | call to sourceFloat() | conversions.swift:62:12:62:31 | call to UInt8.init(_:) |
 | conversions.swift:63:19:63:31 | call to sourceFloat() | conversions.swift:63:12:63:32 | call to String.init(_:) |
 | conversions.swift:64:12:64:32 | call to String.init(_:) | conversions.swift:64:12:64:34 | .utf8 |
 | conversions.swift:64:19:64:31 | call to sourceFloat() | conversions.swift:64:12:64:32 | call to String.init(_:) |
+| conversions.swift:66:18:66:30 | call to sourceFloat() | conversions.swift:66:12:66:31 | call to Float.init(_:) |
+| conversions.swift:67:41:67:51 | call to sourceInt() | conversions.swift:67:12:67:70 | call to Float.init(sign:exponent:significand:) |
+| conversions.swift:67:67:67:67 | 0.0 | conversions.swift:67:12:67:70 | call to Float.init(sign:exponent:significand:) |
+| conversions.swift:68:41:68:41 | 0 | conversions.swift:68:12:68:70 | call to Float.init(sign:exponent:significand:) |
+| conversions.swift:68:57:68:69 | call to sourceFloat() | conversions.swift:68:12:68:70 | call to Float.init(sign:exponent:significand:) |
+| conversions.swift:69:54:69:54 | 0.0 | conversions.swift:69:12:69:57 | call to Float.init(signOf:magnitudeOf:) |
+| conversions.swift:70:44:70:56 | call to sourceFloat() | conversions.swift:70:12:70:57 | call to Float.init(signOf:magnitudeOf:) |
+| conversions.swift:72:12:72:24 | call to sourceFloat() | conversions.swift:72:12:72:26 | .exponent |
+| conversions.swift:73:12:73:24 | call to sourceFloat() | conversions.swift:73:12:73:26 | .significand |
 | conversions.swift:78:19:78:32 | call to sourceString() | conversions.swift:78:12:78:33 | call to String.init(_:) |
 | conversions.swift:80:6:80:6 | SSA def(ms1) | conversions.swift:81:12:81:12 | ms1 |
 | conversions.swift:80:6:80:6 | ms1 | conversions.swift:80:6:80:6 | SSA def(ms1) |
@@ -75,6 +100,7 @@
 | conversions.swift:98:6:98:6 | v3 | conversions.swift:98:6:98:6 | SSA def(v3) |
 | conversions.swift:98:6:98:10 | ... as ... | conversions.swift:98:6:98:6 | v3 |
 | conversions.swift:98:25:98:69 | call to unsafeDowncast(_:to:) | conversions.swift:98:6:98:10 | ... as ... |
+| conversions.swift:98:40:98:40 | parent | conversions.swift:98:25:98:69 | call to unsafeDowncast(_:to:) |
 | conversions.swift:99:12:99:12 | [post] v3 | conversions.swift:100:12:100:12 | v3 |
 | conversions.swift:99:12:99:12 | v3 | conversions.swift:100:12:100:12 | v3 |
 | simple.swift:12:13:12:13 | 1 | simple.swift:12:13:12:24 | ... .+(_:_:) ... |