Merge pull request github#12416 from geoffw0/contig

geoffw0 · web-flow · commit aedd073dad5c · 2023-07-25T14:05:07.000+01:00
Swift: Model Sequence.withContiguousStorageIfAvailable
diff --git a/swift/ql/lib/change-notes/2023-07-24-with-contiguous-storage.md b/swift/ql/lib/change-notes/2023-07-24-with-contiguous-storage.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added flow models for `Sequence.withContiguousStorageIfAvailable`.
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -25,6 +25,8 @@ private class SequenceSummaries extends SummaryModelCsv {
         ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
         ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
         ";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue;taint",
       ]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
@@ -118,9 +118,7 @@ private class DefaultUnsafeJsEvalAdditionalFlowStep extends UnsafeJsEvalAddition
     )
     or
     exists(CallExpr ce, Expr self, ClosureExpr closure |
-      ce.getStaticTarget()
-          .getName()
-          .matches(["withContiguousStorageIfAvailable(%)", "withUnsafeBufferPointer(%)"]) and
+      ce.getStaticTarget().getName().matches("withUnsafeBufferPointer(%)") and
       self = ce.getQualifier() and
       ce.getArgument(0).getExpr() = closure
     |
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -438,7 +438,7 @@ func taintThroughEncodings() {
   })
   tainted.withContiguousStorageIfAvailable({
     ptr in
-    sink(arg: ptr)
+    sink(arg: ptr) // $ tainted=366
     sink(arg: ptr.baseAddress!) // $ MISSING: tainted=366
   })
 }
@@ -599,3 +599,52 @@ func untaintedFields() {
   sink(arg: String.defaultCStringEncoding)
   sink(arg: tainted.isContiguousUTF8)
 }
+
+func callbackWithCleanPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr)
+
+  return 0
+}
+
+func callbackWithTaintedPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr) // $ tainted=617
+
+  return source()
+}
+
+func furtherTaintThroughCallbacks() {
+  let clean = ""
+  let tainted = source2()
+
+  // return values from the closure (1)
+  let result1 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  })
+  sink(arg: result1!)
+  let result2 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  })
+  sink(arg: result2!) // $ tainted=627
+
+  // return values from the closure (2)
+  if let result3 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  }) {
+    sink(arg: result3)
+  }
+  if let result4 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  }) {
+    sink(arg: result4) // $ MISSING: tainted=640
+  }
+
+  // using a non-closure function
+  let result5 = try? clean.withContiguousStorageIfAvailable(callbackWithCleanPointer)
+  sink(arg: result5!)
+  let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
+  sink(arg: result6!) // $ tainted=612
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +category: minorAnalysis
 +---
++
 +* Added flow models for `Sequence.withContiguousStorageIfAvailable`.
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ private class SequenceSummaries extends SummaryModelCsv {`
`25`	`25`	`";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",`
`26`	`26`	`";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",`
`27`	`27`	`";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",`
	`28`	`+ ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",`
	`29`	`+ ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[0].ReturnValue;ReturnValue;taint",`
`28`	`30`	`]`
`29`	`31`	`}`
`30`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -118,9 +118,7 @@ private class DefaultUnsafeJsEvalAdditionalFlowStep extends UnsafeJsEvalAddition`
`118`	`118`	`)`
`119`	`119`	`or`
`120`	`120`	`exists(CallExpr ce, Expr self, ClosureExpr closure \|`
`121`		`- ce.getStaticTarget()`
`122`		`- .getName()`
`123`		`- .matches(["withContiguousStorageIfAvailable(%)", "withUnsafeBufferPointer(%)"]) and`
	`121`	`+ ce.getStaticTarget().getName().matches("withUnsafeBufferPointer(%)") and`
`124`	`122`	`self = ce.getQualifier() and`
`125`	`123`	`ce.getArgument(0).getExpr() = closure`
`126`	`124`	`\|`