Swift: Naive model for regular expression evaluations through NSString and StringProtocol methods.

geoffw0 · geoffw0 · commit b5ff104a00cb · 2023-10-04T19:19:29.000+01:00
diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll
@@ -359,3 +359,38 @@ private class AlwaysRegexEval extends RegexEval {
 
   override Expr getStringInput() { result = stringInput }
 }
+
+/**
+ * A call to a function that sometimes evaluates a regular expression, if
+ * `options: .regularExpression` is set as an argument.
+ */
+private class SometimesRegexEval extends RegexEval {
+  Expr regexInput;
+  Expr stringInput;
+  Expr optionsInput;
+
+  SometimesRegexEval() {
+    (
+      this.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("StringProtocol",
+            ["range(of:options:range:locale:)", "replacingOccurrences(of:with:options:range:)"])
+      or
+      this.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("NSString",
+            [
+              "range(of:options:)", "range(of:options:range:)", "range(of:options:range:locale:)",
+              "replacingOccurrences(of:with:options:range:)"
+            ])
+    ) and
+    regexInput = this.getArgument(0).getExpr() and
+    stringInput = this.getQualifier() and
+    optionsInput = this.getArgumentWithLabel("options").getExpr()
+    // TODO: check options may have value `.regularExpression`
+  }
+
+  override Expr getRegexInput() { result = regexInput }
+
+  override Expr getStringInput() { result = stringInput }
+}
diff --git a/swift/ql/test/library-tests/regex/parse.expected b/swift/ql/test/library-tests/regex/parse.expected
@@ -6329,11 +6329,66 @@ regex.swift:
 #  112| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
+#  129| [RegExpDot] .
+
+#  129| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  130| [RegExpDot] .
+
+#  130| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  131| [RegExpDot] .
+
+#  131| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  132| [RegExpDot] .
+
+#  132| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
 #  136| [RegExpDot] .
 
 #  136| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
 
+#  150| [RegExpDot] .
+
+#  150| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  151| [RegExpDot] .
+
+#  151| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  152| [RegExpDot] .
+
+#  152| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  153| [RegExpDot] .
+
+#  153| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  154| [RegExpDot] .
+
+#  154| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  155| [RegExpDot] .
+
+#  155| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  156| [RegExpDot] .
+
+#  156| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
 #  160| [RegExpDot] .
 
 #  160| [RegExpStar] .*
@@ -6588,3 +6643,23 @@ regex.swift:
 
 #  246| [RegExpStar] .*
 #-----| 0 -> [RegExpDot] .
+
+#  251| [RegExpDot] .
+
+#  251| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  252| [RegExpDot] .
+
+#  252| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  253| [RegExpDot] .
+
+#  253| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
+
+#  254| [RegExpDot] .
+
+#  254| [RegExpStar] .*
+#-----| 0 -> [RegExpDot] .
diff --git a/swift/ql/test/library-tests/regex/regex.swift b/swift/ql/test/library-tests/regex/regex.swift
@@ -126,10 +126,10 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 
 	// --- StringProtocol ---
 
-	_ = input.range(of: ".*", options: .regularExpression, range: nil, locale: nil) // $ MISSING: regex=.* input=input
-	_ = input.range(of: ".*", options: .literal, range: nil, locale: nil) // (not a regular expression)
-	_ = input.replacingOccurrences(of: ".*", with: "", options: .regularExpression) // $ MISSING: regex=.* input=input
-	_ = input.replacingOccurrences(of: ".*", with: "", options: .literal) // (not a regular expression)
+	_ = input.range(of: ".*", options: .regularExpression, range: nil, locale: nil) // $ regex=.* input=input
+	_ = input.range(of: ".*", options: .literal, range: nil, locale: nil) // $ SPURIOUS: regex=.* input=input
+	_ = input.replacingOccurrences(of: ".*", with: "", options: .regularExpression) // $ regex=.* input=input
+	_ = input.replacingOccurrences(of: ".*", with: "", options: .literal) // $ SPURIOUS: regex=.* input=input
 
 	// --- NSRegularExpression ---
 
@@ -147,13 +147,13 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	let inputNS = NSString(string: "abcdef")
 	let regexOptions = NSString.CompareOptions.regularExpression
 	let regexOptions2 : NSString.CompareOptions = [.regularExpression, .caseInsensitive]
-	_ = inputNS.range(of: ".*", options: .regularExpression) // $ MISSING: regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ MISSING: regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: regexOptions) // $ MISSING: regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: regexOptions2) // $ MISSING: regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: .literal) // (not a regular expression)
-	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .regularExpression, range: NSMakeRange(0, inputNS.length)) // $ MISSING: regex=.* input=inputNS
-	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // (not a regular expression)
+	_ = inputNS.range(of: ".*", options: .regularExpression) // $ regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: regexOptions) // $ regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: regexOptions2) // $ regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: .literal) // $ SPURIOUS: regex=.* input=inputNS
+	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .regularExpression, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input=inputNS
+	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // $ SPURIOUS: regex=.* input=inputNS
 
 	// --- flow ---
 
@@ -248,8 +248,8 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	// parse modes set through other methods
 
 	let myOptions2 : NSString.CompareOptions = [.regularExpression, .caseInsensitive]
-    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ MISSING: regex=.* input=input modes=IGNORECASE
-    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ MISSING: regex=.* input=input modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ MISSING: regex=.* input=inputNS modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ MISSING: regex=.* input=inputNS modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ regex=.* input=input MISSING: modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ regex=.* input=input MISSING: modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected
@@ -7,7 +7,9 @@ edges
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString |
+| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString |
+| tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr |
 | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString |
@@ -30,7 +32,9 @@ nodes
 | tests.swift:113:24:113:24 | taintedString | semmle.label | taintedString |
 | tests.swift:114:45:114:45 | taintedString | semmle.label | taintedString |
 | tests.swift:120:19:120:19 | taintedString | semmle.label | taintedString |
+| tests.swift:126:40:126:40 | taintedString | semmle.label | taintedString |
 | tests.swift:131:39:131:39 | taintedString | semmle.label | taintedString |
+| tests.swift:137:40:137:40 | taintedString | semmle.label | taintedString |
 | tests.swift:144:16:144:16 | remoteInput | semmle.label | remoteInput |
 | tests.swift:147:39:147:39 | regexStr | semmle.label | regexStr |
 | tests.swift:162:17:162:17 | taintedString | semmle.label | taintedString |
@@ -53,7 +57,9 @@ subpaths
 | tests.swift:113:24:113:24 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:113:24:113:24 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:114:45:114:45 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:114:45:114:45 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:120:19:120:19 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:120:19:120:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
+| tests.swift:126:40:126:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:126:40:126:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:131:39:131:39 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:131:39:131:39 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
+| tests.swift:137:40:137:40 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:137:40:137:40 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:144:16:144:16 | remoteInput | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:144:16:144:16 | remoteInput | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:147:39:147:39 | regexStr | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:147:39:147:39 | regexStr | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
 | tests.swift:162:17:162:17 | taintedString | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | tests.swift:162:17:162:17 | taintedString | This regular expression is constructed from a $@. | tests.swift:95:22:95:46 | call to String.init(contentsOf:) | user-provided value |
diff --git a/swift/ql/test/query-tests/Security/CWE-730/tests.swift b/swift/ql/test/query-tests/Security/CWE-730/tests.swift
@@ -123,7 +123,7 @@ func regexInjectionTests(cond: Bool, varString: String, myUrl: URL) throws {
 	// --- StringProtocol ---
 
 	_ = inputVar.replacingOccurrences(of: constString, with: "", options: .regularExpression)
-	_ = inputVar.replacingOccurrences(of: taintedString, with: "", options: .regularExpression) // BAD [NOT DETECTED]
+	_ = inputVar.replacingOccurrences(of: taintedString, with: "", options: .regularExpression) // BAD
 
 	// --- NSRegularExpression ---
 
@@ -134,7 +134,7 @@ func regexInjectionTests(cond: Bool, varString: String, myUrl: URL) throws {
 
 	let nsString = NSString(string: varString)
 	_ = nsString.replacingOccurrences(of: constString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length))
-	_ = nsString.replacingOccurrences(of: taintedString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) // BAD [NOT DETECTED]
+	_ = nsString.replacingOccurrences(of: taintedString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) // BAD
 
 	// --- from the qhelp ---
 
