Swift: Test flow through various conversions.

geoffw0 · geoffw0 · commit e86ccf8498e7 · 2023-08-09T23:05:45.000+01:00
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -1,3 +1,82 @@
+| conversions.swift:9:7:9:7 | SSA def(self) | conversions.swift:9:7:9:7 | self[return] |
+| conversions.swift:9:7:9:7 | SSA def(self) | conversions.swift:9:7:9:7 | self[return] |
+| conversions.swift:9:7:9:7 | self | conversions.swift:9:7:9:7 | SSA def(self) |
+| conversions.swift:9:7:9:7 | self | conversions.swift:9:7:9:7 | SSA def(self) |
+| conversions.swift:12:7:12:7 | SSA def(self) | conversions.swift:12:7:12:7 | self[return] |
+| conversions.swift:12:7:12:7 | self | conversions.swift:12:7:12:7 | SSA def(self) |
+| conversions.swift:12:36:12:36 | SSA def(self) | conversions.swift:12:36:12:36 | self[return] |
+| conversions.swift:12:36:12:36 | self | conversions.swift:12:36:12:36 | SSA def(self) |
+| conversions.swift:15:7:15:7 | SSA def(self) | conversions.swift:15:7:15:7 | self[return] |
+| conversions.swift:15:7:15:7 | self | conversions.swift:15:7:15:7 | SSA def(self) |
+| conversions.swift:16:11:16:11 | SSA def(self) | conversions.swift:16:11:16:42 | self[return] |
+| conversions.swift:16:11:16:11 | self | conversions.swift:16:11:16:11 | SSA def(self) |
+| conversions.swift:18:28:18:28 | SSA def(self) | conversions.swift:18:28:18:44 | self[return] |
+| conversions.swift:18:28:18:28 | self | conversions.swift:18:28:18:28 | SSA def(self) |
+| conversions.swift:19:33:19:33 | SSA def(self) | conversions.swift:19:33:19:49 | self[return] |
+| conversions.swift:19:33:19:33 | self | conversions.swift:19:33:19:33 | SSA def(self) |
+| conversions.swift:20:22:20:22 | SSA def(self) | conversions.swift:20:22:20:38 | self[return] |
+| conversions.swift:20:22:20:22 | self | conversions.swift:20:22:20:22 | SSA def(self) |
+| conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) |
+| conversions.swift:29:12:29:30 | call to String.init(_:) | conversions.swift:29:12:29:32 | .utf8 |
+| conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:30 | call to String.init(_:) |
+| conversions.swift:30:20:30:33 | call to sourceString() | conversions.swift:30:20:30:35 | .utf8 |
+| conversions.swift:32:9:32:9 | SSA def(v) | conversions.swift:33:13:33:13 | v |
+| conversions.swift:32:9:32:9 | v | conversions.swift:32:9:32:9 | SSA def(v) |
+| conversions.swift:32:13:32:23 | call to sourceInt() | conversions.swift:32:5:32:9 | let ...? |
+| conversions.swift:36:6:36:6 | SSA def(v2) | conversions.swift:37:12:37:12 | v2 |
+| conversions.swift:36:6:36:6 | v2 | conversions.swift:36:6:36:6 | SSA def(v2) |
+| conversions.swift:36:6:36:10 | ... as ... | conversions.swift:36:6:36:6 | v2 |
+| conversions.swift:36:18:36:41 | call to numericCast(_:) | conversions.swift:36:6:36:10 | ... as ... |
+| conversions.swift:39:6:39:6 | SSA def(v4) | conversions.swift:40:12:40:12 | v4 |
+| conversions.swift:39:6:39:6 | v4 | conversions.swift:39:6:39:6 | SSA def(v4) |
+| conversions.swift:39:6:39:10 | ... as ... | conversions.swift:39:6:39:6 | v4 |
+| conversions.swift:39:17:39:57 | call to unsafeBitCast(_:to:) | conversions.swift:39:6:39:10 | ... as ... |
+| conversions.swift:42:6:42:6 | SSA def(v5) | conversions.swift:43:12:43:12 | v5 |
+| conversions.swift:42:6:42:6 | v5 | conversions.swift:42:6:42:6 | SSA def(v5) |
+| conversions.swift:42:11:42:47 | call to Self.init(truncatingIfNeeded:) | conversions.swift:42:6:42:6 | v5 |
+| conversions.swift:45:6:45:6 | SSA def(v6) | conversions.swift:46:12:46:12 | v6 |
+| conversions.swift:45:6:45:6 | v6 | conversions.swift:45:6:45:6 | SSA def(v6) |
+| conversions.swift:45:11:45:39 | call to UInt.init(bitPattern:) | conversions.swift:45:6:45:6 | v6 |
+| conversions.swift:48:12:48:36 | call to Self.init(exactly:) | conversions.swift:48:12:48:37 | ...! |
+| conversions.swift:51:12:51:41 | call to Self.init(_:radix:) | conversions.swift:51:12:51:42 | ...! |
+| conversions.swift:63:19:63:31 | call to sourceFloat() | conversions.swift:63:12:63:32 | call to String.init(_:) |
+| conversions.swift:64:12:64:32 | call to String.init(_:) | conversions.swift:64:12:64:34 | .utf8 |
+| conversions.swift:64:19:64:31 | call to sourceFloat() | conversions.swift:64:12:64:32 | call to String.init(_:) |
+| conversions.swift:78:19:78:32 | call to sourceString() | conversions.swift:78:12:78:33 | call to String.init(_:) |
+| conversions.swift:80:6:80:6 | SSA def(ms1) | conversions.swift:81:12:81:12 | ms1 |
+| conversions.swift:80:6:80:6 | ms1 | conversions.swift:80:6:80:6 | SSA def(ms1) |
+| conversions.swift:80:12:80:26 | call to MyString.init(_:) | conversions.swift:80:12:80:27 | ...! |
+| conversions.swift:80:12:80:27 | ...! | conversions.swift:80:6:80:6 | ms1 |
+| conversions.swift:81:12:81:12 | [post] ms1 | conversions.swift:82:12:82:12 | ms1 |
+| conversions.swift:81:12:81:12 | ms1 | conversions.swift:82:12:82:12 | ms1 |
+| conversions.swift:82:12:82:12 | [post] ms1 | conversions.swift:83:12:83:12 | ms1 |
+| conversions.swift:82:12:82:12 | ms1 | conversions.swift:83:12:83:12 | ms1 |
+| conversions.swift:83:12:83:12 | [post] ms1 | conversions.swift:84:12:84:12 | ms1 |
+| conversions.swift:83:12:83:12 | ms1 | conversions.swift:84:12:84:12 | ms1 |
+| conversions.swift:86:6:86:6 | SSA def(ms2) | conversions.swift:87:12:87:12 | ms2 |
+| conversions.swift:86:6:86:6 | ms2 | conversions.swift:86:6:86:6 | SSA def(ms2) |
+| conversions.swift:86:12:86:35 | call to MyString.init(_:) | conversions.swift:86:12:86:36 | ...! |
+| conversions.swift:86:12:86:36 | ...! | conversions.swift:86:6:86:6 | ms2 |
+| conversions.swift:87:12:87:12 | [post] ms2 | conversions.swift:88:12:88:12 | ms2 |
+| conversions.swift:87:12:87:12 | ms2 | conversions.swift:88:12:88:12 | ms2 |
+| conversions.swift:88:12:88:12 | [post] ms2 | conversions.swift:89:12:89:12 | ms2 |
+| conversions.swift:88:12:88:12 | ms2 | conversions.swift:89:12:89:12 | ms2 |
+| conversions.swift:89:12:89:12 | [post] ms2 | conversions.swift:90:12:90:12 | ms2 |
+| conversions.swift:89:12:89:12 | ms2 | conversions.swift:90:12:90:12 | ms2 |
+| conversions.swift:94:6:94:6 | SSA def(parent) | conversions.swift:95:12:95:12 | parent |
+| conversions.swift:94:6:94:6 | parent | conversions.swift:94:6:94:6 | SSA def(parent) |
+| conversions.swift:94:6:94:15 | ... as ... | conversions.swift:94:6:94:6 | parent |
+| conversions.swift:94:31:94:44 | call to sourceString() | conversions.swift:94:6:94:15 | ... as ... |
+| conversions.swift:95:12:95:12 | [post] parent | conversions.swift:96:12:96:12 | parent |
+| conversions.swift:95:12:95:12 | parent | conversions.swift:96:12:96:12 | parent |
+| conversions.swift:96:12:96:12 | [post] parent | conversions.swift:98:40:98:40 | parent |
+| conversions.swift:96:12:96:12 | parent | conversions.swift:98:40:98:40 | parent |
+| conversions.swift:98:6:98:6 | SSA def(v3) | conversions.swift:99:12:99:12 | v3 |
+| conversions.swift:98:6:98:6 | v3 | conversions.swift:98:6:98:6 | SSA def(v3) |
+| conversions.swift:98:6:98:10 | ... as ... | conversions.swift:98:6:98:6 | v3 |
+| conversions.swift:98:25:98:69 | call to unsafeDowncast(_:to:) | conversions.swift:98:6:98:10 | ... as ... |
+| conversions.swift:99:12:99:12 | [post] v3 | conversions.swift:100:12:100:12 | v3 |
+| conversions.swift:99:12:99:12 | v3 | conversions.swift:100:12:100:12 | v3 |
 | simple.swift:12:13:12:13 | 1 | simple.swift:12:13:12:24 | ... .+(_:_:) ... |
 | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... |
 | simple.swift:13:13:13:20 | call to source() | simple.swift:13:13:13:24 | ... .+(_:_:) ... |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
@@ -1,4 +1,13 @@
 edges
+| conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) |
+| conversions.swift:29:12:29:30 | call to String.init(_:) | conversions.swift:29:12:29:32 | .utf8 |
+| conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:30 | call to String.init(_:) |
+| conversions.swift:63:19:63:31 | call to sourceFloat() | conversions.swift:63:12:63:32 | call to String.init(_:) |
+| conversions.swift:64:12:64:32 | call to String.init(_:) | conversions.swift:64:12:64:34 | .utf8 |
+| conversions.swift:64:19:64:31 | call to sourceFloat() | conversions.swift:64:12:64:32 | call to String.init(_:) |
+| conversions.swift:78:19:78:32 | call to sourceString() | conversions.swift:78:12:78:33 | call to String.init(_:) |
+| conversions.swift:94:31:94:44 | call to sourceString() | conversions.swift:95:12:95:12 | parent |
+| conversions.swift:94:31:94:44 | call to sourceString() | conversions.swift:96:12:96:12 | parent |
 | file://:0:0:0:0 | self [first] | file://:0:0:0:0 | .first |
 | file://:0:0:0:0 | self [second] | file://:0:0:0:0 | .second |
 | file://:0:0:0:0 | value | file://:0:0:0:0 | [post] self [first] |
@@ -77,6 +86,24 @@ edges
 | try.swift:18:18:18:25 | call to source() | try.swift:18:18:18:25 | call to source() [some:0] |
 | try.swift:18:18:18:25 | call to source() [some:0] | try.swift:18:13:18:25 | try? ... [some:0] |
 nodes
+| conversions.swift:24:12:24:22 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:28:12:28:30 | call to String.init(_:) | semmle.label | call to String.init(_:) |
+| conversions.swift:28:19:28:29 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:29:12:29:30 | call to String.init(_:) | semmle.label | call to String.init(_:) |
+| conversions.swift:29:12:29:32 | .utf8 | semmle.label | .utf8 |
+| conversions.swift:29:19:29:29 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:60:12:60:24 | call to sourceFloat() | semmle.label | call to sourceFloat() |
+| conversions.swift:63:12:63:32 | call to String.init(_:) | semmle.label | call to String.init(_:) |
+| conversions.swift:63:19:63:31 | call to sourceFloat() | semmle.label | call to sourceFloat() |
+| conversions.swift:64:12:64:32 | call to String.init(_:) | semmle.label | call to String.init(_:) |
+| conversions.swift:64:12:64:34 | .utf8 | semmle.label | .utf8 |
+| conversions.swift:64:19:64:31 | call to sourceFloat() | semmle.label | call to sourceFloat() |
+| conversions.swift:77:12:77:25 | call to sourceString() | semmle.label | call to sourceString() |
+| conversions.swift:78:12:78:33 | call to String.init(_:) | semmle.label | call to String.init(_:) |
+| conversions.swift:78:19:78:32 | call to sourceString() | semmle.label | call to sourceString() |
+| conversions.swift:94:31:94:44 | call to sourceString() | semmle.label | call to sourceString() |
+| conversions.swift:95:12:95:12 | parent | semmle.label | parent |
+| conversions.swift:96:12:96:12 | parent | semmle.label | parent |
 | file://:0:0:0:0 | .first | semmle.label | .first |
 | file://:0:0:0:0 | .second | semmle.label | .second |
 | file://:0:0:0:0 | [post] self [first] | semmle.label | [post] self [first] |
@@ -200,6 +227,16 @@ subpaths
 | stringinterpolation.swift:28:14:28:21 | call to source() | stringinterpolation.swift:7:6:7:6 | value | file://:0:0:0:0 | [post] self [second] | stringinterpolation.swift:28:2:28:2 | [post] p2 [second] |
 | stringinterpolation.swift:31:21:31:21 | p2 [second] | stringinterpolation.swift:7:6:7:6 | self [second] | file://:0:0:0:0 | .second | stringinterpolation.swift:31:21:31:24 | .second |
 #select
+| conversions.swift:24:12:24:22 | call to sourceInt() | conversions.swift:24:12:24:22 | call to sourceInt() | conversions.swift:24:12:24:22 | call to sourceInt() | result |
+| conversions.swift:28:12:28:30 | call to String.init(_:) | conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) | result |
+| conversions.swift:29:12:29:32 | .utf8 | conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:32 | .utf8 | result |
+| conversions.swift:60:12:60:24 | call to sourceFloat() | conversions.swift:60:12:60:24 | call to sourceFloat() | conversions.swift:60:12:60:24 | call to sourceFloat() | result |
+| conversions.swift:63:12:63:32 | call to String.init(_:) | conversions.swift:63:19:63:31 | call to sourceFloat() | conversions.swift:63:12:63:32 | call to String.init(_:) | result |
+| conversions.swift:64:12:64:34 | .utf8 | conversions.swift:64:19:64:31 | call to sourceFloat() | conversions.swift:64:12:64:34 | .utf8 | result |
+| conversions.swift:77:12:77:25 | call to sourceString() | conversions.swift:77:12:77:25 | call to sourceString() | conversions.swift:77:12:77:25 | call to sourceString() | result |
+| conversions.swift:78:12:78:33 | call to String.init(_:) | conversions.swift:78:19:78:32 | call to sourceString() | conversions.swift:78:12:78:33 | call to String.init(_:) | result |
+| conversions.swift:95:12:95:12 | parent | conversions.swift:94:31:94:44 | call to sourceString() | conversions.swift:95:12:95:12 | parent | result |
+| conversions.swift:96:12:96:12 | parent | conversions.swift:94:31:94:44 | call to sourceString() | conversions.swift:96:12:96:12 | parent | result |
 | simple.swift:12:13:12:24 | ... .+(_:_:) ... | simple.swift:12:17:12:24 | call to source() | simple.swift:12:13:12:24 | ... .+(_:_:) ... | result |
 | simple.swift:13:13:13:24 | ... .+(_:_:) ... | simple.swift:13:13:13:20 | call to source() | simple.swift:13:13:13:24 | ... .+(_:_:) ... | result |
 | simple.swift:14:13:14:24 | ... .-(_:_:) ... | simple.swift:14:17:14:24 | call to source() | simple.swift:14:13:14:24 | ... .-(_:_:) ... | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift
@@ -0,0 +1,101 @@
+
+func sourceInt() -> Int { 0 }
+func sourceFloat() -> Float { 0.0 }
+func sourceString() -> String { "" }
+func sink(arg: Any) { }
+
+// ---
+
+class MyParentClass {
+}
+
+class MyChildClass : MyParentClass {
+}
+
+class MyString : LosslessStringConvertible, CustomStringConvertible, CustomDebugStringConvertible {
+	required init?(_ description: String) { }
+
+	var description: String { get { return "" } }
+	var debugDescription: String { get { return "" } }
+	var clean: String { get { return "" } }
+}
+
+func testConversions() {
+	sink(arg: sourceInt()) // $ tainted=24
+	sink(arg: Int(sourceInt())) // $ MISSING: tainted=
+	sink(arg: UInt8(sourceInt())) // $ MISSING: tainted=
+	sink(arg: Float(sourceInt())) // $ MISSING: tainted=
+	sink(arg: String(sourceInt())) // $ tainted=28
+	sink(arg: String(sourceInt()).utf8) // $ tainted=29
+	sink(arg: [UInt8](sourceString().utf8)) // $ MISSING: tainted=
+
+	if let v = sourceInt() as? UInt {
+		sink(arg: v) // $ MISSING: tainted=
+	}
+
+	let v2: UInt8 = numericCast(sourceInt())
+	sink(arg: v2) // $ MISSING: tainted=
+
+	let v4: UInt = unsafeBitCast(sourceInt(), to: UInt.self)
+	sink(arg: v4) // $ MISSING: tainted=
+
+	let v5 = UInt(truncatingIfNeeded: sourceInt())
+	sink(arg: v5) // $ MISSING: tainted=
+
+	let v6 = UInt(bitPattern: sourceInt())
+	sink(arg: v6) // $ MISSING: tainted=
+
+	sink(arg: Int(exactly: sourceInt())!) // $ MISSING: tainted=
+	sink(arg: Int(clamping: sourceInt())) // $ MISSING: tainted=
+	sink(arg: Int(truncatingIfNeeded: sourceInt())) // $ MISSING: tainted=
+	sink(arg: Int(sourceString(), radix: 10)!) // $ MISSING: tainted=
+
+	sink(arg: Int(littleEndian: sourceInt())) // $ MISSING: tainted=
+	sink(arg: Int(bigEndian: sourceInt())) // $ MISSING: tainted=
+	sink(arg: sourceInt().littleEndian) // $ MISSING: tainted=
+	sink(arg: sourceInt().bigEndian) // $ MISSING: tainted=
+
+	// ---
+
+	sink(arg: sourceFloat()) // $ tainted=60
+	sink(arg: Float(sourceFloat())) // $ MISSING: tainted=
+	sink(arg: UInt8(sourceFloat())) // $ MISSING: tainted=
+	sink(arg: String(sourceFloat())) // $ tainted=63
+	sink(arg: String(sourceFloat()).utf8) // $ tainted=64
+
+	sink(arg: Float(sourceFloat())) // MISSING: tainted=
+	sink(arg: Float(sign: .plus, exponent: sourceInt(), significand: 0.0)) // MISSING: tainted=
+	sink(arg: Float(sign: .plus, exponent: 0, significand: sourceFloat())) // MISSING: tainted=
+	sink(arg: Float(signOf: sourceFloat(), magnitudeOf: 0.0)) // (good)
+	sink(arg: Float(signOf: 0.0, magnitudeOf: sourceFloat())) // MISSING: tainted=
+
+	sink(arg: sourceFloat().exponent) // $ MISSING: tainted=
+	sink(arg: sourceFloat().significand) // $ MISSING: tainted=
+
+	// ---
+
+	sink(arg: sourceString()) // $ tainted=77
+	sink(arg: String(sourceString())) // $ tainted=78
+
+	let ms1 = MyString("abc")!
+	sink(arg: ms1)
+	sink(arg: ms1.description)
+	sink(arg: ms1.debugDescription)
+	sink(arg: ms1.clean)
+
+	let ms2 = MyString(sourceString())!
+	sink(arg: ms2) // $ MISSING: tainted=
+	sink(arg: ms2.description) // $ MISSING: tainted=
+	sink(arg: ms2.debugDescription) // $ MISSING: tainted=
+	sink(arg: ms2.clean)
+
+	// ---
+
+	let parent : MyParentClass = sourceString() as! MyChildClass
+	sink(arg: parent) // $ tainted=94
+	sink(arg: parent as! MyChildClass) // $ tainted=94
+
+	let v3: MyChildClass = unsafeDowncast(parent, to: MyChildClass.self)
+	sink(arg: v3) // $ MISSING: tainted=
+	sink(arg: v3 as! MyParentClass) // $ MISSING: tainted=
+}
