Swift: More robust OptionalSomePattern flow.

geoffw0 · geoffw0 · commit effe3762b8cf · 2023-08-10T08:49:46.000+01:00
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -182,6 +182,11 @@ private module Cached {
     //   retaining this case increases robustness of flow).
     nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
     or
+    // read of an optional .some member via `let x: T = y: T?` pattern matching
+    // note: similar to `ForceValueExpr` this is ideally a content `readStep` but
+    //   in practice we sometimes have taint on the optional itself.
+    nodeTo.asPattern() = nodeFrom.asPattern().(OptionalSomePattern).getSubPattern()
+    or
     // flow through `?` and `?.`
     nodeFrom.asExpr() = nodeTo.asExpr().(BindOptionalExpr).getSubExpr()
     or
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -23,6 +23,7 @@
 | conversions.swift:29:12:29:30 | call to String.init(_:) | conversions.swift:29:12:29:32 | .utf8 |
 | conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:30 | call to String.init(_:) |
 | conversions.swift:30:20:30:33 | call to sourceString() | conversions.swift:30:20:30:35 | .utf8 |
+| conversions.swift:32:5:32:9 | let ...? | conversions.swift:32:9:32:9 | v |
 | conversions.swift:32:9:32:9 | SSA def(v) | conversions.swift:33:13:33:13 | v |
 | conversions.swift:32:9:32:9 | v | conversions.swift:32:9:32:9 | SSA def(v) |
 | conversions.swift:32:13:32:23 | call to sourceInt() | conversions.swift:32:5:32:9 | let ...? |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
@@ -5,6 +5,7 @@ edges
 | conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) |
 | conversions.swift:29:12:29:30 | call to String.init(_:) | conversions.swift:29:12:29:32 | .utf8 |
 | conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:30 | call to String.init(_:) |
+| conversions.swift:32:13:32:23 | call to sourceInt() | conversions.swift:33:13:33:13 | v |
 | conversions.swift:36:18:36:41 | call to numericCast(_:) | conversions.swift:37:12:37:12 | v2 |
 | conversions.swift:36:30:36:40 | call to sourceInt() | conversions.swift:36:18:36:41 | call to numericCast(_:) |
 | conversions.swift:39:17:39:57 | call to unsafeBitCast(_:to:) | conversions.swift:40:12:40:12 | v4 |
@@ -131,6 +132,8 @@ nodes
 | conversions.swift:29:12:29:30 | call to String.init(_:) | semmle.label | call to String.init(_:) |
 | conversions.swift:29:12:29:32 | .utf8 | semmle.label | .utf8 |
 | conversions.swift:29:19:29:29 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:32:13:32:23 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:33:13:33:13 | v | semmle.label | v |
 | conversions.swift:36:18:36:41 | call to numericCast(_:) | semmle.label | call to numericCast(_:) |
 | conversions.swift:36:30:36:40 | call to sourceInt() | semmle.label | call to sourceInt() |
 | conversions.swift:37:12:37:12 | v2 | semmle.label | v2 |
@@ -322,6 +325,7 @@ subpaths
 | conversions.swift:27:12:27:29 | call to Float.init(_:) | conversions.swift:27:18:27:28 | call to sourceInt() | conversions.swift:27:12:27:29 | call to Float.init(_:) | result |
 | conversions.swift:28:12:28:30 | call to String.init(_:) | conversions.swift:28:19:28:29 | call to sourceInt() | conversions.swift:28:12:28:30 | call to String.init(_:) | result |
 | conversions.swift:29:12:29:32 | .utf8 | conversions.swift:29:19:29:29 | call to sourceInt() | conversions.swift:29:12:29:32 | .utf8 | result |
+| conversions.swift:33:13:33:13 | v | conversions.swift:32:13:32:23 | call to sourceInt() | conversions.swift:33:13:33:13 | v | result |
 | conversions.swift:37:12:37:12 | v2 | conversions.swift:36:30:36:40 | call to sourceInt() | conversions.swift:37:12:37:12 | v2 | result |
 | conversions.swift:40:12:40:12 | v4 | conversions.swift:39:31:39:41 | call to sourceInt() | conversions.swift:40:12:40:12 | v4 | result |
 | conversions.swift:43:12:43:12 | v5 | conversions.swift:42:36:42:46 | call to sourceInt() | conversions.swift:43:12:43:12 | v5 | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift
@@ -30,7 +30,7 @@ func testConversions() {
 	sink(arg: [UInt8](sourceString().utf8)) // $ MISSING: tainted=
 
 	if let v = sourceInt() as? UInt {
-		sink(arg: v) // $ MISSING: tainted=
+		sink(arg: v) // $ tainted=32
 	}
 
 	let v2: UInt8 = numericCast(sourceInt())

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func testConversions() {`
`30`	`30`	`sink(arg: [UInt8](sourceString().utf8)) // $ MISSING: tainted=`
`31`	`31`
`32`	`32`	`if let v = sourceInt() as? UInt {`
`33`		`- sink(arg: v) // $ MISSING: tainted=`
	`33`	`+ sink(arg: v) // $ tainted=32`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`let v2: UInt8 = numericCast(sourceInt())`