Swift: Support mode flags through NSString.CompareOptions.

geoffw0 · geoffw0 · commit fa10dbea9f25 · 2023-10-05T10:45:59.000+01:00
diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll
@@ -126,7 +126,8 @@ private newtype TRegexParseMode =
   MkDotAll() or // dot matches all characters, including line terminators
   MkMultiLine() or // `^` and `$` also match beginning and end of lines
   MkUnicodeBoundary() or // Unicode UAX 29 word boundary mode
-  MkUnicode() // Unicode matching
+  MkUnicode() or // Unicode matching
+  MkAnchoredStart() // match must begin at start of string
 
 /**
  * A regular expression parse mode flag.
@@ -147,6 +148,8 @@ class RegexParseMode extends TRegexParseMode {
     this = MkUnicodeBoundary() and result = "UNICODEBOUNDARY"
     or
     this = MkUnicode() and result = "UNICODE"
+    or
+    this = MkAnchoredStart() and result = "ANCHOREDSTART"
   }
 
   /**
@@ -262,6 +265,34 @@ class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep
   }
 }
 
+/**
+ * An additional flow step for `NSString.CompareOptions`.
+ */
+class NSStringRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+
+  override predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet) {
+    // `NSString.CompareOptions` values (these are typically combined with
+    // `NSString.CompareOptions.regularExpression`, then passed into a `StringProtocol`
+    // or `NSString` method).
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "caseInsensitive") and
+    mode = MkIgnoreCase() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "anchored") and
+    mode = MkAnchoredStart() and
+    isSet = true
+  }
+}
+
 /**
  * A call that evaluates a regular expression. For example, the call to `firstMatch` in:
  * ```
@@ -309,7 +340,10 @@ abstract class RegexEval extends CallExpr {
       // parse mode flag is set
       any(RegexAdditionalFlowStep s).setsParseMode(setNode, result, true) and
       // reaches this eval
-      RegexParseModeFlow::flow(setNode, this.getRegexInput())
+      (
+        RegexParseModeFlow::flow(setNode, this.getRegexInput()) or
+        RegexParseModeFlow::flow(setNode, this.getAnOptionsInput())
+      )
     )
   }
 }
diff --git a/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll b/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll
@@ -66,7 +66,10 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
 
   predicate isSink(DataFlow::Node node, FlowState flowstate) {
     // evaluation of a regex
-    node = any(RegexEval eval).getRegexInput() and
+    (
+      node = any(RegexEval eval).getRegexInput() or
+      node = any(RegexEval eval).getAnOptionsInput()
+    ) and
     exists(flowstate)
   }
 
diff --git a/swift/ql/test/library-tests/regex/regex.swift b/swift/ql/test/library-tests/regex/regex.swift
@@ -150,7 +150,7 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	_ = inputNS.range(of: ".*", options: .regularExpression) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: [.regularExpression]) // $ regex=.* input=inputNS
 	_ = inputNS.range(of: ".*", options: regexOptions) // $ regex=.* input=inputNS
-	_ = inputNS.range(of: ".*", options: regexOptions2) // $ regex=.* input=inputNS
+	_ = inputNS.range(of: ".*", options: regexOptions2) // $ regex=.* input=inputNS modes=IGNORECASE
 	_ = inputNS.range(of: ".*", options: .literal) // (not a regular expression)
 	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .regularExpression, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input=inputNS
 	_ = inputNS.replacingOccurrences(of: ".*", with: "", options: .literal, range: NSMakeRange(0, inputNS.length)) // (not a regular expression)
@@ -248,8 +248,8 @@ func myRegexpMethodsTests(b: Bool, str_unknown: String) throws {
 	// parse modes set through other methods
 
 	let myOptions2 : NSString.CompareOptions = [.regularExpression, .caseInsensitive]
-    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ regex=.* input=input MISSING: modes=IGNORECASE
-    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ regex=.* input=input MISSING: modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
-    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" MISSING: modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive]) // $ regex=.* input=input modes=IGNORECASE
+    _ = input.replacingOccurrences(of: ".*", with: "", options: myOptions2) // $ regex=.* input=input modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: [.regularExpression, .caseInsensitive], range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" modes=IGNORECASE
+    _ = NSString(string: "abc").replacingOccurrences(of: ".*", with: "", options: myOptions2, range: NSMakeRange(0, inputNS.length)) // $ regex=.* input="call to NSString.init(string:)" modes=IGNORECASE
 }
