From 6f0f73974ac4cd8b2487a72530c07f2817b4a8fe Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 1 Nov 2024 14:43:53 +0000
Subject: [PATCH 1/5] Swift: Update dropFirst / dropLast / reversed models for Swift 6.

---
 .../codeql/swift/frameworks/StandardLibrary/Collection.qll | 6 ++++++
 .../dataflow/taint/libraries/TaintInline.expected | 2 --
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
index a8cf7b1dcd1c..26512f61736e 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -21,7 +21,9 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";Collection;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;suffix(from:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint",
+ ";Collection;true;dropFirst(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
+ ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
 ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
@@ -38,9 +40,13 @@ private class CollectionSummaries extends SummaryModelCsv { ";RangeReplaceableCollection;true;insert(_:at:);;;Argument[0];Argument[-1];taint", ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1];Argument[-1];taint", ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;value", + ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint", + ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint", ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint", ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint", + ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint", + ";BidirectionalCollection;true;reversed();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint", ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value", ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value", diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index b321acf94e33..d7ab587c67a0 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected 
@@ -1,8 +1,6 @@
 testFailures
 | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 |
 | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 |
-| string.swift:237:35:238:1 | // $ tainted=217\n | Missing result: tainted=217 |
-| string.swift:244:33:245:1 | // $ tainted=217\n | Missing result: tainted=217 |
 | string.swift:270:40:271:1 | // $ tainted=217\n | Missing result: tainted=217 |
 | string.swift:271:40:272:1 | // $ tainted=217\n | Missing result: tainted=217 |
 | string.swift:272:42:273:1 | // $ tainted=217\n | Missing result: tainted=217 |
From be1264983806f98609e37ca8c6dfab21dc385619 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:29:25 +0000
Subject: [PATCH 2/5] Swift: Update joined models for Swift 6.

---
 .../lib/codeql/swift/frameworks/StandardLibrary/Collection.qll | 2 ++
 .../lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll | 1 +
 .../dataflow/taint/libraries/TaintInline.expected | 3 ---
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
index 26512f61736e..6a5b1bdb777e 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -43,6 +43,8 @@ private class CollectionSummaries extends SummaryModelCsv { ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint", ";BidirectionalCollection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint", + ";BidirectionalCollection;true;joined(separator:);;;Argument[-1].CollectionElement;ReturnValue;taint", + ";BidirectionalCollection;true;joined(separator:);;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value", ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint", ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint", ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint", diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll index 1c7774bc2640..efe8d785222c 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll @@ -45,6 +45,7 @@ private class SequenceSummaries extends SummaryModelCsv { ";Sequence;true;joined();;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value", ";Sequence;true;joined(separator:);;;Argument[0..-1];ReturnValue;taint", ";Sequence;true;joined(separator:);;;Argument[-1].CollectionElement;ReturnValue;taint", + ";Sequence;true;joined(separator:);;;Argument[-1].CollectionElement.CollectionElement;ReturnValue.CollectionElement;value", ";Sequence;true;first(where:);;;Argument[-1].CollectionElement;ReturnValue;value", ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint", ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value", 
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected index d7ab587c67a0..0953cc40f2b8 100644 --- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected +++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected @@ -1,9 +1,6 @@ testFailures | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 | | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 | -| string.swift:270:40:271:1 | // $ tainted=217\n | Missing result: tainted=217 | -| string.swift:271:40:272:1 | // $ tainted=217\n | Missing result: tainted=217 | -| string.swift:272:42:273:1 | // $ tainted=217\n | Missing result: tainted=217 | | string.swift:586:19:587:1 | // $ tainted=565\n | Missing result: tainted=565 | | string.swift:587:27:588:1 | // $ tainted=565\n | Missing result: tainted=565 | | string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 | From 954fbc44bff03f5a8c8d9148189042724b82da0a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 1 Nov 2024 16:03:24 +0000 Subject: [PATCH 3/5] Swift: Update prefix / suffix models for Swift 6. --- .../codeql/swift/frameworks/StandardLibrary/Collection.qll | 4 ++++ .../dataflow/taint/libraries/TaintInline.expected | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll index 6a5b1bdb777e..fe229de028e0 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll 
@@ -49,6 +49,10 @@ private class CollectionSummaries extends SummaryModelCsv {
 ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;reversed();;;Argument[-1];ReturnValue;taint",
 ";BidirectionalCollection;true;reversed();;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+ ";BidirectionalCollection;true;suffix(from:);;;Argument[-1];ReturnValue;taint",
+ ";BidirectionalCollection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;value",
 ";MutableCollection;true;withContiguousMutableStorageIfAvailable(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
index 0953cc40f2b8..bbe166c67ca4 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/TaintInline.expected
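Review bot: The last added row is a second copy of the `suffix(_:)` element-value row rather than the matching row for `suffix(from:)`, so `suffix(from:)` on BidirectionalCollection only gets whole-value taint and loses the per-element `value` flow that every other method in this hunk is given. The intended line is presumably `";BidirectionalCollection;true;suffix(from:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",`. The duplicate itself should be harmless, since these rows feed a set-valued predicate, but it is worth fixing in the same change so the taint and value rows stay paired per method.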
@@ -1,8 +1,6 @@
 testFailures
 | optionset.swift:60:49:61:1 | // $ tainted=60\n | Missing result: tainted=60 |
 | optionset.swift:65:58:66:1 | // $ tainted=65\n | Missing result: tainted=65 |
-| string.swift:586:19:587:1 | // $ tainted=565\n | Missing result: tainted=565 |
-| string.swift:587:27:588:1 | // $ tainted=565\n | Missing result: tainted=565 |
 | string.swift:599:35:600:1 | // $ tainted=599\n | Missing result: tainted=599 |
 | string.swift:605:30:606:1 | // $ tainted=605\n | Missing result: tainted=605 |
 failures
From f3ea75d27c79da66df470f47a9ca7ba97d684ad6 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 1 Nov 2024 15:22:10 +0000
Subject: [PATCH 4/5] Swift: Further modelling updates / gap filling that doesn't seem to affect tests.

---
 .../frameworks/StandardLibrary/Collection.qll | 15 +++++++++++++++
 .../swift/frameworks/StandardLibrary/String.qll | 8 +++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
index fe229de028e0..2d1c83d0c811 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -15,20 +15,35 @@ private class CollectionSummaries extends SummaryModelCsv { row = [ ";Collection;true;prefix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(through:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(through:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(upTo:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(upTo:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;prefix(while:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;prefix(while:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;suffix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;suffix(from:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;suffix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint", ";Collection;true;dropFirst(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint", ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;flatMap(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;flatMap(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint", 
";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint", ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint", ";Collection;true;popFirst();;;Argument[-1];ReturnValue;taint", ";Collection;true;randomElement();;;Argument[-1].CollectionElement;ReturnValue.OptionalSome;value", + ";Collection;true;randomElement(using:);;;Argument[-1].CollectionElement;ReturnValue.OptionalSome;value", + ";Collection;true;trimmingPrefix(_:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;trimmingPrefix(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", + ";Collection;true;trimmingPrefix(while:);;;Argument[-1];ReturnValue;taint", + ";Collection;true;trimmingPrefix(while:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", ";RangeReplaceableCollection;true;init(_:);;;Argument[0];ReturnValue.CollectionElement;taint", ";RangeReplaceableCollection;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value", ";RangeReplaceableCollection;true;init(repeating:count:);;;Argument[0];ReturnValue.CollectionElement;value", diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll index eae5f78bb7f5..e04feacf0253 100644 --- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll +++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll 
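Review bot: The element-value row added directly after `suffix(from:)` is another copy of the `suffix(_:)` row (this hunk now carries that row twice), which leaves `suffix(from:)` with no `CollectionElement` to `CollectionElement` flow at all; it should read `";Collection;true;suffix(from:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",`. Separately, the new `map(_:)` and `flatMap(_:)` value rows assert that each output element is an input element, which is not what these methods do: the output elements are whatever the transforming closure returns, so the model ignores any sanitisation or change of type done inside the closure and will report value flow that does not exist. The established shape for closure-based transforms is to route through the closure, roughly `Argument[-1].CollectionElement;Argument[0].Parameter[0];value` together with `Argument[0].ReturnValue;ReturnValue.CollectionElement;value` (with `Argument[0].ReturnValue.CollectionElement` as the source for `flatMap`); I believe Sequence.qll already models `map` along those lines, in which case the Collection rows here may be redundant as well as imprecise and should be checked against it before they are kept. The `trimmingPrefix` and `randomElement(using:)` rows look consistent with their neighbours.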
@@ -167,12 +167,18 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,
 "precomposedStringWithCompatibilityMapping", "removingPercentEncoding"
 ]
 or
- namedTypeDecl.getFullName() = "CustomStringConvertible" and
+ namedTypeDecl.getFullName() = ["CustomStringConvertible"] and
 fieldDecl.getName() = "description"
 or
 namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and
 fieldDecl.getName() = "debugDescription"
 or
+ namedTypeDecl.getFullName() = "CustomTestStringConvertible" and
+ fieldDecl.getName() = "testDescription"
+ or
+ namedTypeDecl.getFullName() = "CustomURLRepresentationParameterConvertible" and
+ fieldDecl.getName() = "urlRepresentationParameter"
+ or
 namedTypeDecl.getFullName() = "Substring" and
 fieldDecl.getName() = "base"
 ) and
From 24c4e87f44203b3a0f1338dee746256b1006e066 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 1 Nov 2024 16:30:15 +0000
Subject: [PATCH 5/5] Swift: Fix stray [].

---
 swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
index e04feacf0253..b773177f1523 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -167,7 +167,7 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,
 "precomposedStringWithCompatibilityMapping", "removingPercentEncoding"
 ]
 or
- namedTypeDecl.getFullName() = ["CustomStringConvertible"] and
+ namedTypeDecl.getFullName() = "CustomStringConvertible" and
 fieldDecl.getName() = "description"
 or
 namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and
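Review bot: The two protocols added here, `CustomTestStringConvertible` and `CustomURLRepresentationParameterConvertible`, do not look like Swift standard library types the way the rest of this `StandardLibrary/String.qll` list does; the first presumably comes from the Testing module and I could not place the second at all, so a one-line comment naming the declaring module above each pair (for example `// Testing module, not the stdlib` if that is where it lives) would save the next reader the search, and the second name is worth checking against a real declaration so the row is not dead. As with the existing `CustomStringConvertible` row, `getFullName()` appears to be compared against a bare, unqualified name, so a user-defined protocol with the same name would also match; that is pre-existing behaviour and only needs mentioning in the comment. The enclosing predicate starts before this hunk and ends after it.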