Swift: Extend Numeric models.

geoffw0 · geoffw0 · commit 0c534b69ebb5 · 2023-10-02T11:59:25.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll
@@ -17,21 +17,59 @@ private class NumericSummaries extends SummaryModelCsv {
         ";;false;numericCast(_:);;;Argument[0];ReturnValue;taint",
         ";;false;unsafeDowncast(_:to:);;;Argument[0];ReturnValue;taint",
         ";;false;unsafeBitCast(_:to:);;;Argument[0];ReturnValue;taint",
+        ";;false;numericCast(_:);;;Argument[0];ReturnValue;taint",
+        ";;false;min(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";;false;min(_:_:_:_:);;;Argument[0..2];ReturnValue;taint",
+        ";;false;min(_:_:_:_:);;;Argument[3].CollectionElement;ReturnValue;taint",
+        ";;false;max(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";;false;max(_:_:_:_:);;;Argument[0..2];ReturnValue;taint",
+        ";;false;max(_:_:_:_:);;;Argument[3].CollectionElement;ReturnValue;taint",
+        ";;false;abs(_:);;;Argument[0];ReturnValue;taint",
         ";Numeric;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
-        ";Numeric;true;init(bitPattern:);;;Argument[0];ReturnValue;taint",
+        ";Numeric;true;init(bitPattern:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
+        ";Numeric;true;init(truncating:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
         ";BinaryInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
         ";BinaryInteger;true;init(clamping:);;;Argument[0];ReturnValue;taint",
         ";BinaryInteger;true;init(truncatingIfNeeded:);;;Argument[0];ReturnValue;taint",
         ";BinaryInteger;true;init(_:format:lenient:);;;Argument[0];ReturnValue;taint",
         ";BinaryInteger;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
         ";BinaryInteger;true;formatted();;;Argument[-1];ReturnValue;taint",
         ";BinaryInteger;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
-        ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue;taint",
+        ";BinaryInteger;true;quotientAndRemainder(dividingBy:);;;Argument[-1..0];ReturnValue.TupleElement[0..1];taint",
+        ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue.OptionalSome;taint",
         ";FixedWidthInteger;true;init(littleEndian:);;;Argument[0];ReturnValue;taint",
         ";FixedWidthInteger;true;init(bigEndian:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;addingReportingOverflow(_:);;;Argument[-1..0];ReturnValue.TupleElement[0];taint",
+        ";FixedWidthInteger;true;subtractingReportingOverflow(_:);;;Argument[-1..0];ReturnValue.TupleElement[0];taint",
+        ";FixedWidthInteger;true;multipliedReportingOverflow(by:);;;Argument[-1..0];ReturnValue.TupleElement[0];taint",
+        ";FixedWidthInteger;true;dividedReportingOverflow(by:);;;Argument[-1..0];ReturnValue.TupleElement[0];taint",
+        ";FixedWidthInteger;true;remainderReportingOverflow(dividingBy:);;;Argument[-1..0];ReturnValue.TupleElement[0];taint",
+        ";FixedWidthInteger;true;dividingFullWidth(_:);;;Argument[-1];ReturnValue.TupleElement[0..1];taint",
+        ";FixedWidthInteger;true;dividingFullWidth(_:);;;Argument[1].TupleElement[0..1];ReturnValue.TupleElement[0..1];taint",
+        ";FixedWidthInteger;true;multipliedFullWidth(by:);;;Argument[-1..0];ReturnValue.TupleElement[0..1];taint",
         ";FloatingPoint;true;init(_:);;;Argument[0];ReturnValue;taint",
         ";FloatingPoint;true;init(sign:exponent:significand:);;;Argument[1..2];ReturnValue;taint",
         ";FloatingPoint;true;init(signOf:magnitudeOf:);;;Argument[1];ReturnValue;taint",
+        ";FloatingPoint;true;addProduct(_:_:);;;Argument[-1..1];Argument[-1];taint",
+        ";FloatingPoint;true;addingProduct(_:_:);;;Argument[-1..1];ReturnValue;taint",
+        ";FloatingPoint;true;formRemainder(dividingBy:);;;Argument[-1..0];Argument[-1];taint",
+        ";FloatingPoint;true;remainder(dividingBy:);;;Argument[-1..0];ReturnValue;taint",
+        ";FloatingPoint;true;formTruncatingRemainder(dividingBy:);;;Argument[-1..0];Argument[-1];taint",
+        ";FloatingPoint;true;truncatingRemainder(dividingBy:);;;Argument[-1..0];ReturnValue;taint",
+        ";FloatingPoint;true;rounded();;;Argument[-1];ReturnValue;taint",
+        ";FloatingPoint;true;rounded(_:);;;Argument[-1];ReturnValue;taint",
+        ";FloatingPoint;true;squareRoot();;;Argument[-1];ReturnValue;taint",
+        ";FloatingPoint;true;maximum(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";FloatingPoint;true;maximumMagnitude(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";FloatingPoint;true;minimum(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";FloatingPoint;true;minimumMagnitude(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";BinaryFloatingPoint;true;init(sign:exponentBitPattern:significandBitPattern:);;;Argument[0..2];ReturnValue;taint",
+        ";BinaryFloatingPoint;true;init(_:format:lenient:);;;Argument[0];ReturnValue;taint",
+        ";BinaryFloatingPoint;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
+        ";BinaryFloatingPoint;true;formatted();;;Argument[-1];ReturnValue;taint",
+        ";BinaryFloatingPoint;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
+        ";Strideable;true;advanced(by:);;;Argument[-1..0];ReturnValue;taint",
+        ";Strideable;true;distance(to:);;;Argument[-1..0];ReturnValue;taint",
       ]
   }
 }
@@ -44,10 +82,40 @@ private class NumericFieldsInheritTaint extends TaintInheritingContent,
   DataFlow::Content::FieldContent
 {
   NumericFieldsInheritTaint() {
-    this.getField().hasQualifiedName("FixedWidthInteger", ["littleEndian", "bigEndian"])
-    or
-    this.getField()
-        .hasQualifiedName(["Double", "Float", "Float80", "FloatingPoint"],
-          ["exponent", "significand"])
+    exists(string className, string fieldName |
+      (
+        (
+          className = "FixedWidthInteger" and
+          fieldName = ["littleEndian", "bigEndian"]
+        )
+        or
+        (
+          className = ["Double", "Float", "Float80", "FloatingPoint"] and
+          fieldName = ["exponent", "significand"]
+        )
+        or
+        (
+          className = "BinaryInteger" and
+          fieldName = "words"
+        )
+        or
+        (
+          className = "Numeric" and
+          fieldName = ["magnitude", "byteSwapped"]
+        )
+        or
+        (
+          className = "BinaryFloatingPoint" and
+          fieldName = ["binade", "exponentBitPattern", "significandBitPattern"]
+        )
+      ) and
+      exists(FieldDecl fieldDecl, Decl declaringDecl, TypeDecl namedTypeDecl |
+        namedTypeDecl.getFullName() = className and
+        fieldDecl.getName() = fieldName and
+        declaringDecl.getAMember() = fieldDecl and
+        declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and
+        this.getField() = fieldDecl
+      )
+    )
   }
 }
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
@@ -60,19 +60,23 @@
 | conversions.swift:63:6:63:6 | SSA def(v7) | conversions.swift:64:12:64:12 | v7 |
 | conversions.swift:63:6:63:6 | v7 | conversions.swift:63:6:63:6 | SSA def(v7) |
 | conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:63:6:63:6 | v7 |
+| conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:63:11:63:26 | call to abs(_:) |
 | conversions.swift:66:6:66:6 | SSA def(v8) | conversions.swift:67:12:67:12 | v8 |
 | conversions.swift:66:6:66:6 | v8 | conversions.swift:66:6:66:6 | SSA def(v8) |
 | conversions.swift:66:18:66:18 | 0 | conversions.swift:66:6:66:6 | v8 |
 | conversions.swift:67:12:67:12 | [post] v8 | conversions.swift:68:12:68:12 | v8 |
 | conversions.swift:67:12:67:12 | v8 | conversions.swift:68:12:68:12 | v8 |
 | conversions.swift:68:12:68:12 | [post] v8 | conversions.swift:69:12:69:12 | v8 |
+| conversions.swift:68:12:68:12 | v8 | conversions.swift:68:12:68:29 | call to advanced(by:) |
 | conversions.swift:68:12:68:12 | v8 | conversions.swift:69:12:69:12 | v8 |
+| conversions.swift:68:28:68:28 | 1 | conversions.swift:68:12:68:29 | call to advanced(by:) |
+| conversions.swift:69:12:69:12 | v8 | conversions.swift:69:12:69:39 | call to advanced(by:) |
+| conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) |
 | conversions.swift:71:12:71:36 | call to Self.init(exactly:) | conversions.swift:71:12:71:37 | ...! |
 | conversions.swift:72:12:72:39 | call to Self.init(exactly:) | conversions.swift:72:12:72:40 | ...! |
 | conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) |
 | conversions.swift:74:36:74:46 | call to sourceInt() | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) |
 | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) | conversions.swift:75:12:75:42 | ...! |
-| conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) |
 | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) |
 | conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) |
 | conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian |
@@ -131,6 +135,8 @@
 | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand |
 | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent |
 | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand |
+| conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped |
+| conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped |
 | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) |
 | conversions.swift:138:6:138:6 | SSA def(ms1) | conversions.swift:139:12:139:12 | ms1 |
 | conversions.swift:138:6:138:6 | ms1 | conversions.swift:138:6:138:6 | SSA def(ms1) |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
@@ -23,14 +23,17 @@ edges
 | conversions.swift:57:36:57:46 | call to sourceInt() | conversions.swift:57:11:57:47 | call to Self.init(truncatingIfNeeded:) |
 | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | conversions.swift:61:12:61:12 | v6 |
 | conversions.swift:60:28:60:38 | call to sourceInt() | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) |
+| conversions.swift:63:11:63:26 | call to abs(_:) | conversions.swift:64:12:64:12 | v7 |
+| conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:63:11:63:26 | call to abs(_:) |
+| conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) |
 | conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] | conversions.swift:71:12:71:37 | ...! |
 | conversions.swift:71:25:71:35 | call to sourceInt() | conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] |
 | conversions.swift:72:12:72:39 | call to Self.init(exactly:) [some:0] | conversions.swift:72:12:72:40 | ...! |
 | conversions.swift:72:28:72:38 | call to sourceInt() | conversions.swift:72:12:72:39 | call to Self.init(exactly:) [some:0] |
 | conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) |
 | conversions.swift:74:36:74:46 | call to sourceInt() | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) |
-| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) | conversions.swift:75:12:75:42 | ...! |
-| conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) |
+| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | conversions.swift:75:12:75:42 | ...! |
+| conversions.swift:75:16:75:29 | call to sourceString() | conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] |
 | conversions.swift:77:30:77:40 | call to sourceInt() | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) |
 | conversions.swift:78:27:78:37 | call to sourceInt() | conversions.swift:78:12:78:38 | call to Self.init(bigEndian:) |
 | conversions.swift:79:12:79:22 | call to sourceInt() | conversions.swift:79:12:79:24 | .littleEndian |
@@ -56,6 +59,8 @@ edges
 | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand |
 | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent |
 | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand |
+| conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped |
+| conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped |
 | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) |
 | conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:144:12:144:35 | call to MyString.init(_:) [some:0] |
 | conversions.swift:144:12:144:35 | call to MyString.init(_:) | conversions.swift:145:12:145:12 | ms2 |
@@ -200,6 +205,11 @@ nodes
 | conversions.swift:60:11:60:39 | call to UInt.init(bitPattern:) | semmle.label | call to UInt.init(bitPattern:) |
 | conversions.swift:60:28:60:38 | call to sourceInt() | semmle.label | call to sourceInt() |
 | conversions.swift:61:12:61:12 | v6 | semmle.label | v6 |
+| conversions.swift:63:11:63:26 | call to abs(_:) | semmle.label | call to abs(_:) |
+| conversions.swift:63:15:63:25 | call to sourceInt() | semmle.label | call to sourceInt() |
+| conversions.swift:64:12:64:12 | v7 | semmle.label | v7 |
+| conversions.swift:69:12:69:39 | call to advanced(by:) | semmle.label | call to advanced(by:) |
+| conversions.swift:69:28:69:38 | call to sourceInt() | semmle.label | call to sourceInt() |
 | conversions.swift:71:12:71:36 | call to Self.init(exactly:) [some:0] | semmle.label | call to Self.init(exactly:) [some:0] |
 | conversions.swift:71:12:71:37 | ...! | semmle.label | ...! |
 | conversions.swift:71:25:71:35 | call to sourceInt() | semmle.label | call to sourceInt() |
@@ -210,7 +220,7 @@ nodes
 | conversions.swift:73:26:73:36 | call to sourceInt() | semmle.label | call to sourceInt() |
 | conversions.swift:74:12:74:47 | call to Self.init(truncatingIfNeeded:) | semmle.label | call to Self.init(truncatingIfNeeded:) |
 | conversions.swift:74:36:74:46 | call to sourceInt() | semmle.label | call to sourceInt() |
-| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) | semmle.label | call to Self.init(_:radix:) |
+| conversions.swift:75:12:75:41 | call to Self.init(_:radix:) [some:0] | semmle.label | call to Self.init(_:radix:) [some:0] |
 | conversions.swift:75:12:75:42 | ...! | semmle.label | ...! |
 | conversions.swift:75:16:75:29 | call to sourceString() | semmle.label | call to sourceString() |
 | conversions.swift:77:12:77:41 | call to Self.init(littleEndian:) | semmle.label | call to Self.init(littleEndian:) |
@@ -261,6 +271,10 @@ nodes
 | conversions.swift:128:12:128:27 | .exponent | semmle.label | .exponent |
 | conversions.swift:129:12:129:25 | call to sourceDouble() | semmle.label | call to sourceDouble() |
 | conversions.swift:129:12:129:27 | .significand | semmle.label | .significand |
+| conversions.swift:130:12:130:23 | call to sourceUInt() | semmle.label | call to sourceUInt() |
+| conversions.swift:130:12:130:25 | .byteSwapped | semmle.label | .byteSwapped |
+| conversions.swift:131:12:131:25 | call to sourceUInt64() | semmle.label | call to sourceUInt64() |
+| conversions.swift:131:12:131:27 | .byteSwapped | semmle.label | .byteSwapped |
 | conversions.swift:135:12:135:25 | call to sourceString() | semmle.label | call to sourceString() |
 | conversions.swift:136:12:136:33 | call to String.init(_:) | semmle.label | call to String.init(_:) |
 | conversions.swift:136:19:136:32 | call to sourceString() | semmle.label | call to sourceString() |
@@ -434,6 +448,8 @@ subpaths
 | conversions.swift:55:12:55:12 | v4 | conversions.swift:54:31:54:41 | call to sourceInt() | conversions.swift:55:12:55:12 | v4 | result |
 | conversions.swift:58:12:58:12 | v5 | conversions.swift:57:36:57:46 | call to sourceInt() | conversions.swift:58:12:58:12 | v5 | result |
 | conversions.swift:61:12:61:12 | v6 | conversions.swift:60:28:60:38 | call to sourceInt() | conversions.swift:61:12:61:12 | v6 | result |
+| conversions.swift:64:12:64:12 | v7 | conversions.swift:63:15:63:25 | call to sourceInt() | conversions.swift:64:12:64:12 | v7 | result |
+| conversions.swift:69:12:69:39 | call to advanced(by:) | conversions.swift:69:28:69:38 | call to sourceInt() | conversions.swift:69:12:69:39 | call to advanced(by:) | result |
 | conversions.swift:71:12:71:37 | ...! | conversions.swift:71:25:71:35 | call to sourceInt() | conversions.swift:71:12:71:37 | ...! | result |
 | conversions.swift:72:12:72:40 | ...! | conversions.swift:72:28:72:38 | call to sourceInt() | conversions.swift:72:12:72:40 | ...! | result |
 | conversions.swift:73:12:73:37 | call to Self.init(clamping:) | conversions.swift:73:26:73:36 | call to sourceInt() | conversions.swift:73:12:73:37 | call to Self.init(clamping:) | result |
@@ -462,6 +478,8 @@ subpaths
 | conversions.swift:127:12:127:28 | .significand | conversions.swift:127:12:127:26 | call to sourceFloat80() | conversions.swift:127:12:127:28 | .significand | result |
 | conversions.swift:128:12:128:27 | .exponent | conversions.swift:128:12:128:25 | call to sourceDouble() | conversions.swift:128:12:128:27 | .exponent | result |
 | conversions.swift:129:12:129:27 | .significand | conversions.swift:129:12:129:25 | call to sourceDouble() | conversions.swift:129:12:129:27 | .significand | result |
+| conversions.swift:130:12:130:25 | .byteSwapped | conversions.swift:130:12:130:23 | call to sourceUInt() | conversions.swift:130:12:130:25 | .byteSwapped | result |
+| conversions.swift:131:12:131:27 | .byteSwapped | conversions.swift:131:12:131:25 | call to sourceUInt64() | conversions.swift:131:12:131:27 | .byteSwapped | result |
 | conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | conversions.swift:135:12:135:25 | call to sourceString() | result |
 | conversions.swift:136:12:136:33 | call to String.init(_:) | conversions.swift:136:19:136:32 | call to sourceString() | conversions.swift:136:12:136:33 | call to String.init(_:) | result |
 | conversions.swift:145:12:145:12 | ms2 | conversions.swift:144:21:144:34 | call to sourceString() | conversions.swift:145:12:145:12 | ms2 | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift b/swift/ql/test/library-tests/dataflow/taint/core/conversions.swift
@@ -61,12 +61,12 @@ func testConversions() {
 	sink(arg: v6) // $ tainted=60
 
 	let v7 = abs(sourceInt())
-	sink(arg: v7) // $ MISSING: tainted=63
+	sink(arg: v7) // $ tainted=63
 
 	let v8 = UInt64(0)
 	sink(arg: v8)
 	sink(arg: v8.advanced(by: 1))
-	sink(arg: v8.advanced(by: sourceInt())) // $ MISSING: tainted=69
+	sink(arg: v8.advanced(by: sourceInt())) // $ tainted=69
 
 	sink(arg: Int(exactly: sourceInt())!) // $ tainted=71
 	sink(arg: UInt32(exactly: sourceInt())!) // $ tainted=72
@@ -127,8 +127,8 @@ func testConversions() {
 	sink(arg: sourceFloat80().significand) // $ tainted=127
 	sink(arg: sourceDouble().exponent) // $ tainted=128
 	sink(arg: sourceDouble().significand) // $ tainted=129
-	sink(arg: sourceUInt().byteSwapped) // $ MISSING: tainted=130
-	sink(arg: sourceUInt64().byteSwapped) // $ MISSING: tainted=131
+	sink(arg: sourceUInt().byteSwapped) // $ tainted=130
+	sink(arg: sourceUInt64().byteSwapped) // $ tainted=131
 
 	// ---
 
