Swift: Model .base, withUTF8(_:).

geoffw0 · geoffw0 · commit 613c7b24b54c · 2023-10-16T10:17:32.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -125,6 +125,9 @@ private class StringSummaries extends SummaryModelCsv {
         ";String;true;enumerated();;;Argument[-1];ReturnValue;taint",
         ";String;true;encode(to:);;;Argument[-1];Argument[0];taint",
         ";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";Substring;true;withUTF8(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";Substring;true;withUTF8(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1];taint",
+        ";Substring;true;withUTF8(_:);;;Argument[0].ReturnValue;ReturnValue;value",
       ]
   }
 }
@@ -154,6 +157,9 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,
         or
         namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and
         fieldDecl.getName() = "debugDescription"
+        or
+        namedTypeDecl.getFullName() = "Substring" and
+        fieldDecl.getName() = "base"
       ) and
       declaringDecl.getAMember() = fieldDecl and
       declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -655,7 +655,7 @@ func testSubstringMembers() {
 
   let sub1 = tainted[..<tainted.index(tainted.endIndex, offsetBy: -5)]
   sink(arg: sub1) // $ tainted=654
-  sink(arg: sub1.base) // $ MISSING: tainted=
+  sink(arg: sub1.base) // $ tainted=654
   sink(arg: sub1.utf8) // $ tainted=654
   sink(arg: sub1.capitalized) // $ tainted=654
   sink(arg: sub1.description) // $ tainted=654
@@ -664,10 +664,10 @@ func testSubstringMembers() {
   sink(arg: sub2) // $ tainted=654
   let result1 = sub2.withUTF8({
     buffer in
-    sink(arg: buffer[0]) // $ MISSING: tainted=
+    sink(arg: buffer[0]) // $ tainted=654
     return source()
   })
-  sink(arg: result1) // $ MISSING: tainted=
+  sink(arg: result1) // $ tainted=668
 
   let sub3 = Substring(sub2.utf8)
   sink(arg: sub3) // $ tainted=654

Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,9 @@ private class StringSummaries extends SummaryModelCsv {`
`125`	`125`	`";String;true;enumerated();;;Argument[-1];ReturnValue;taint",`
`126`	`126`	`";String;true;encode(to:);;;Argument[-1];Argument[0];taint",`
`127`	`127`	`";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",`
	`128`	`+ ";Substring;true;withUTF8(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",`
	`129`	`+ ";Substring;true;withUTF8(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1];taint",`
	`130`	`+ ";Substring;true;withUTF8(_:);;;Argument[0].ReturnValue;ReturnValue;value",`
`128`	`131`	`]`
`129`	`132`	`}`
`130`	`133`	`}`
`@@ -154,6 +157,9 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,`
`154`	`157`	`or`
`155`	`158`	`namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and`
`156`	`159`	`fieldDecl.getName() = "debugDescription"`
	`160`	`+ or`
	`161`	`+ namedTypeDecl.getFullName() = "Substring" and`
	`162`	`+ fieldDecl.getName() = "base"`
`157`	`163`	`) and`
`158`	`164`	`declaringDecl.getAMember() = fieldDecl and`
`159`	`165`	`declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and`