Swift: Add imprecise init(data:) model.

geoffw0 · geoffw0 · commit 6e5c28534688 · 2023-11-27T19:23:40.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll b/swift/ql/lib/codeql/swift/frameworks/Heuristic.qll
@@ -6,6 +6,7 @@
 import swift
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.FlowSteps
 
 /**
  * An initializer call `ce` that has a "contentsOf" argument, along with a
@@ -51,3 +52,21 @@ private class InitializerContentsOfLocalSource extends LocalFlowSource {
 
   override string getSourceType() { result = "contentsOf initializer" }
 }
+
+/**
+ * An imprecise flow step for an initializer call with a "data" argument.  For
+ * example:
+ * ```
+ * let mc = MyClass(data: taintedData)
+ * ```
+ */
+private class InitializerFromDataStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(InitializerCallExpr ce, Argument arg |
+      ce.getAnArgument() = arg and
+      arg.getLabel() = "data" and
+      node1.asExpr() = arg.getExpr() and
+      node2.asExpr() = ce
+    )
+  }
+}
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/custom.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/custom.swift
@@ -44,10 +44,10 @@ func testCustom() {
 	let tainted2 = MyContainer(data: source("data2"), flags: 123)
 	sink(arg: clean)
 	sink(arg: clean[0])
-	sink(arg: tainted) // $ MISSING: tainted=data1
-	sink(arg: tainted[0]) // $ MISSING: tainted=data1
-	sink(arg: tainted2) // $ MISSING: tainted=data2
-	sink(arg: tainted2[0]) // $ MISSING: tainted=data2
+	sink(arg: tainted) // $ tainted=data1
+	sink(arg: tainted[0]) // $ tainted=data1
+	sink(arg: tainted2) // $ tainted=data2
+	sink(arg: tainted2[0]) // $ tainted=data2
 
 	var mc1 = MyContainer()
 	mc1.append(Data(0))
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/ui.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/ui.swift
@@ -91,7 +91,7 @@ func testUIImage(scale: CGFloat) {
     let taintedData = source("UIImage") as! Data
 
     sink(UIImage(data: Data(0))!)
-    sink(UIImage(data: Data(taintedData))!) // $ MISSING: tainted=UIImage
+    sink(UIImage(data: Data(taintedData))!) // $ tainted=UIImage
     sink(UIImage(data: Data(0), scale: scale)!)
-    sink(UIImage(data: Data(taintedData), scale: scale)!) // $ MISSING: tainted=UIImage
+    sink(UIImage(data: Data(taintedData), scale: scale)!) // $ tainted=UIImage
 }

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ func testUIImage(scale: CGFloat) {`
`91`	`91`	`let taintedData = source("UIImage") as! Data`
`92`	`92`
`93`	`93`	`sink(UIImage(data: Data(0))!)`
`94`		`- sink(UIImage(data: Data(taintedData))!) // $ MISSING: tainted=UIImage`
	`94`	`+ sink(UIImage(data: Data(taintedData))!) // $ tainted=UIImage`
`95`	`95`	`sink(UIImage(data: Data(0), scale: scale)!)`
`96`		`- sink(UIImage(data: Data(taintedData), scale: scale)!) // $ MISSING: tainted=UIImage`
	`96`	`+ sink(UIImage(data: Data(taintedData), scale: scale)!) // $ tainted=UIImage`
`97`	`97`	`}`