Merge pull request #13698 from geoffw0/url2

Swift: Expand taint models for URL

Author: geoffw0

swift/ql/lib/change-notes/2023-07-06-url-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added detail to the taint model for `URL`.

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Url.qll

@@ -35,6 +35,36 @@ private class UrlRequestFieldsInheritTaint extends TaintInheritingContent,
   }
 }
 
+/**
+ * A content implying that, if a `URLResource` is tainted, then its fields `name`
+ * and `subdirectory` are tainted.
+ */
+private class UrlResourceFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  UrlResourceFieldsInheritTaint() {
+    this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "URLResource" and
+    this.getField().getName() = ["name", "subdirectory"]
+  }
+}
+
+/**
+ * A content implying that, if a `URLResourceValues` is tainted, then certain
+ * fields are tainted.
+ */
+private class UrlResourceValuesFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  UrlResourceValuesFieldsInheritTaint() {
+    this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "URLResourceValues" and
+    this.getField().getName() =
+      [
+        "name", "path", "canonicalPath", "localizedLabel", "localizedName", "parentDirectory",
+        "thumbnail"
+      ]
+  }
+}
+
 /**
  * A model for `URL` members that are sources of remote flow.
  */
@@ -49,14 +79,74 @@ private class UrlRemoteFlowSource extends SourceModelCsv {
 }
 
 /**
- * A model for `URL` members that permit taint flow.
+ * A model for `URL` and related class members that permit taint flow.
  */
 private class UrlSummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
         ";URL;true;init(string:);(String);;Argument[0];ReturnValue;taint",
-        ";URL;true;init(string:relativeTo:);(String,URL?);;Argument[0,1];ReturnValue;taint"
+        ";URL;true;init(string:relativeTo:);(String,URL?);;Argument[0..1];ReturnValue;taint",
+        ";URL;true;init(fileURLWithPath:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(fileURLWithPath:isDirectory:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(fileURLWithPath:relativeTo:);;;Argument[0..1];ReturnValue;taint",
+        ";URL;true;init(fileURLWithPath:isDirectory:relativeTo:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(fileURLWithPath:isDirectory:relativeTo:);;;Argument[2];ReturnValue;taint",
+        ";URL;true;init(fileURLWithFileSystemRepresentation:isDirectory:relativeTo:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(fileURLWithFileSystemRepresentation:isDirectory:relativeTo:);;;Argument[2];ReturnValue;taint",
+        ";URL;true;init(fileReferenceLiteralResourceName:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(_:isDirectory:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(resolvingBookmarkData:options:relativeTo:bookmarkDataIsStale:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(resolvingBookmarkData:options:relativeTo:bookmarkDataIsStale:);;;Argument[2];ReturnValue;taint",
+        ";URL;true;init(resolvingAliasFileAt:options:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(resource:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(dataRepresentation:relativeTo:isAbsolute:);;;Argument[0..1];ReturnValue;taint",
+        ";URL;true;init(_:strategy:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(filePath:directoryHint:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(filePath:directoryHint:relativeTo:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;init(filePath:directoryHint:relativeTo:);;;Argument[2];ReturnValue;taint",
+        ";URL;true;init(for:in:appropriateFor:create:);;;Argument[0..2];ReturnValue;taint",
+        ";URL;true;init(string:encodingInvalidCharacters:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;resourceValues(forKeys:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;setResourceValues(_:);;;Argument[0];Argument[-1];taint",
+        ";URL;true;setTemporaryResourceValue(_:forKey:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;withUnsafeFileSystemRepresentation(_:);;;Argument[-1],Argument[0].Parameter[0];ReturnValue;taint",
+        ";URL;true;withUnsafeFileSystemRepresentation(_:);;;Argument[0].ReturnValue;ReturnValue;taint",
+        ";URL;true;resolvingSymlinksInPath();;;Argument[-1];ReturnValue;taint",
+        ";URL;true;appendPathComponent(_:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;appendPathComponent(_:isDirectory:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;appendPathComponent(_:conformingTo:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;appendingPathComponent(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appendingPathComponent(_:isDirectory:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appendingPathComponent(_:conformingTo:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appendPathExtension(_:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;appendingPathExtension(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;deletingLastPathComponent();;;Argument[-1];ReturnValue;taint",
+        ";URL;true;deletingPathExtension();;;Argument[-1];ReturnValue;taint",
+        ";URL;true;bookmarkData(options:includingResourceValuesForKeys:relativeTo:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;bookmarkData(options:includingResourceValuesForKeys:relativeTo:);;;Argument[1..2];ReturnValue;taint",
+        ";URL;true;bookmarkData(withContentsOf:);;;Argument[0];ReturnValue;taint",
+        ";URL;true;resourceValues(forKeys:fromBookmarkData:);;;Argument[1];ReturnValue;taint",
+        ";URL;true;promisedItemResourceValues(forKeys:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;append(component:directoryHint:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;append(components:directoryHint:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;append(path:directoryHint:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;append(queryItems:);;;Argument[-1..0];Argument[-1];taint",
+        ";URL;true;appending(component:directoryHint:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appending(components:directoryHint:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appending(path:directoryHint:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;appending(queryItems:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;formatted();;;Argument[-1];ReturnValue;taint",
+        ";URL;true;formatted(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";URL;true;fragment(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;host(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;password(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;path(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;query(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;user(percentEncoded:);;;Argument[-1];ReturnValue;taint",
+        ";URL;true;homeDirectory(forUser:);;;Argument[0];ReturnValue;taint",
+        ";URLResource;true;init(name:subdirectory:locale:bundle:);;;Argument[0..1];ReturnValue;taint",
       ]
   }
 }

swift/ql/test/library-tests/dataflow/taint/libraries/CONSISTENCY/CfgConsistency.expected

@@ -0,0 +1,2 @@
+deadEnd
+| url.swift:493:2:493:28 | call to sink(any:) |