hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Understand overflow binary arithmetic operations.

Browse Source
This commit is contained in:
Geoffrey White
2023-03-02 11:59:37 +00:00
parent 53f52df809
commit 1206b73d87
6 changed files with 54 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
swift/ql/lib/codeql/swift/elements/expr/ArithmeticOperation.qll
View File

@@ -45,30 +45,33 @@ class BinaryArithmeticOperation extends BinaryExpr {
* An add expression.
* ```
* a + b
* a &+ b
* ```
*/
class AddExpr extends BinaryExpr {
AddExpr() { this.getStaticTarget().getName() = "+(_:_:)" }
AddExpr() { this.getStaticTarget().getName() = ["+(_:_:)", "&+(_:_:)"] }
}
/**
* A subtract expression.
* ```
* a - b
* a &- b
* ```
*/
class SubExpr extends BinaryExpr {
SubExpr() { this.getStaticTarget().getName() = "-(_:_:)" }
SubExpr() { this.getStaticTarget().getName() = ["-(_:_:)", "&-(_:_:)"] }
}
/**
* A multiply expression.
* ```
* a * b
* a &* b
* ```
*/
class MulExpr extends BinaryExpr {
MulExpr() { this.getStaticTarget().getName() = "*(_:_:)" }
MulExpr() { this.getStaticTarget().getName() = ["*(_:_:)", "&*(_:_:)"] }
}
/**

12
swift/ql/test/library-tests/dataflow/taint/core/LocalTaint.expected
View File

@@ -19,6 +19,18 @@
| simple.swift:21:13:21:20 | call to source() | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
| simple.swift:21:24:21:24 | 100 | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
| simple.swift:23:14:23:21 | call to source() | simple.swift:23:13:23:21 | call to -(_:) |
| simple.swift:27:13:27:13 | 1 | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
| simple.swift:27:18:27:25 | call to source() | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
| simple.swift:28:13:28:20 | call to source() | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
| simple.swift:28:25:28:25 | 1 | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
| simple.swift:29:13:29:13 | 1 | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
| simple.swift:29:18:29:25 | call to source() | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
| simple.swift:30:13:30:20 | call to source() | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
| simple.swift:30:25:30:25 | 1 | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
| simple.swift:31:13:31:13 | 2 | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
| simple.swift:31:18:31:25 | call to source() | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
| simple.swift:32:13:32:20 | call to source() | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
| simple.swift:32:25:32:25 | 2 | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
| simple.swift:36:7:36:7 | SSA def(a) | simple.swift:37:13:37:13 | a |
| simple.swift:36:11:36:11 | 0 | simple.swift:36:7:36:7 | SSA def(a) |
| simple.swift:37:13:37:13 | [post] a | simple.swift:38:3:38:3 | a |

24
swift/ql/test/library-tests/dataflow/taint/core/Taint.expected
View File

@@ -10,6 +10,12 @@ edges
| simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... |
| simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... |
| simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) |
| simple.swift:27:18:27:25 | call to source() : | simple.swift:27:13:27:25 | ... .&+(_:_:) ... |
| simple.swift:28:13:28:20 | call to source() : | simple.swift:28:13:28:25 | ... .&+(_:_:) ... |
| simple.swift:29:18:29:25 | call to source() : | simple.swift:29:13:29:25 | ... .&-(_:_:) ... |
| simple.swift:30:13:30:20 | call to source() : | simple.swift:30:13:30:25 | ... .&-(_:_:) ... |
| simple.swift:31:18:31:25 | call to source() : | simple.swift:31:13:31:25 | ... .&*(_:_:) ... |
| simple.swift:32:13:32:20 | call to source() : | simple.swift:32:13:32:25 | ... .&*(_:_:) ... |
| simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a |
| simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a |
| simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b |
@@ -48,6 +54,18 @@ nodes
| simple.swift:21:13:21:24 | ... .%(_:_:) ... | semmle.label | ... .%(_:_:) ... |
| simple.swift:23:13:23:21 | call to -(_:) | semmle.label | call to -(_:) |
| simple.swift:23:14:23:21 | call to source() : | semmle.label | call to source() : |
| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
| simple.swift:27:18:27:25 | call to source() : | semmle.label | call to source() : |
| simple.swift:28:13:28:20 | call to source() : | semmle.label | call to source() : |
| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | semmle.label | ... .&+(_:_:) ... |
| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
| simple.swift:29:18:29:25 | call to source() : | semmle.label | call to source() : |
| simple.swift:30:13:30:20 | call to source() : | semmle.label | call to source() : |
| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | semmle.label | ... .&-(_:_:) ... |
| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
| simple.swift:31:18:31:25 | call to source() : | semmle.label | call to source() : |
| simple.swift:32:13:32:20 | call to source() : | semmle.label | call to source() : |
| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | semmle.label | ... .&*(_:_:) ... |
| simple.swift:40:8:40:15 | call to source() : | semmle.label | call to source() : |
| simple.swift:41:13:41:13 | a | semmle.label | a |
| simple.swift:43:13:43:13 | a | semmle.label | a |
@@ -86,6 +104,12 @@ subpaths
| simple.swift:20:13:20:26 | ... .%(_:_:) ... | simple.swift:20:19:20:26 | call to source() : | simple.swift:20:13:20:26 | ... .%(_:_:) ... | result |
| simple.swift:21:13:21:24 | ... .%(_:_:) ... | simple.swift:21:13:21:20 | call to source() : | simple.swift:21:13:21:24 | ... .%(_:_:) ... | result |
| simple.swift:23:13:23:21 | call to -(_:) | simple.swift:23:14:23:21 | call to source() : | simple.swift:23:13:23:21 | call to -(_:) | result |
| simple.swift:27:13:27:25 | ... .&+(_:_:) ... | simple.swift:27:18:27:25 | call to source() : | simple.swift:27:13:27:25 | ... .&+(_:_:) ... | result |
| simple.swift:28:13:28:25 | ... .&+(_:_:) ... | simple.swift:28:13:28:20 | call to source() : | simple.swift:28:13:28:25 | ... .&+(_:_:) ... | result |
| simple.swift:29:13:29:25 | ... .&-(_:_:) ... | simple.swift:29:18:29:25 | call to source() : | simple.swift:29:13:29:25 | ... .&-(_:_:) ... | result |
| simple.swift:30:13:30:25 | ... .&-(_:_:) ... | simple.swift:30:13:30:20 | call to source() : | simple.swift:30:13:30:25 | ... .&-(_:_:) ... | result |
| simple.swift:31:13:31:25 | ... .&*(_:_:) ... | simple.swift:31:18:31:25 | call to source() : | simple.swift:31:13:31:25 | ... .&*(_:_:) ... | result |
| simple.swift:32:13:32:25 | ... .&*(_:_:) ... | simple.swift:32:13:32:20 | call to source() : | simple.swift:32:13:32:25 | ... .&*(_:_:) ... | result |
| simple.swift:41:13:41:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:41:13:41:13 | a | result |
| simple.swift:43:13:43:13 | a | simple.swift:40:8:40:15 | call to source() : | simple.swift:43:13:43:13 | a | result |
| simple.swift:49:13:49:13 | b | simple.swift:48:8:48:15 | call to source() : | simple.swift:49:13:49:13 | b | result |

12
swift/ql/test/library-tests/dataflow/taint/core/simple.swift
View File

@@ -24,12 +24,12 @@ func taintThroughArithmetic() {
// overflow operators
sink(arg: 1 &+ source()) // $ MISSING: tainted=
sink(arg: source() &+ 1) // $ MISSING: tainted=
sink(arg: 1 &- source()) // $ MISSING: tainted=
sink(arg: source() &- 1) // $ MISSING: tainted=
sink(arg: 2 &* source()) // $ MISSING: tainted=
sink(arg: source() &* 2) // $ MISSING: tainted=
sink(arg: 1 &+ source()) // $ tainted=27
sink(arg: source() &+ 1) // $ tainted=28
sink(arg: 1 &- source()) // $ tainted=29
sink(arg: source() &- 1) // $ tainted=30
sink(arg: 2 &* source()) // $ tainted=31
sink(arg: source() &* 2) // $ tainted=32
}
func taintThroughAssignmentArithmetic() {

3
swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.expected
View File

@@ -5,3 +5,6 @@
| arithmeticoperation.swift:10:6:10:10 | ... .%(_:_:) ... | BinaryArithmeticOperation, RemExpr |
| arithmeticoperation.swift:11:6:11:7 | call to -(_:) | UnaryArithmeticOperation, UnaryMinusExpr |
| arithmeticoperation.swift:12:6:12:7 | call to +(_:) | UnaryArithmeticOperation, UnaryPlusExpr |
| arithmeticoperation.swift:15:8:15:13 | ... .&+(_:_:) ... | AddExpr, BinaryArithmeticOperation |
| arithmeticoperation.swift:16:8:16:13 | ... .&-(_:_:) ... | BinaryArithmeticOperation, SubExpr |
| arithmeticoperation.swift:17:8:17:13 | ... .&*(_:_:) ... | BinaryArithmeticOperation, MulExpr |

6
swift/ql/test/library-tests/elements/expr/arithmeticoperation/arithmeticoperation.swift
View File

@@ -12,7 +12,7 @@ func test(c: Bool, x: Int, y: Int, z: Int) {
v = +x;
// arithmetic operations with overflow
v = x &+ y; // NOT DETECTED
v = x &- y; // NOT DETECTED
v = x &* y; // NOT DETECTED
v = x &+ y;
v = x &- y;
v = x &* y;
}