Swift: Use PointerType in data flow's 'modifiable' predicate.

2026-05-02 12:15:17 +02:00 · 2023-03-03 11:03:43 +00:00
parent 3249cee1c9
commit 234f17b578
4 changed files with 12 additions and 11 deletions
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -7,6 +7,7 @@ private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.BasicBlocks
 private import codeql.swift.dataflow.FlowSummary as FlowSummary
 private import codeql.swift.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import codeql.swift.frameworks.StandardLibrary.PointerTypes

 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
@@ -212,7 +213,7 @@ private predicate modifiable(Argument arg) {
  or
  arg.getExpr().getType() instanceof NominalType
  or
-  arg.getLabel() = "ptr"
+  arg.getExpr().getType() instanceof PointerType
 }

 predicate modifiableParam(ParamDecl param) {
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/data.swift
@@ -158,13 +158,13 @@ func taintThroughData() {
 	let dataTainted19 = source() as! Data
 	let pointerTainted19 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted19.copyBytes(to: pointerTainted19, count: 0)
-	sink(arg: pointerTainted19) // $ MISSING: tainted=158
+	sink(arg: pointerTainted19) // $ tainted=158

 	// ";Data;true;copyBytes(to:from:);;;Argument[-1];Argument[0];taint",
 	let dataTainted20 = source() as! Data
 	let pointerTainted20 = UnsafeMutablePointer<UInt8>.allocate(capacity: 0)
 	dataTainted20.copyBytes(to: pointerTainted20, from: 0..<1)
-	sink(arg: pointerTainted20) // $ MISSING: tainted=164
+	sink(arg: pointerTainted20) // $ tainted=164

 	// ";Data;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
 	let dataTainted21 = source() as! Data
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/nsstring.swift
@@ -318,14 +318,14 @@ func taintThroughInterpolatedStrings() {
  harmless.getCharacters(ptr1, range: myRange)
  sink(arg: ptr1)
  sourceNSString().getCharacters(ptr1, range: myRange)
-  sink(arg: ptr1) // $ MISSING: tainted=
+  sink(arg: ptr1) // $ tainted=320

  var ptr2 = (nil as UnsafeMutablePointer<unichar>?)!
  sink(arg: ptr2)
  harmless.getCharacters(ptr2)
  sink(arg: ptr2)
  sourceNSString().getCharacters(ptr2)
-  sink(arg: ptr2) // $ MISSING: tainted=
+  sink(arg: ptr2) // $ tainted=327

  var ptr3 = (nil as UnsafeMutableRawPointer?)!
  sink(arg: ptr3)
@@ -339,14 +339,14 @@ func taintThroughInterpolatedStrings() {
  harmless.getCString(ptr4, maxLength: 128, encoding: 0)
  sink(arg: ptr4)
  sourceNSString().getCString(ptr4, maxLength: 128, encoding: 0)
-  sink(arg: ptr4) // $ MISSING: tainted=
+  sink(arg: ptr4) // $ tainted=341

  var ptr5 = (nil as UnsafeMutablePointer<CChar>?)!
  sink(arg: ptr5)
  harmless.getCString(ptr5)
  sink(arg: ptr5)
  sourceNSString().getCString(ptr5)
-  sink(arg: ptr5) // $ MISSING: tainted=
+  sink(arg: ptr5) // $ tainted=348

  sink(arg: harmless.enumerateLines({
    line, stop in
@@ -363,10 +363,10 @@ func taintThroughInterpolatedStrings() {
  var outLongest = (nil as AutoreleasingUnsafeMutablePointer<NSString?>?)!
  var outArray = (nil as AutoreleasingUnsafeMutablePointer<NSArray?>?)!
  if (str10.completePath(into: outLongest, caseSensitive: false, matchesInto: outArray, filterTypes: nil) > 0) {
-    sink(arg: outLongest) // $ MISSING: tainted=
+    sink(arg: outLongest) // $ tainted=362
    sink(arg: outLongest.pointee) // $ MISSING: tainted=
    sink(arg: outLongest.pointee!) // $ MISSING: tainted=
-    sink(arg: outArray) // $ MISSING: tainted=
+    sink(arg: outArray) // $ tainted=362
    sink(arg: outArray.pointee) // $ MISSING: tainted=
    sink(arg: outArray.pointee!) // $ MISSING: tainted=
  }
@@ -374,7 +374,7 @@ func taintThroughInterpolatedStrings() {
  var str11 = sourceNSString()
  var outBuffer = (nil as UnsafeMutablePointer<CChar>?)!
  if (str11.getFileSystemRepresentation(outBuffer, maxLength: 256)) {
-    sink(arg: outBuffer) // $ MISSING: tainted=
+    sink(arg: outBuffer) // $ tainted=374
    sink(arg: outBuffer.pointee) // $ MISSING: tainted=
  }

--- a/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
@@ -96,6 +96,6 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {

  taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value

-  sink(arg: ptr.pointee) // $ tainted=87
+  sink(arg: ptr.pointee) // $ MISSING: tainted=87
  sink(arg: ptr)
 }