Merge pull request #15052 from geoffw0/pointermodels

Swift: Expand models for UnsafePointer and friends
Geoffrey White
2023-12-14 14:46:48 +00:00
committed by GitHub
7 changed files with 240 additions and 7 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Expanded flow models for `UnsafePointer` and similar classes.


@@ -4,7 +4,9 @@
*/
import swift
private import codeql.swift.dataflow.DataFlow
private import codeql.swift.dataflow.ExternalFlow
private import codeql.swift.dataflow.FlowSteps
/**
* A Swift unsafe typed pointer type such as `UnsafePointer`,
@@ -69,41 +71,162 @@ private class PointerSummaries extends SummaryModelCsv {
";UnsafePointer;true;withMemoryRebound(to:capacity:_:);;;Argument[-1].CollectionElement;Argument[2].Parameter[0].CollectionElement;taint",
";UnsafePointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].ReturnValue;ReturnValue;value",
// ---
";UnsafeMutablePointer;true;init(mutating:);;;Argument[0];ReturnValue;taint",
";UnsafeMutablePointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutablePointer;true;init(_:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.CollectionElement;value",
";UnsafeMutablePointer;true;init(mutating:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutablePointer;true;init(mutating:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.CollectionElement;value",
";UnsafeMutablePointer;true;assign(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;assign(repeating:count:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;initialize(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;initialize(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;initialize(repeating:count:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;initialize(to:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;initialize(to:count:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;move();;;Argument[-1].CollectionElement;ReturnValue;value",
";UnsafeMutablePointer;true;moveAssign(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;moveInitialize(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;moveUpdate(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;update(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;update(repeating:count:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutablePointer;true;withMemoryRebound(to:capacity:_:);;;Argument[-1].CollectionElement;Argument[2].Parameter[0].CollectionElement;taint",
";UnsafeMutablePointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutablePointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].ReturnValue;ReturnValue;value",
// ---
";UnsafeBufferPointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeBufferPointer;true;init(rebasing:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeBufferPointer;true;init(start:count:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeBufferPointer;true;withMemoryRebound(to:_:);;;Argument[-1].CollectionElement;Argument[1].Parameter[0].CollectionElement;taint",
";UnsafeBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].ReturnValue;ReturnValue;value",
// ---
";UnsafeMutableBufferPointer;true;init(mutating:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableBufferPointer;true;init(rebasing:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableBufferPointer;true;init(start:count:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableBufferPointer;true;assign(repeating:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;initialize(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;initialize(from:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;initialize(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;initialize(repeating:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;initializeElement(at:to:);;;Argument[1];Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;moveElement(from:);;;Argument[-1].CollectionElement;ReturnValue;value",
";UnsafeMutableBufferPointer;true;moveInitialize(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;moveUpdate(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;update(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;update(from:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;update(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1].CollectionElement;value",
";UnsafeMutableBufferPointer;true;withMemoryRebound(to:_:);;;Argument[-1].CollectionElement;Argument[1].Parameter[0].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].ReturnValue;ReturnValue;value",
// ---
";UnsafeRawPointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeRawPointer;true;init(_:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.CollectionElement;value",
";UnsafeRawPointer;true;alignedDown(for:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawPointer;true;alignedDown(toMultipleOf:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawPointer;true;alignedUp(for:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawPointer;true;alignedUp(toMultipleOf:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawPointer;true;load(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeRawPointer;true;loadUnaligned(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeRawPointer;true;withMemoryRebound(to:capacity:_:);;;Argument[-1].CollectionElement;Argument[2].Parameter[0].CollectionElement;taint",
";UnsafeRawPointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].ReturnValue;ReturnValue;value",
";UnsafeRawPointer;true;assumingMemoryBound(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawPointer;true;bindMemory(to:capacity:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
// ---
";UnsafeMutableRawPointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableRawPointer;true;init(_:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.CollectionElement;value",
";UnsafeMutableRawPointer;true;init(mutating:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableRawPointer;true;init(mutating:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.OptionalSome.CollectionElement;value",
";UnsafeMutableRawPointer;true;alignedDown(for:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;alignedDown(toMultipleOf:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;alignedUp(for:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;alignedUp(toMultipleOf:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;copyBytes(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;copyMemory(from:count:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:at:count:to:);;;Argument[3];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:at:count:to:);;;Argument[3];ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:from:count:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:from:count:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:repeating:count:);;;Argument[1];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:repeating:count:);;;Argument[1];ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:to:);;;Argument[1];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;initializeMemory(as:to:);;;Argument[1];ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;load(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeMutableRawPointer;true;loadUnaligned(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeMutableRawPointer;true;moveInitializeMemory(as:from:count:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;moveInitializeMemory(as:from:count:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;storeBytes(of:toByteOffset:as:);;;Argument[0];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;withMemoryRebound(to:capacity:_:);;;Argument[-1].CollectionElement;Argument[2].Parameter[0].CollectionElement;taint",
";UnsafeMutableRawPointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawPointer;true;withMemoryRebound(to:capacity:_:);;;Argument[2].ReturnValue;ReturnValue;value",
";UnsafeMutableRawPointer;true;assumingMemoryBound(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawPointer;true;bindMemory(to:capacity:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
// ---
";UnsafeRawBufferPointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeRawBufferPointer;true;init(rebasing:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeRawBufferPointer;true;init(start:count:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawBufferPointer;true;load(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeRawBufferPointer;true;loadUnaligned(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeRawBufferPointer;true;withMemoryRebound(to:_:);;;Argument[-1].CollectionElement;Argument[1].Parameter[0].CollectionElement;taint",
";UnsafeRawBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].ReturnValue;ReturnValue;value",
";UnsafeRawBufferPointer;true;assumingMemoryBound(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeRawBufferPointer;true;bindMemory(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
// ---
";UnsafeMutableRawBufferPointer;true;init(_:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableRawBufferPointer;true;init(mutating:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableRawBufferPointer;true;init(rebasing:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";UnsafeMutableRawBufferPointer;true;init(start:count:);;;Argument[0].OptionalSome.CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;copyBytes(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableRawBufferPointer;true;copyMemory(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;ReturnValue.TupleElement[0,1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;ReturnValue.TupleElement[0,1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:repeating:);;;Argument[1];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;initializeMemory(as:repeating:);;;Argument[1];ReturnValue.TupleElement[0,1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;load(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeMutableRawBufferPointer;true;loadUnaligned(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";UnsafeMutableRawBufferPointer;true;moveInitializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;moveInitializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;storeBytes(of:toByteOffset:as:);;;Argument[0];Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;withMemoryRebound(to:_:);;;Argument[-1].CollectionElement;Argument[1].Parameter[0].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;withMemoryRebound(to:_:);;;Argument[1].ReturnValue;ReturnValue;value",
";UnsafeMutableRawBufferPointer;true;assumingMemoryBound(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
";UnsafeMutableRawBufferPointer;true;bindMemory(to:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;taint",
// ---
";Slice;true;init(base:bounds:);;;Argument[0].CollectionElement;ReturnValue.CollectionElement;value",
";Slice;true;copyBytes(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;initialize(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;initialize(from:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0,1].CollectionElement;taint",
";Slice;true;initialize(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;initialize(repeating:);;;Argument[0];Argument[-1].CollectionElement;value",
";Slice;true;initializeElement(at:to:);;;Argument[1];Argument[-1].CollectionElement;value",
";Slice;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;initializeMemory(as:from:);;;Argument[1].CollectionElement;ReturnValue.TupleElement[0,1].CollectionElement;taint",
";Slice;true;initializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;initializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";Slice;true;initializeMemory(as:repeating:);;;Argument[1];Argument[-1].CollectionElement;taint",
";Slice;true;initializeMemory(as:repeating:);;;Argument[1];ReturnValue.CollectionElement;taint",
";Slice;true;insert(_:at:);;;Argument[0];Argument[-1].CollectionElement;value",
";Slice;true;insert(contentsOf:at:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;load(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";Slice;true;loadUnaligned(fromByteOffset:as:);;;Argument[-1].CollectionElement;ReturnValue;taint",
";Slice;true;moveElement(from:);;;Argument[-1].CollectionElement;ReturnValue;value",
";Slice;true;moveInitialize(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;moveInitializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;moveInitializeMemory(as:fromContentsOf:);;;Argument[1].CollectionElement;ReturnValue.CollectionElement;taint",
";Slice;true;moveUpdate(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;remove(at:);;;Argument[-1].CollectionElement;ReturnValue;value",
";Slice;true;replaceSubrange(_:with:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;storeBytes(of:toByteOffset:as:);;;Argument[0];Argument[-1].CollectionElement;taint",
";Slice;true;update(from:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;update(from:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0].CollectionElement;taint",
";Slice;true;update(fromContentsOf:);;;Argument[0].CollectionElement;Argument[-1].CollectionElement;value",
";Slice;true;update(repeating:);;;Argument[0];Argument[-1].CollectionElement;value",
";Slice;true;withContiguousMutableStorageIfAvailable(to:_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
";Slice;true;withContiguousMutableStorageIfAvailable(to:_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;withContiguousMutableStorageIfAvailable(to:_:);;;Argument[0].ReturnValue;ReturnValue;value",
";Slice;true;withMemoryRebound(to:_:);;;Argument[-1].CollectionElement;Argument[1].Parameter[0].CollectionElement;taint",
";Slice;true;withMemoryRebound(to:_:);;;Argument[1].Parameter[0].CollectionElement;Argument[-1].CollectionElement;taint",
";Slice;true;withMemoryRebound(to:_:);;;Argument[1].ReturnValue;ReturnValue;value",


@@ -106,8 +106,8 @@ func taintThroughMutablePointer() {
sink(arg: ptr5) // $ tainted=array5write
sink(arg: ptr5[0]) // $ tainted=array5write
ptr4.copyBytes(from: ptr5)
sink(arg: ptr4)
sink(arg: ptr4[0]) // $ MISSING: tainted=array5write
sink(arg: ptr4) // $ tainted=array5write
sink(arg: ptr4[0]) // $ tainted=array5write
return source("return5")
})
sink(arg: return5) // $ tainted=return5


@@ -464,11 +464,11 @@ func taintFromUInt8Array() {
sink(arg: buffer[0])
sink(arg: taintedUInt8Values[0]) // $ tainted=450
let _ = buffer.initialize(from: taintedUInt8Values)
sink(arg: buffer[0]) // $ MISSING: tainted=450
sink(arg: buffer[0]) // $ tainted=450
return 256
}
)
sink(arg: r2) // $ MISSING: tainted=450
sink(arg: r2) // $ tainted=450
let r3 = String(unsafeUninitializedCapacity: 256, initializingUTF8With: {
(buffer: UnsafeMutableBufferPointer<UInt8>) -> Int in
sink(arg: buffer[0])


@@ -203,3 +203,109 @@ func testManualMemoryManagement() {
})
sink(arg: r6) // $ tainted=r6
}
// ---
func testUnsafePointers() {
let ptr1 = UnsafeMutablePointer<Int>.allocate(capacity: 1024)
ptr1.initialize(repeating: 0, count: 1024)
sink(arg: ptr1[0])
ptr1.initialize(repeating: sourceInt("ptr1"), count: 1024)
sink(arg: ptr1[0]) // $ tainted=ptr1
let ptr2 = UnsafeMutablePointer<Int>.allocate(capacity: 1)
ptr2.initialize(to: 0)
sink(arg: ptr2.pointee)
ptr2.initialize(to: sourceInt("ptr2"))
sink(arg: ptr2.pointee) // $ MISSING: tainted=ptr2
sink(arg: ptr2.move()) // $ tainted=ptr2
let ptr3 = UnsafeMutablePointer<Int>.allocate(capacity: 1024)
ptr3.initialize(repeating: 0, count: 1024)
sink(arg: ptr3[0])
ptr3.assign(repeating: sourceInt("ptr3"), count: 1024)
sink(arg: ptr3[0]) // $ tainted=ptr3
let ptr4 = UnsafeMutablePointer<Int>.allocate(capacity: 1024)
ptr4.initialize(repeating: 0, count: 1024)
ptr4.update(from: ptr1, count: 512)
sink(arg: ptr4[0]) // $ tainted=ptr1
}
func testRawPointers() {
let raw1 = UnsafeMutableRawPointer.allocate(byteCount: 1024, alignment: 4)
raw1.initializeMemory(as: Int.self, repeating: 0, count: 1024)
sink(arg: raw1.load(fromByteOffset: 0, as: Int.self))
raw1.initializeMemory(as: Int.self, repeating: sourceInt("raw1"), count: 1024)
sink(arg: raw1.load(fromByteOffset: 0, as: Int.self)) // $ tainted=raw1
let raw2 = UnsafeMutableRawPointer.allocate(byteCount: 1024, alignment: 4)
raw2.initializeMemory(as: Int.self, repeating: 0, count: 1024)
//raw2.storeBytes(of: 0, toByteOffset: 0, as: Int.self) --- this line fails on Linux
sink(arg: raw2.load(fromByteOffset: 0, as: Int.self))
//raw2.storeBytes(of: sourceInt("raw2"), toByteOffset: 0, as: Int.self) --- this line fails on Linux
sink(arg: raw2.load(fromByteOffset: 0, as: Int.self)) // $ MISSING: tainted=raw2
let raw3 = UnsafeRawPointer(raw1)
sink(arg: raw3.load(fromByteOffset: 0, as: Int.self)) // $ tainted=raw1
let raw4 = UnsafeRawBufferPointer(start: raw3, count: MemoryLayout<Int>.size)
sink(arg: raw4[0]) // $ tainted=raw1
}
func testRawPointerConversion() {
let i1 = sourceInt("i1")
withUnsafeBytes(of: i1, {
ptr in // UnsafeRawBufferPointer
sink(arg: ptr[0]) // $ tainted=i1
let ptr2 = UnsafeRawBufferPointer(ptr)
sink(arg: ptr2[0]) // $ tainted=i1
let ptr3 = UnsafeMutableRawBufferPointer(mutating: ptr)
sink(arg: ptr3[0]) // $ tainted=i1
let ptr4 = UnsafeMutableRawBufferPointer.allocate(byteCount: 8, alignment: 0)
ptr4.copyBytes(from: ptr)
sink(arg: ptr4[0]) // $ tainted=i1
let ptr5 = UnsafeMutableRawBufferPointer.allocate(byteCount: 8, alignment: 0)
ptr5.copyMemory(from: ptr)
sink(arg: ptr5[0]) // $ tainted=i1
let i = ptr.load(fromByteOffset: 0, as: Int.self)
sink(arg: i) // $ tainted=i1
})
var i2 = sourceInt("i2")
withUnsafeMutableBytes(of: &i2, {
ptr in // UnsafeMutableRawBufferPointer
sink(arg: ptr[0]) // $ tainted=i2
let ptr2 = UnsafeRawBufferPointer(ptr)
sink(arg: ptr2[0]) // $ tainted=i2
let ptr3 = UnsafeMutableRawBufferPointer(ptr)
sink(arg: ptr3[0]) // $ tainted=i2
})
}
func testSlice() {
let buffer = UnsafeMutableBufferPointer<Int>.allocate(capacity: 1024)
buffer.initialize(repeating: 0)
sink(arg: buffer[0])
buffer[0] = sourceInt("buffer")
sink(arg: buffer[0]) // $ tainted=buffer
let slice = Slice(base: buffer, bounds: 0 ..< 10)
sink(arg: slice[0]) // $ tainted=buffer
sink(arg: slice.base[0]) // $ MISSING: tainted=buffer
let buffer2 = UnsafeMutableBufferPointer(rebasing: slice)
sink(arg: buffer2[0]) // $ tainted=buffer
let buffer3 = UnsafeMutableBufferPointer<Int>.allocate(capacity: 1024)
buffer3.initialize(repeating: 0)
sink(arg: buffer3[0])
buffer3[10 ..< 20] = buffer[0 ..< 10]
sink(arg: buffer3[0]) // $ tainted=buffer
}
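Review bot: Both `storeBytes(of:toByteOffset:as:)` calls in `testRawPointers` are commented out, so the `// $ MISSING: tainted=raw2` expectation describes a flow whose source is never created, and the `storeBytes` model rows added in this commit have no live coverage in the added tests. A reader will take the `MISSING` marker as an analysis gap rather than a disabled test. I would add a comment above the second `raw2.load` such as `// storeBytes is disabled (fails on Linux), so no "raw2" source exists here; re-enable to cover the storeBytes models`, or drop the `MISSING` annotation until the calls can be restored.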


@@ -1,2 +1,2 @@
failures
testFailures
failures


@@ -418,7 +418,7 @@ func test(buffer1: UnsafeMutablePointer<UInt8>, buffer2: UnsafeMutablePointer<UI
_ = sqlite3_open_v2(remoteString, &db, 0, nil) // $ hasPathInjection=289
sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: "myFile.sqlite3").utf8String) // GOOD
sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ hasPathInjection=289
sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ MISSING: hasPathInjection=289
// SQLite.swift