Merge branch 'main' into redsun82/gen-file-docs

swift/ql/lib/codeql/swift/controlflow/internal/ControlFlowGraphImpl.qll

@@ -1417,6 +1417,15 @@ module Exprs {
     }
   }
 
+  /** Control-flow for a `SingleValueStmtExpr`. See the QLDoc for `SingleValueStmtExpr` for the semantics of a `SingleValueStmtExpr`. */
+  private class SingleValueStmtExprTree extends AstStandardPostOrderTree {
+    override SingleValueStmtExpr ast;
+
+    final override ControlFlowElement getChildElement(int i) {
+      i = 0 and result.asAstNode() = ast.getStmt()
+    }
+  }
+
   private class OpaqueValueExprTree extends AstLeafTree {
     override OpaqueValueExpr ast;
   }

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -1075,12 +1075,12 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     c.isSingleton(any(Content::CollectionContent ac))
   )
   or
-  // array assignment `a[n] = x`
+  // subscript assignment `a[n] = x`
   exists(AssignExpr assign, SubscriptExpr subscript |
     node1.asExpr() = assign.getSource() and
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = subscript.getBase() and
     subscript = assign.getDest() and
-    subscript.getBase().getType() instanceof ArrayType and
+    not any(DictionarySubscriptNode n).getExpr() = subscript and
     c.isSingleton(any(Content::CollectionContent ac))
   )
   or

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll

@@ -32,8 +32,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs)
   // So when the node is a `PostUpdateNode` we allow any sequence of implicit read steps of an appropriate
   // type to make sure we arrive at the sink with an empty access path.
   exists(NominalTypeDecl d, Decl cx |
-    node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getType().getUnderlyingType() =
-      d.getType().getABaseType*() and
+    node.(DataFlow::PostUpdateNode)
+        .getPreUpdateNode()
+        .asExpr()
+        .getType()
+        .getUnderlyingType()
+        .getABaseType*() = d.getType() and
     cx.asNominalTypeDecl() = d and
     cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
   )

swift/ql/lib/codeql/swift/elements.qll

@@ -164,6 +164,7 @@ import codeql.swift.elements.expr.ProtocolMetatypeToObjectExpr
 import codeql.swift.elements.expr.RebindSelfInInitializerExpr
 import codeql.swift.elements.expr.RegexLiteralExpr
 import codeql.swift.elements.expr.SequenceExpr
+import codeql.swift.elements.expr.SingleValueStmtExpr
 import codeql.swift.elements.expr.StringLiteralExpr
 import codeql.swift.elements.expr.StringToPointerExpr
 import codeql.swift.elements.expr.SubscriptExpr

swift/ql/lib/codeql/swift/elements/expr/SingleValueStmtExpr.qll

@@ -0,0 +1,8 @@
+// generated by codegen/codegen.py, remove this comment if you wish to edit this file
+/**
+ * This module provides a hand-modifiable wrapper around the generated class `SingleValueStmtExpr`.
+ */
+
+private import codeql.swift.generated.expr.SingleValueStmtExpr
+
+class SingleValueStmtExpr extends Generated::SingleValueStmtExpr { }

swift/ql/lib/codeql/swift/elements/expr/SingleValueStmtExprConstructor.qll

@@ -0,0 +1,14 @@
+// generated by codegen/codegen.py, remove this comment if you wish to edit this file
+/**
+ *  This module defines the hook used internally to tweak the characteristic predicate of
+ *  `SingleValueStmtExpr` synthesized instances.
+ *  INTERNAL: Do not use.
+ */
+
+private import codeql.swift.generated.Raw
+
+/**
+ *  The characteristic predicate of `SingleValueStmtExpr` synthesized instances.
+ *  INTERNAL: Do not use.
+ */
+predicate constructSingleValueStmtExpr(Raw::SingleValueStmtExpr id) { any() }

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Data.qll

@@ -45,9 +45,6 @@ private class DataSummaries extends SummaryModelCsv {
         ";Data;true;shuffled(using:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;trimmingPrefix(_:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;trimmingPrefix(while:);;;Argument[-1];ReturnValue;taint",
-        ";Data;true;withUnsafeBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
-        ";Data;true;withUnsafeBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
-        ";Data;true;withUnsafeBytes(_:);;;Argument[0].ReturnValue;ReturnValue;value",
         ";Data;true;withUnsafeMutableBytes(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
         ";Data;true;withUnsafeMutableBytes(_:);;;Argument[-1].CollectionElement;Argument[0].Parameter[0].CollectionElement;taint",
         ";Data;true;withUnsafeMutableBytes(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1].CollectionElement;value",

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/FilePath.qll

@@ -31,8 +31,10 @@ private class FilePathSummaries extends SummaryModelCsv {
         ";FilePath;true;init(root:_:);;;Argument[0..1];ReturnValue;taint",
         ";FilePath;true;init(root:components:);;;Argument[0..1];ReturnValue;taint",
         ";FilePath;true;encode(to:);;;Argument[-1];Argument[0];taint",
-        ";FilePath;true;withCString(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
-        ";FilePath;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";FilePath;true;withCString(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";FilePath;true;withCString(_:);;;Argument[0].ReturnValue;ReturnValue;taint",
+        ";FilePath;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";FilePath;true;withPlatformString(_:);;;Argument[0].ReturnValue;ReturnValue;taint",
         ";FilePath;true;append(_:);;;Argument[0];Argument[-1];taint",
         ";FilePath;true;appending(_:);;;Argument[-1..0];ReturnValue;taint",
         ";FilePath;true;lexicallyNormalized();;;Argument[-1];ReturnValue;taint",

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsString.qll

@@ -83,7 +83,7 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;lowercased(with:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;uppercased(with:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;capitalized(with:);;;Argument[-1];ReturnValue;taint",
-        ";NSString;true;components(separatedBy:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;components(separatedBy:);;;Argument[-1];ReturnValue.CollectionElement;taint",
         ";NSString;true;trimmingCharacters(in:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;substring(from:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;substring(with:);;;Argument[-1];ReturnValue;taint",
@@ -102,14 +102,15 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;stringEncoding(for:encodingOptions:convertedString:usedLossyCompression:);;;Argument[0];Argument[2];taint",
         ";NSString;true;data(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;data(using:allowLossyConversion:);;;Argument[-1];ReturnValue;taint",
-        ";NSString;true;path(withComponents:);;;Argument[0];ReturnValue;taint",
+        ";NSString;true;path(withComponents:);;;Argument[0].CollectionElement;ReturnValue;taint",
         ";NSString;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[0];taint",
         ";NSString;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[2];taint",
         ";NSString;true;getFileSystemRepresentation(_:maxLength:);;;Argument[-1];Argument[0];taint",
         ";NSString;true;appendingPathComponent(_:);;;Argument[-1..0];ReturnValue;taint",
         ";NSString;true;appendingPathComponent(_:conformingTo:);;;Argument[-1..0];ReturnValue;taint",
         ";NSString;true;appendingPathExtension(_:);;;Argument[-1..0];ReturnValue;taint",
-        ";NSString;true;strings(byAppendingPaths:);;;Argument[-1..0];ReturnValue;taint",
+        ";NSString;true;strings(byAppendingPaths:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;strings(byAppendingPaths:);;;Argument[0].CollectionElement;ReturnValue;taint",
         ";NSString;true;addingPercentEncoding(withAllowedCharacters:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;string(withCString:);;;Argument[0];ReturnValue;taint",
         ";NSString;true;string(withCString:length:);;;Argument[0];ReturnValue;taint",
@@ -118,6 +119,10 @@ private class NsStringSummaries extends SummaryModelCsv {
         ";NSString;true;addingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;replacingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
         ";NSString;true;applyTransform(_:reverse:range:updatedRange:);;;Argument[-1];ReturnValue;taint",
+        ";NSString;true;enumerateLines(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";NSString;true;enumerateSubstrings(in:options:using:);;;Argument[-1];Argument[2].Parameter[0].OptionalSome;taint",
+        ";NSString;true;enumerateSubstrings(in:options:using:);;;Argument[2].Parameter[0].OptionalSome;Argument[-1];taint",
+        ";NSString;true;enumerateLinguisticTags(in:scheme:options:orthography:using:);;;Argument[-1];Argument[4].Parameter[0].OptionalSome;taint",
         ";NSMutableString;true;append(_:);;;Argument[0];Argument[-1];taint",
         ";NSMutableString;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
         ";NSMutableString;true;replaceCharacters(in:with:);;;Argument[1];Argument[-1];taint",

swift/ql/lib/codeql/swift/generated/ParentChild.qll

@@ -1749,6 +1749,24 @@ private module Impl {
     )
   }
 
+  private Element getImmediateChildOfSingleValueStmtExpr(
+    SingleValueStmtExpr e, int index, string partialPredicateCall
+  ) {
+    exists(int b, int bExpr, int n, int nStmt |
+      b = 0 and
+      bExpr = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfExpr(e, i, _)) | i) and
+      n = bExpr and
+      nStmt = n + 1 and
+      (
+        none()
+        or
+        result = getImmediateChildOfExpr(e, index - b, partialPredicateCall)
+        or
+        index = n and result = e.getStmt() and partialPredicateCall = "Stmt()"
+      )
+    )
+  }
+
   private Element getImmediateChildOfSuperRefExpr(
     SuperRefExpr e, int index, string partialPredicateCall
   ) {
@@ -4981,6 +4999,8 @@ private module Impl {
     or
     result = getImmediateChildOfSequenceExpr(e, index, partialAccessor)
     or
+    result = getImmediateChildOfSingleValueStmtExpr(e, index, partialAccessor)
+    or
     result = getImmediateChildOfSuperRefExpr(e, index, partialAccessor)
     or
     result = getImmediateChildOfTapExpr(e, index, partialAccessor)

swift/ql/lib/codeql/swift/generated/Raw.qll

@@ -1571,6 +1571,19 @@ module Raw {
     Expr getElement(int index) { sequence_expr_elements(this, index, result) }
   }
 
+  /**
+   * INTERNAL: Do not use.
+   * An expression that wraps a statement which produces a single value.
+   */
+  class SingleValueStmtExpr extends @single_value_stmt_expr, Expr {
+    override string toString() { result = "SingleValueStmtExpr" }
+
+    /**
+     * Gets the statement of this single value statement expression.
+     */
+    Stmt getStmt() { single_value_stmt_exprs(this, result) }
+  }
+
   /**
    * INTERNAL: Do not use.
    */

swift/ql/lib/codeql/swift/generated/Synth.qll

@@ -579,6 +579,10 @@ module Synth {
      * INTERNAL: Do not use.
      */
     TSequenceExpr(Raw::SequenceExpr id) { constructSequenceExpr(id) } or
+    /**
+     * INTERNAL: Do not use.
+     */
+    TSingleValueStmtExpr(Raw::SingleValueStmtExpr id) { constructSingleValueStmtExpr(id) } or
     /**
      * INTERNAL: Do not use.
      */
@@ -1172,8 +1176,8 @@ module Synth {
         TOneWayExpr or TOpaqueValueExpr or TOpenExistentialExpr or TOptionalEvaluationExpr or
         TOtherInitializerRefExpr or TOverloadedDeclRefExpr or
         TPropertyWrapperValuePlaceholderExpr or TRebindSelfInInitializerExpr or TSequenceExpr or
-        TSuperRefExpr or TTapExpr or TTupleElementExpr or TTupleExpr or TTypeExpr or
-        TUnresolvedDeclRefExpr or TUnresolvedDotExpr or TUnresolvedMemberExpr or
+        TSingleValueStmtExpr or TSuperRefExpr or TTapExpr or TTupleElementExpr or TTupleExpr or
+        TTypeExpr or TUnresolvedDeclRefExpr or TUnresolvedDotExpr or TUnresolvedMemberExpr or
         TUnresolvedPatternExpr or TUnresolvedSpecializeExpr or TVarargExpansionExpr;
 
   /**
@@ -2373,6 +2377,15 @@ module Synth {
   cached
   TSequenceExpr convertSequenceExprFromRaw(Raw::Element e) { result = TSequenceExpr(e) }
 
+  /**
+   * INTERNAL: Do not use.
+   * Converts a raw element to a synthesized `TSingleValueStmtExpr`, if possible.
+   */
+  cached
+  TSingleValueStmtExpr convertSingleValueStmtExprFromRaw(Raw::Element e) {
+    result = TSingleValueStmtExpr(e)
+  }
+
   /**
    * INTERNAL: Do not use.
    * Converts a raw element to a synthesized `TStringLiteralExpr`, if possible.
@@ -3656,6 +3669,8 @@ module Synth {
     or
     result = convertSequenceExprFromRaw(e)
     or
+    result = convertSingleValueStmtExprFromRaw(e)
+    or
     result = convertSuperRefExprFromRaw(e)
     or
     result = convertTapExprFromRaw(e)
@@ -5178,6 +5193,15 @@ module Synth {
   cached
   Raw::Element convertSequenceExprToRaw(TSequenceExpr e) { e = TSequenceExpr(result) }
 
+  /**
+   * INTERNAL: Do not use.
+   * Converts a synthesized `TSingleValueStmtExpr` to a raw DB element, if possible.
+   */
+  cached
+  Raw::Element convertSingleValueStmtExprToRaw(TSingleValueStmtExpr e) {
+    e = TSingleValueStmtExpr(result)
+  }
+
   /**
    * INTERNAL: Do not use.
    * Converts a synthesized `TStringLiteralExpr` to a raw DB element, if possible.
@@ -6461,6 +6485,8 @@ module Synth {
     or
     result = convertSequenceExprToRaw(e)
     or
+    result = convertSingleValueStmtExprToRaw(e)
+    or
     result = convertSuperRefExprToRaw(e)
     or
     result = convertTapExprToRaw(e)

swift/ql/lib/codeql/swift/generated/SynthConstructors.qll

@@ -131,6 +131,7 @@ import codeql.swift.elements.expr.ProtocolMetatypeToObjectExprConstructor
 import codeql.swift.elements.expr.RebindSelfInInitializerExprConstructor
 import codeql.swift.elements.expr.RegexLiteralExprConstructor
 import codeql.swift.elements.expr.SequenceExprConstructor
+import codeql.swift.elements.expr.SingleValueStmtExprConstructor
 import codeql.swift.elements.expr.StringLiteralExprConstructor
 import codeql.swift.elements.expr.StringToPointerExprConstructor
 import codeql.swift.elements.expr.SubscriptExprConstructor

swift/ql/lib/codeql/swift/generated/expr/SingleValueStmtExpr.qll

@@ -0,0 +1,31 @@
+// generated by codegen/codegen.py
+/**
+ * This module provides the generated definition of `SingleValueStmtExpr`.
+ * INTERNAL: Do not import directly.
+ */
+
+private import codeql.swift.generated.Synth
+private import codeql.swift.generated.Raw
+import codeql.swift.elements.expr.Expr
+import codeql.swift.elements.stmt.Stmt
+
+module Generated {
+  /**
+   * An expression that wraps a statement which produces a single value.
+   * INTERNAL: Do not reference the `Generated::SingleValueStmtExpr` class directly.
+   * Use the subclass `SingleValueStmtExpr`, where the following predicates are available.
+   */
+  class SingleValueStmtExpr extends Synth::TSingleValueStmtExpr, Expr {
+    override string getAPrimaryQlClass() { result = "SingleValueStmtExpr" }
+
+    /**
+     * Gets the statement of this single value statement expression.
+     */
+    Stmt getStmt() {
+      result =
+        Synth::convertStmtFromRaw(Synth::convertSingleValueStmtExprToRaw(this)
+              .(Raw::SingleValueStmtExpr)
+              .getStmt())
+    }
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -57,6 +57,26 @@ private class CoreDataStore extends CleartextStorageDatabaseSink {
   }
 }
 
+/**
+ * The Realm database `RealmSwiftObject` type. Also matches the Realm `Object`
+ * type, which may or may not be a type alias for `RealmSwiftObject`.
+ */
+class RealmSwiftObject extends Type {
+  RealmSwiftObject() {
+    this.getName() = "RealmSwiftObject"
+    or
+    this.getName() = "Object" and
+    this.(NominalType).getDeclaration().getModule().getName() = "RealmSwift"
+  }
+}
+
+/**
+ * A class that inherits from `RealmSwiftObject`.
+ */
+class RealmSwiftObjectType extends Type {
+  RealmSwiftObjectType() { this.getUnderlyingType().getABaseType*() instanceof RealmSwiftObject }
+}
+
 /**
  * A `DataFlow::Node` that is an expression stored with the Realm database
  * library.
@@ -66,10 +86,9 @@ private class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlo
     // any write into a class derived from `RealmSwiftObject` is a sink. For
     // example in `realmObj.data = sensitive` the post-update node corresponding
     // with `realmObj.data` is a sink.
-    exists(NominalType t, Expr e |
-      t.getUnderlyingType().getABaseType*().getName() = "RealmSwiftObject" and
+    exists(Expr e |
       this.getPreUpdateNode().asExpr() = e and
-      e.getFullyConverted().getType() = t and
+      e.getFullyConverted().getType() instanceof RealmSwiftObjectType and
       not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
     )
   }

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -34,8 +34,10 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
     // for example in `realmObj.data = sensitive`.
     isSink(node) and
     exists(NominalTypeDecl d, Decl cx |
-      d.getType().getUnderlyingType().getABaseType*().getName() =
-        ["NSManagedObject", "RealmSwiftObject"] and
+      (
+        d.getType().getUnderlyingType().getABaseType*().getName() = "NSManagedObject" or
+        d.getType() instanceof RealmSwiftObjectType
+      ) and
       cx.asNominalTypeDecl() = d and
       c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
     )