Swift: Update the taint aspect of the flowsources test to use sinks like the regular taint test.

2026-04-26 01:05:15 +02:00 · 2023-07-24 19:17:51 +01:00
parent 05cb429635
commit 374c157afe
2 changed files with 33 additions and 29 deletions
--- a/swift/ql/test/library-tests/dataflow/flowsources/FlowSourcesInline.ql
+++ b/swift/ql/test/library-tests/dataflow/flowsources/FlowSourcesInline.ql
@@ -4,13 +4,18 @@ import FlowConfig
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.DataFlow

-module TaintReachConfiguration implements DataFlow::ConfigSig {
+module TestConfiguration implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof FlowSource }

-  predicate isSink(DataFlow::Node sink) { any() }
+  predicate isSink(DataFlow::Node sink) {
+    exists(CallExpr sinkCall |
+      sinkCall.getStaticTarget().getName().matches("sink%") and
+      sinkCall.getAnArgument().getExpr() = sink.asExpr()
+    )
+  }
 }

-module TaintReachFlow = TaintTracking::Global<TaintReachConfiguration>;
+module TestFlow = TaintTracking::Global<TestConfiguration>;

 string describe(FlowSource source) {
  source instanceof RemoteFlowSource and result = "remote"
@@ -29,16 +34,13 @@ module FlowSourcesTest implements TestSig {
      tag = "source" and
      value = describe(source)
    )
-  }
-
-  predicate hasOptionalResult(Location location, string element, string tag, string value) {
-    // this is not really what the "flowsources" test is about, but sometimes it's helpful to
-    // confirm that taint reaches certain obvious points in the flow source test code.
-    exists(DataFlow::Node n |
-      TaintReachFlow::flowTo(n) and
-      location = n.getLocation() and
-      location.getFile().getBaseName() != "" and
-      element = n.toString() and
+    or
+    exists(DataFlow::Node source, DataFlow::Node sink |
+      // this is not really what the "flowsources" test is about, but sometimes it's helpful to
+      // have sinks and confirm that taint reaches obvious points in the flow source test code.
+      TestFlow::flow(source, sink) and
+      location = sink.getLocation() and
+      element = sink.toString() and
      tag = "tainted" and
      value = ""
    )
--- a/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift
+++ b/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift
@@ -62,6 +62,8 @@ protocol UISceneDelegate {
    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>)
 }

+func sink(arg: Any) {}
+
 // --- tests ---

 class AppDelegate: UIApplicationDelegate {
@@ -92,35 +94,35 @@ class SceneDelegate : UISceneDelegate {
    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
      for userActivity in options.userActivities {
        let x = userActivity.webpageURL
-        x // $ MISSING: tainted
+        sink(arg: x) // $ MISSING: tainted
        let y = userActivity.referrerURL
-        y // $ MISSING: tainted
+        sink(arg: y) // $ MISSING: tainted
      }

      for urlContext in options.urlContexts {
        let z = urlContext.url
-        z // $ MISSING: tainted
+        sink(arg: z) // $ MISSING: tainted
      }
    }

    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
      let x = `continue`.webpageURL
-      x // $ tainted
+      sink(arg: x) // $ tainted
      let y = `continue`.referrerURL
-      y // $ tainted
+      sink(arg: y) // $ tainted
    }

    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
      let x = didUpdate.webpageURL
-      x // $ tainted
+      sink(arg: x) // $ tainted
      let y = didUpdate.referrerURL
-      y // $ tainted
+      sink(arg: y) // $ tainted
    }

    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
      for openURLContext in openURLContexts {
        let x = openURLContext.url
-        x // $ MISSING: tainted
+        sink(arg: x) // $ MISSING: tainted
      }
    }
 }
@@ -131,35 +133,35 @@ extension Extended : UISceneDelegate {
    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
      for userActivity in options.userActivities {
        let x = userActivity.webpageURL
-        x // $ MISSING: tainted
+        sink(arg: x) // $ MISSING: tainted
        let y = userActivity.referrerURL
-        y // $ MISSING: tainted
+        sink(arg: y) // $ MISSING: tainted
      }

      for urlContext in options.urlContexts {
        let z = urlContext.url
-        z // $ MISSING: tainted
+        sink(arg: z) // $ MISSING: tainted
      }
    }

    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
      let x = `continue`.webpageURL
-      x // $ tainted
+      sink(arg: x) // $ tainted
      let y = `continue`.referrerURL
-      y // $ tainted
+      sink(arg: y) // $ tainted
    }

    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
      let x = didUpdate.webpageURL
-      x // $ tainted
+      sink(arg: x) // $ tainted
      let y = didUpdate.referrerURL
-      y // $ tainted
+      sink(arg: y) // $ tainted
    }

    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
      for openURLContext in openURLContexts {
        let x = openURLContext.url
-        x // $ MISSING: tainted
+        sink(arg: x) // $ MISSING: tainted
      }
    }
 }