Swift: Model update(repeating:), to support the tests.

2026-04-26 17:25:19 +02:00 · 2023-07-26 15:18:23 +01:00
parent 315cb32f6c
commit 49d1556c29
2 changed files with 16 additions and 6 deletions
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
@@ -4,6 +4,7 @@
 */

 import swift
+private import codeql.swift.dataflow.ExternalFlow

 /**
 * A Swift unsafe typed pointer type such as `UnsafePointer`,
@@ -57,3 +58,12 @@ class CVaListPointerType extends NominalType {
 class ManagedBufferPointerType extends BoundGenericType {
  ManagedBufferPointerType() { this.getName().matches("ManagedBufferPointer<%") }
 }
+
+/**
+ * A model for `UnsafePointer` and related Swift class members that permit taint flow.
+ */
+private class PointerSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";UnsafeMutableBufferPointer;true;update(repeating:);;;Argument[0];Argument[-1];taint"
+  }
+}
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/int.swift
@@ -45,8 +45,8 @@ func taintThroughMutablePointer() {
  let return1 = myArray1.withUnsafeMutableBufferPointer({
    buffer in
    buffer.update(repeating: source())
-    sink(arg: buffer)
-    sink(arg: buffer[0]) // $ MISSING: tainted=47
+    sink(arg: buffer) // $ tainted=47
+    sink(arg: buffer[0]) // $ tainted=47
    sink(arg: buffer.baseAddress!.pointee) // $ MISSING: tainted=47
    return source()
  })
@@ -81,8 +81,8 @@ func taintThroughMutablePointer() {
  let return3 = myArray3.withContiguousMutableStorageIfAvailable({
    ptr in
    ptr.update(repeating: source())
-    sink(arg: ptr)
-    sink(arg: ptr[0]) // $ MISSING: tainted=83
+    sink(arg: ptr) // $ tainted=83
+    sink(arg: ptr[0]) // $ tainted=83
    return source()
  })
  sink(arg: return3!) // $ MISSING: tainted=83
@@ -129,8 +129,8 @@ func taintThroughMutablePointer() {
  let return6 = myMutableBuffer.withContiguousMutableStorageIfAvailable({
    ptr in
    ptr.update(repeating: source2())
-    sink(arg: ptr)
-    sink(arg: ptr[0]) // $ MISSING: tainted=131
+    sink(arg: ptr) // $ tainted=131
+    sink(arg: ptr[0]) // $ tainted=131
    return source()
  })
  sink(arg: return6!) // $ MISSING: tainted=134