Swift: Model RawRepresentable.

2026-05-05 05:35:13 +02:00 · 2023-10-13 14:44:49 +01:00
parent 228aaee0bf
commit 4e29ed5ff0
3 changed files with 40 additions and 4 deletions
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides models the `RawRepresentable` Swift class.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `RawRepresentable` class members that permit taint flow.
+ */
+private class RawRepresentableSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint"
+  }
+}
+
+/**
+ * A content implying that, if an `RawRepresentable` is tainted, then
+ * the `rawValue` field is tainted as well.
+ */
+private class RawRepresentableFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  RawRepresentableFieldsInheritTaint() {
+    exists(FieldDecl fieldDecl, Decl declaringDecl, TypeDecl namedTypeDecl |
+      namedTypeDecl.getFullName() = "RawRepresentable" and
+      fieldDecl.getName() = "rawValue" and
+      declaringDecl.getAMember() = fieldDecl and
+      declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and
+      this.getField() = fieldDecl
+    )
+  }
+}
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
@@ -17,6 +17,7 @@ private import NsObject
 private import NsString
 private import NsUrl
 private import Numeric
+private import RawRepresentable
 private import PointerTypes
 private import Sequence
 private import Set
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/optionset.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/optionset.swift
@@ -36,11 +36,11 @@ func testRawRepresentable() {

  sink(arg: rr1)
  sink(arg: rr2)
-  sink(arg: rr3) // $ MISSING: tainted=
+  sink(arg: rr3) // $ tainted=35

  sink(arg: rr1.rawValue)
  sink(arg: rr2.rawValue)
-  sink(arg: rr3.rawValue) // $ MISSING: tainted=
+  sink(arg: rr3.rawValue) // $ tainted=35
 }

 // ---
@@ -57,10 +57,10 @@ func testOptionSet() {
 	sink(arg: MyOptionSet.red)
 	sink(arg: MyOptionSet([.red, .green]))
 	sink(arg: MyOptionSet(rawValue: 0))
-	sink(arg: MyOptionSet(rawValue: sourceUInt())) // $ MISSING: tainted=
+	sink(arg: MyOptionSet(rawValue: sourceUInt())) // $ tainted=60

 	sink(arg: MyOptionSet.red.rawValue)
 	sink(arg: MyOptionSet([.red, .green]).rawValue)
 	sink(arg: MyOptionSet(rawValue: 0).rawValue)
-	sink(arg: MyOptionSet(rawValue: sourceUInt()).rawValue) // $ MISSING: tainted=
+	sink(arg: MyOptionSet(rawValue: sourceUInt()).rawValue) // $ tainted=65
 }