Swift: Add some more test cases, including handling return propagation.

2026-04-26 17:25:19 +02:00 · 2023-07-21 13:24:48 +01:00
parent 7c0c820684
commit 52e84ba12b
2 changed files with 50 additions and 1 deletions
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll
@@ -25,7 +25,7 @@ private class SequenceSummaries extends SummaryModelCsv {
        ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
        ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
        ";Sequence;true;first(where:);;;Argument[-1];ReturnValue;taint",
-        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint",
+        ";Sequence;true;withContiguousStorageIfAvailable(_:);;;Argument[-1];Argument[0].Parameter[0];taint"
      ]
  }
 }
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -599,3 +599,52 @@ func untaintedFields() {
  sink(arg: String.defaultCStringEncoding)
  sink(arg: tainted.isContiguousUTF8)
 }
+
+func callbackWithCleanPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr)
+
+  return 0
+}
+
+func callbackWithTaintedPointer(ptr: UnsafeBufferPointer<String.Element>) throws -> Int {
+  sink(arg: ptr) // $ tainted=617
+
+  return source()
+}
+
+func furtherTaintThroughCallbacks() {
+  let clean = ""
+  let tainted = source2()
+
+  // return values from the closure (1)
+  let result1 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  })
+  sink(arg: result1!)
+  let result2 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  })
+  sink(arg: result2!) // $ MISSING: tainted=627
+
+  // return values from the closure (2)
+  if let result3 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return 0
+  }) {
+    sink(arg: result3)
+  }
+  if let result4 = clean.withContiguousStorageIfAvailable({
+    ptr in
+    return source()
+  }) {
+    sink(arg: result4) // $ MISSING: tainted=640
+  }
+
+  // using a non-closure function
+  let result5 = try? clean.withContiguousStorageIfAvailable(callbackWithCleanPointer)
+  sink(arg: result5!)
+  let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
+  sink(arg: result6!) // $ MISSING: tainted=612
+}