From dcba1b9913d11cde35188137603d7a1a3569b7fe Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:07:27 +0100
Subject: [PATCH 1/5] Swift: Tests for Substring.

---
 .../dataflow/taint/libraries/string.swift     | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
index 5a4f6ce20c0..f0fb425fa27 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -648,3 +648,32 @@ func furtherTaintThroughCallbacks() {
   let result6 = try? tainted.withContiguousStorageIfAvailable(callbackWithTaintedPointer)
   sink(arg: result6!) // $ tainted=612
 }
+
+func testSubstringMembers() {
+  let clean = ""
+  let tainted = source2()
+
+  let sub1 = tainted[..<tainted.index(tainted.endIndex, offsetBy: -5)]
+  sink(arg: sub1) // $ tainted=654
+  sink(arg: sub1.base) // $ MISSING: tainted=
+  sink(arg: sub1.utf8) // $ MISSING: tainted=
+  sink(arg: sub1.capitalized) // $ tainted=654
+  sink(arg: sub1.description) // $ tainted=654
+
+  var sub2 = tainted[tainted.index(tainted.startIndex, offsetBy: 5)...]
+  sink(arg: sub2) // $ tainted=654
+  let result1 = sub2.withUTF8({
+    buffer in
+    sink(arg: buffer[0]) // $ MISSING: tainted=
+    return source()
+  })
+  sink(arg: result1) // $ MISSING: tainted=
+
+  let sub3 = Substring(sub2.utf8)
+  sink(arg: sub3) // $ MISSING: tainted=
+
+  var sub4 = clean.prefix(10)
+  sink(arg: sub4)
+  sub4.replaceSubrange(..<clean.endIndex, with: sub1)
+  sink(arg: sub4) // $ MISSING: tainted=
+}

From c6f2a2936bd2184ae74a628b0e98248c62e85c70 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:17:11 +0100
Subject: [PATCH 2/5] Swift: Widen the StringProtocol model.

---
 .../swift/frameworks/StandardLibrary/String.qll      | 12 ++++++------
 .../dataflow/taint/libraries/string.swift            |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
index 6a1c6ef40e6..504dce6aca5 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -138,18 +138,18 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,
   DataFlow::Content::FieldContent
 {
   StringFieldsInheritTaint() {
-    this.getField()
-        .hasQualifiedName(["String", "StringProtocol"],
+    exists(FieldDecl fieldDecl, Decl declaringDecl, TypeDecl namedTypeDecl |
+      (
+        namedTypeDecl.getFullName() = ["String", "StringProtocol"] and
+        fieldDecl.getName() =
           [
             "unicodeScalars", "utf8", "utf16", "lazy", "utf8CString", "dataValue",
             "identifierValue", "capitalized", "localizedCapitalized", "localizedLowercase",
             "localizedUppercase", "decomposedStringWithCanonicalMapping",
             "decomposedStringWithCompatibilityMapping", "precomposedStringWithCanonicalMapping",
             "precomposedStringWithCompatibilityMapping", "removingPercentEncoding"
-          ])
-    or
-    exists(FieldDecl fieldDecl, Decl declaringDecl, TypeDecl namedTypeDecl |
-      (
+          ]
+        or
         namedTypeDecl.getFullName() = "CustomStringConvertible" and
         fieldDecl.getName() = "description"
         or
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
index f0fb425fa27..1bd46f8d664 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -656,7 +656,7 @@ func testSubstringMembers() {
   let sub1 = tainted[..<tainted.index(tainted.endIndex, offsetBy: -5)]
   sink(arg: sub1) // $ tainted=654
   sink(arg: sub1.base) // $ MISSING: tainted=
-  sink(arg: sub1.utf8) // $ MISSING: tainted=
+  sink(arg: sub1.utf8) // $ tainted=654
   sink(arg: sub1.capitalized) // $ tainted=654
   sink(arg: sub1.description) // $ tainted=654
 
@@ -670,7 +670,7 @@ func testSubstringMembers() {
   sink(arg: result1) // $ MISSING: tainted=
 
   let sub3 = Substring(sub2.utf8)
-  sink(arg: sub3) // $ MISSING: tainted=
+  sink(arg: sub3) // $ tainted=654
 
   var sub4 = clean.prefix(10)
   sink(arg: sub4)

From 0bc24b8641b3d64d4a222972c745a1ae37e58ef3 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:28:30 +0100
Subject: [PATCH 3/5] Swift: Model replaceSubrange more generally.

---
 .../lib/codeql/swift/frameworks/StandardLibrary/Collection.qll  | 2 ++
 swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll | 1 -
 .../ql/test/library-tests/dataflow/taint/libraries/string.swift | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
index b10185df41c..a8cf7b1dcd1 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -36,6 +36,8 @@ private class CollectionSummaries extends SummaryModelCsv {
         ";RangeReplaceableCollection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
         ";RangeReplaceableCollection;true;removeLast();;;Argument[-1];ReturnValue;taint",
         ";RangeReplaceableCollection;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
+        ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1];Argument[-1];taint",
+        ";RangeReplaceableCollection;true;replaceSubrange(_:with:);;;Argument[1].CollectionElement;Argument[-1].CollectionElement;value",
         ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
         ";BidirectionalCollection;true;last(where:);;;Argument[-1];ReturnValue;taint",
         ";BidirectionalCollection;true;popLast();;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
index 504dce6aca5..49e3227338c 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -114,7 +114,6 @@ private class StringSummaries extends SummaryModelCsv {
         ";String;true;write(_:);;;Argument[0];Argument[-1];taint",
         ";String;true;write(to:);;;Argument[-1];Argument[0];taint",
         ";String;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",
-        ";String;true;replaceSubrange(_:with:);;;Argument[1];Argument[-1];taint",
         ";String;true;max();;;Argument[-1];ReturnValue;taint",
         ";String;true;max(by:);;;Argument[-1];ReturnValue;taint",
         ";String;true;min();;;Argument[-1];ReturnValue;taint",
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
index 1bd46f8d664..61aa7db275c 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -675,5 +675,5 @@ func testSubstringMembers() {
   var sub4 = clean.prefix(10)
   sink(arg: sub4)
   sub4.replaceSubrange(..<clean.endIndex, with: sub1)
-  sink(arg: sub4) // $ MISSING: tainted=
+  sink(arg: sub4) // $ tainted=654
 }

From 613c7b24b54c78e5ef3e6c73cebe1656a5b06b89 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:45:10 +0100
Subject: [PATCH 4/5] Swift: Model .base, withUTF8(_:).

---
 .../lib/codeql/swift/frameworks/StandardLibrary/String.qll  | 6 ++++++
 .../library-tests/dataflow/taint/libraries/string.swift     | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
index 49e3227338c..30829f2b98a 100644
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -125,6 +125,9 @@ private class StringSummaries extends SummaryModelCsv {
         ";String;true;enumerated();;;Argument[-1];ReturnValue;taint",
         ";String;true;encode(to:);;;Argument[-1];Argument[0];taint",
         ";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";Substring;true;withUTF8(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";Substring;true;withUTF8(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1];taint",
+        ";Substring;true;withUTF8(_:);;;Argument[0].ReturnValue;ReturnValue;value",
       ]
   }
 }
@@ -154,6 +157,9 @@ private class StringFieldsInheritTaint extends TaintInheritingContent,
         or
         namedTypeDecl.getFullName() = "CustomDebugStringConvertible" and
         fieldDecl.getName() = "debugDescription"
+        or
+        namedTypeDecl.getFullName() = "Substring" and
+        fieldDecl.getName() = "base"
       ) and
       declaringDecl.getAMember() = fieldDecl and
       declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
index 61aa7db275c..24d4adb53b6 100644
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -655,7 +655,7 @@ func testSubstringMembers() {
 
   let sub1 = tainted[..<tainted.index(tainted.endIndex, offsetBy: -5)]
   sink(arg: sub1) // $ tainted=654
-  sink(arg: sub1.base) // $ MISSING: tainted=
+  sink(arg: sub1.base) // $ tainted=654
   sink(arg: sub1.utf8) // $ tainted=654
   sink(arg: sub1.capitalized) // $ tainted=654
   sink(arg: sub1.description) // $ tainted=654
@@ -664,10 +664,10 @@ func testSubstringMembers() {
   sink(arg: sub2) // $ tainted=654
   let result1 = sub2.withUTF8({
     buffer in
-    sink(arg: buffer[0]) // $ MISSING: tainted=
+    sink(arg: buffer[0]) // $ tainted=654
     return source()
   })
-  sink(arg: result1) // $ MISSING: tainted=
+  sink(arg: result1) // $ tainted=668
 
   let sub3 = Substring(sub2.utf8)
   sink(arg: sub3) // $ tainted=654

From 39a6375606fe4d755482d77be9eef7f6ad297798 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 16 Oct 2023 10:02:56 +0100
Subject: [PATCH 5/5] Swift: Change note.

---
 swift/ql/lib/change-notes/2023-10-16-substring.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 swift/ql/lib/change-notes/2023-10-16-substring.md

diff --git a/swift/ql/lib/change-notes/2023-10-16-substring.md b/swift/ql/lib/change-notes/2023-10-16-substring.md
new file mode 100644
index 00000000000..be494a12184
--- /dev/null
+++ b/swift/ql/lib/change-notes/2023-10-16-substring.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added taint flow models for members of `Substring`.