Merge pull request #12413 from geoffw0/ptrout2

Swift: Permit data flow from all generic arguments
2025-12-17 01:03:14 +01:00 · 2023-03-07 16:27:12 +00:00
parent bdad847584 2ed140c696
commit 72d6f56df1
5 changed files with 43 additions and 35 deletions
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -211,9 +211,7 @@ private module Cached {
 private predicate modifiable(Argument arg) {
  arg.getExpr() instanceof InOutExpr
  or
-  arg.getExpr().getType() instanceof NominalType
-  or
-  arg.getExpr().getType() instanceof PointerType
+  arg.getExpr().getType() instanceof NominalOrBoundGenericNominalType
 }

 predicate modifiableParam(ParamDecl param) {
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/PointerTypes.qll
@@ -5,22 +5,6 @@

 import swift

-/**
- * A type that is used as a pointer in Swift, such as `UnsafePointer`,
- * `UnsafeBufferPointer` and similar types.
- */
-class PointerType extends Type {
-  PointerType() {
-    this instanceof UnsafeTypedPointerType or
-    this instanceof UnsafeRawPointerType or
-    this instanceof OpaquePointerType or
-    this instanceof AutoreleasingUnsafeMutablePointerType or
-    this instanceof UnmanagedType or
-    this instanceof CVaListPointerType or
-    this instanceof ManagedBufferPointerType
-  }
-}
-
 /**
 * A Swift unsafe typed pointer type such as `UnsafePointer`,
 * `UnsafeMutablePointer` or `UnsafeBufferPointer`.
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
@@ -99,3 +99,31 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {
  sink(arg: ptr.pointee) // $ MISSING: tainted=87
  sink(arg: ptr)
 }
+
+// ---
+
+struct MyPointerContainer {
+  var ptr: UnsafeMutablePointer<String>
+}
+
+struct MyGenericPointerContainer<T> {
+  var ptr: UnsafeMutablePointer<T>
+}
+
+func writePointerContainer(mpc: MyPointerContainer) {
+  mpc.ptr.pointee = sourceString()
+  sink(arg: mpc.ptr.pointee) // $ tainted=114
+}
+
+func writeGenericPointerContainer<T>(mgpc: MyGenericPointerContainer<T>) {
+  mgpc.ptr.pointee = sourceString() as! T
+  sink(arg: mgpc.ptr.pointee) // $ tainted=119
+}
+
+func testWritingPointerContainersInCalls(mpc: MyPointerContainer, mgpc: MyGenericPointerContainer<Int>) {
+  writePointerContainer(mpc: mpc)
+  sink(arg: mpc.ptr.pointee) // $ tainted=114
+
+  writeGenericPointerContainer(mgpc: mgpc)
+  sink(arg: mgpc.ptr.pointee) // $ tainted=119
+}
--- a/swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.expected
+++ b/swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.expected
@@ -1,14 +1,14 @@
-| pointers.swift:2:8:2:8 | self | AutoreleasingUnsafeMutablePointer<Pointee> | AutoreleasingUnsafeMutablePointerType, PointerType |
-| pointers.swift:14:6:14:6 | p1 | UnsafePointer<Int> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:15:6:15:6 | p2 | UnsafeMutablePointer<UInt8> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:16:6:16:6 | p3 | UnsafeBufferPointer<String> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:17:6:17:6 | p4 | UnsafeMutableBufferPointer<MyClass> | PointerType, UnsafeTypedPointerType |
-| pointers.swift:18:6:18:6 | p5 | UnsafeRawPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:19:6:19:6 | p6 | UnsafeMutableRawPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:20:6:20:6 | p7 | UnsafeRawBufferPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:21:6:21:6 | p8 | UnsafeMutableRawBufferPointer | PointerType, UnsafeRawPointerType |
-| pointers.swift:23:6:23:6 | op | OpaquePointer | OpaquePointerType, PointerType |
-| pointers.swift:24:6:24:6 | aump | AutoreleasingUnsafeMutablePointer<UInt8> | AutoreleasingUnsafeMutablePointerType, PointerType |
-| pointers.swift:25:6:25:6 | um | Unmanaged<MyClass> | PointerType, UnmanagedType |
-| pointers.swift:26:6:26:6 | cvlp | CVaListPointer | CVaListPointerType, PointerType |
-| pointers.swift:28:6:28:6 | mbp | ManagedBufferPointer<Int, MyClass> | ManagedBufferPointerType, PointerType |
+| pointers.swift:2:8:2:8 | self | AutoreleasingUnsafeMutablePointer<Pointee> | AutoreleasingUnsafeMutablePointerType |
+| pointers.swift:14:6:14:6 | p1 | UnsafePointer<Int> | UnsafeTypedPointerType |
+| pointers.swift:15:6:15:6 | p2 | UnsafeMutablePointer<UInt8> | UnsafeTypedPointerType |
+| pointers.swift:16:6:16:6 | p3 | UnsafeBufferPointer<String> | UnsafeTypedPointerType |
+| pointers.swift:17:6:17:6 | p4 | UnsafeMutableBufferPointer<MyClass> | UnsafeTypedPointerType |
+| pointers.swift:18:6:18:6 | p5 | UnsafeRawPointer | UnsafeRawPointerType |
+| pointers.swift:19:6:19:6 | p6 | UnsafeMutableRawPointer | UnsafeRawPointerType |
+| pointers.swift:20:6:20:6 | p7 | UnsafeRawBufferPointer | UnsafeRawPointerType |
+| pointers.swift:21:6:21:6 | p8 | UnsafeMutableRawBufferPointer | UnsafeRawPointerType |
+| pointers.swift:23:6:23:6 | op | OpaquePointer | OpaquePointerType |
+| pointers.swift:24:6:24:6 | aump | AutoreleasingUnsafeMutablePointer<UInt8> | AutoreleasingUnsafeMutablePointerType |
+| pointers.swift:25:6:25:6 | um | Unmanaged<MyClass> | UnmanagedType |
+| pointers.swift:26:6:26:6 | cvlp | CVaListPointer | CVaListPointerType |
+| pointers.swift:28:6:28:6 | mbp | ManagedBufferPointer<Int, MyClass> | ManagedBufferPointerType |
--- a/swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.ql
+++ b/swift/ql/test/library-tests/elements/type/pointertypes/pointertypes.ql
@@ -2,8 +2,6 @@ import swift
 import codeql.swift.frameworks.StandardLibrary.PointerTypes

 string describe(Type t) {
-  t instanceof PointerType and result = "PointerType"
-  or
  t instanceof BuiltinRawPointerType and result = "BuiltinRawPointerType"
  or
  t instanceof UnsafeTypedPointerType and result = "UnsafeTypedPointerType"