Swift: Flow from optional content through "!".

2026-04-27 01:35:13 +02:00 · 2023-07-21 15:53:52 +01:00
parent d9187c62fe
commit 89e7b75ea1
3 changed files with 58 additions and 3 deletions
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -170,6 +170,10 @@ private module Cached {
    nodeFrom.asExpr() = nodeTo.asExpr().(AnyTryExpr).getSubExpr()
    or
    // flow through `!`
+    // note: there's a case in `readStep` that handles when the source is the
+    //   `OptionalSomeContentSet` within the RHS. This case is for when the
+    //   `Optional` itself is tainted (which it usually shouldn't be, but
+    //   retaining this case increases robustness of flow).
    nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
    or
    // flow through `?` and `?.`
@@ -725,6 +729,10 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
    )
  )
  or
+  // read of an enum (`Optional.Some`) member via `!`
+  node1.asExpr() = node2.asExpr().(ForceValueExpr).getSubExpr() and
+  c instanceof OptionalSomeContentSet
+  or
  // read of a tuple member via `case let (v1, v2)` pattern matching
  exists(TuplePattern tupPat, int idx, Pattern subPat |
    node1.asPattern() = tupPat and
--- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -115,14 +115,23 @@ edges
 | test.swift:263:13:263:28 | call to optionalSource() | test.swift:280:15:280:38 | ... ? ... : ... |
 | test.swift:263:13:263:28 | call to optionalSource() | test.swift:291:16:291:17 | ...? |
 | test.swift:263:13:263:28 | call to optionalSource() | test.swift:303:15:303:16 | ...! |
+| test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:267:15:267:15 | x [some:0] |
+| test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:279:26:279:26 | x [some:0] |
+| test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:280:26:280:26 | x [some:0] |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:284:8:284:12 | let ...? [some:0] |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:291:16:291:17 | ...? [some:0] |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:298:11:298:15 | let ...? [some:0] |
+| test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:303:15:303:15 | x [some:0] |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:306:13:306:24 | .some(...) [some:0] |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | test.swift:314:10:314:21 | .some(...) [some:0] |
+| test.swift:267:15:267:15 | x [some:0] | test.swift:267:15:267:16 | ...! |
 | test.swift:270:15:270:22 | call to source() | test.swift:270:15:270:31 | call to signum() |
 | test.swift:271:15:271:16 | ...? | test.swift:271:15:271:25 | call to signum() |
 | test.swift:271:15:271:25 | call to signum() | test.swift:271:15:271:25 | OptionalEvaluationExpr |
+| test.swift:279:26:279:26 | x [some:0] | test.swift:279:26:279:27 | ...! |
+| test.swift:279:26:279:27 | ...! | test.swift:279:15:279:31 | ... ? ... : ... |
+| test.swift:280:26:280:26 | x [some:0] | test.swift:280:26:280:27 | ...! |
+| test.swift:280:26:280:27 | ...! | test.swift:280:15:280:38 | ... ? ... : ... |
 | test.swift:280:31:280:38 | call to source() | test.swift:280:15:280:38 | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() | test.swift:282:15:282:38 | ... ? ... : ... |
 | test.swift:284:8:284:12 | let ...? [some:0] | test.swift:284:12:284:12 | z |
@@ -135,6 +144,7 @@ edges
 | test.swift:291:16:291:26 | call to signum() [some:0] | test.swift:291:8:291:12 | let ...? [some:0] |
 | test.swift:298:11:298:15 | let ...? [some:0] | test.swift:298:15:298:15 | z1 |
 | test.swift:298:15:298:15 | z1 | test.swift:300:15:300:15 | z1 |
+| test.swift:303:15:303:15 | x [some:0] | test.swift:303:15:303:16 | ...! |
 | test.swift:303:15:303:16 | ...! | test.swift:303:15:303:25 | call to signum() |
 | test.swift:306:13:306:24 | .some(...) [some:0] | test.swift:306:23:306:23 | z |
 | test.swift:306:23:306:23 | z | test.swift:307:19:307:19 | z |
@@ -164,6 +174,8 @@ edges
 | test.swift:361:15:361:15 | t2 [Tuple element at index 1] | test.swift:361:15:361:18 | .1 |
 | test.swift:375:16:375:21 | v | test.swift:375:61:375:61 | v |
 | test.swift:375:61:375:61 | v | test.swift:375:45:375:62 | call to ... [mySingle:0] |
+| test.swift:377:18:377:23 | v | test.swift:377:59:377:59 | v |
+| test.swift:377:59:377:59 | v | test.swift:377:45:377:60 | call to ... [some:0] |
 | test.swift:403:9:403:27 | call to ... [mySingle:0] | test.swift:408:10:408:25 | .mySingle(...) [mySingle:0] |
 | test.swift:403:9:403:27 | call to ... [mySingle:0] | test.swift:417:13:417:28 | .mySingle(...) [mySingle:0] |
 | test.swift:403:19:403:26 | call to source() | test.swift:403:9:403:27 | call to ... [mySingle:0] |
@@ -218,6 +230,16 @@ edges
 | test.swift:496:33:496:33 | d4 | test.swift:496:54:496:54 | d4 |
 | test.swift:498:13:498:35 | .mySingle(...) [mySingle:0] | test.swift:498:33:498:33 | d6 |
 | test.swift:498:33:498:33 | d6 | test.swift:498:54:498:54 | d6 |
+| test.swift:501:14:501:36 | call to ... [some:0] | test.swift:507:15:507:15 | e2 [some:0] |
+| test.swift:501:28:501:35 | call to source() | test.swift:501:14:501:36 | call to ... [some:0] |
+| test.swift:503:14:503:34 | call to mkOptional1(_:) [some:0] | test.swift:509:15:509:15 | e4 [some:0] |
+| test.swift:503:26:503:33 | call to source() | test.swift:377:18:377:23 | v |
+| test.swift:503:26:503:33 | call to source() | test.swift:503:14:503:34 | call to mkOptional1(_:) [some:0] |
+| test.swift:505:14:505:34 | call to mkOptional2(_:) [some:0] | test.swift:511:15:511:15 | e6 [some:0] |
+| test.swift:505:26:505:33 | call to source() | test.swift:505:14:505:34 | call to mkOptional2(_:) [some:0] |
+| test.swift:507:15:507:15 | e2 [some:0] | test.swift:507:15:507:17 | ...! |
+| test.swift:509:15:509:15 | e4 [some:0] | test.swift:509:15:509:17 | ...! |
+| test.swift:511:15:511:15 | e6 [some:0] | test.swift:511:15:511:17 | ...! |
 | test.swift:517:13:517:28 | call to optionalSource() [some:0] | test.swift:519:8:519:12 | let ...? [some:0] |
 | test.swift:517:13:517:28 | call to optionalSource() [some:0] | test.swift:524:19:524:19 | x [some:0] |
 | test.swift:519:8:519:12 | let ...? [some:0] | test.swift:519:12:519:12 | a |
@@ -410,6 +432,7 @@ nodes
 | test.swift:263:13:263:28 | call to optionalSource() | semmle.label | call to optionalSource() |
 | test.swift:263:13:263:28 | call to optionalSource() [some:0] | semmle.label | call to optionalSource() [some:0] |
 | test.swift:265:15:265:15 | x | semmle.label | x |
+| test.swift:267:15:267:15 | x [some:0] | semmle.label | x [some:0] |
 | test.swift:267:15:267:16 | ...! | semmle.label | ...! |
 | test.swift:270:15:270:22 | call to source() | semmle.label | call to source() |
 | test.swift:270:15:270:31 | call to signum() | semmle.label | call to signum() |
@@ -419,7 +442,11 @@ nodes
 | test.swift:274:15:274:20 | ... ??(_:_:) ... | semmle.label | ... ??(_:_:) ... |
 | test.swift:275:15:275:27 | ... ??(_:_:) ... | semmle.label | ... ??(_:_:) ... |
 | test.swift:279:15:279:31 | ... ? ... : ... | semmle.label | ... ? ... : ... |
+| test.swift:279:26:279:26 | x [some:0] | semmle.label | x [some:0] |
+| test.swift:279:26:279:27 | ...! | semmle.label | ...! |
 | test.swift:280:15:280:38 | ... ? ... : ... | semmle.label | ... ? ... : ... |
+| test.swift:280:26:280:26 | x [some:0] | semmle.label | x [some:0] |
+| test.swift:280:26:280:27 | ...! | semmle.label | ...! |
 | test.swift:280:31:280:38 | call to source() | semmle.label | call to source() |
 | test.swift:282:15:282:38 | ... ? ... : ... | semmle.label | ... ? ... : ... |
 | test.swift:282:31:282:38 | call to source() | semmle.label | call to source() |
@@ -436,6 +463,7 @@ nodes
 | test.swift:298:11:298:15 | let ...? [some:0] | semmle.label | let ...? [some:0] |
 | test.swift:298:15:298:15 | z1 | semmle.label | z1 |
 | test.swift:300:15:300:15 | z1 | semmle.label | z1 |
+| test.swift:303:15:303:15 | x [some:0] | semmle.label | x [some:0] |
 | test.swift:303:15:303:16 | ...! | semmle.label | ...! |
 | test.swift:303:15:303:25 | call to signum() | semmle.label | call to signum() |
 | test.swift:306:13:306:24 | .some(...) [some:0] | semmle.label | .some(...) [some:0] |
@@ -473,6 +501,9 @@ nodes
 | test.swift:375:16:375:21 | v | semmle.label | v |
 | test.swift:375:45:375:62 | call to ... [mySingle:0] | semmle.label | call to ... [mySingle:0] |
 | test.swift:375:61:375:61 | v | semmle.label | v |
+| test.swift:377:18:377:23 | v | semmle.label | v |
+| test.swift:377:45:377:60 | call to ... [some:0] | semmle.label | call to ... [some:0] |
+| test.swift:377:59:377:59 | v | semmle.label | v |
 | test.swift:403:9:403:27 | call to ... [mySingle:0] | semmle.label | call to ... [mySingle:0] |
 | test.swift:403:19:403:26 | call to source() | semmle.label | call to source() |
 | test.swift:408:10:408:25 | .mySingle(...) [mySingle:0] | semmle.label | .mySingle(...) [mySingle:0] |
@@ -532,6 +563,18 @@ nodes
 | test.swift:498:13:498:35 | .mySingle(...) [mySingle:0] | semmle.label | .mySingle(...) [mySingle:0] |
 | test.swift:498:33:498:33 | d6 | semmle.label | d6 |
 | test.swift:498:54:498:54 | d6 | semmle.label | d6 |
+| test.swift:501:14:501:36 | call to ... [some:0] | semmle.label | call to ... [some:0] |
+| test.swift:501:28:501:35 | call to source() | semmle.label | call to source() |
+| test.swift:503:14:503:34 | call to mkOptional1(_:) [some:0] | semmle.label | call to mkOptional1(_:) [some:0] |
+| test.swift:503:26:503:33 | call to source() | semmle.label | call to source() |
+| test.swift:505:14:505:34 | call to mkOptional2(_:) [some:0] | semmle.label | call to mkOptional2(_:) [some:0] |
+| test.swift:505:26:505:33 | call to source() | semmle.label | call to source() |
+| test.swift:507:15:507:15 | e2 [some:0] | semmle.label | e2 [some:0] |
+| test.swift:507:15:507:17 | ...! | semmle.label | ...! |
+| test.swift:509:15:509:15 | e4 [some:0] | semmle.label | e4 [some:0] |
+| test.swift:509:15:509:17 | ...! | semmle.label | ...! |
+| test.swift:511:15:511:15 | e6 [some:0] | semmle.label | e6 [some:0] |
+| test.swift:511:15:511:17 | ...! | semmle.label | ...! |
 | test.swift:517:13:517:28 | call to optionalSource() [some:0] | semmle.label | call to optionalSource() [some:0] |
 | test.swift:519:8:519:12 | let ...? [some:0] | semmle.label | let ...? [some:0] |
 | test.swift:519:12:519:12 | a | semmle.label | a |
@@ -634,6 +677,7 @@ subpaths
 | test.swift:219:13:219:13 | b [a, x] | test.swift:185:7:185:7 | self [a, x] | file://:0:0:0:0 | .a [x] | test.swift:219:13:219:15 | .a [x] |
 | test.swift:219:13:219:15 | .a [x] | test.swift:163:7:163:7 | self [x] | file://:0:0:0:0 | .x | test.swift:219:13:219:17 | .x |
 | test.swift:490:24:490:31 | call to source() | test.swift:375:16:375:21 | v | test.swift:375:45:375:62 | call to ... [mySingle:0] | test.swift:490:14:490:32 | call to mkMyEnum1(_:) [mySingle:0] |
+| test.swift:503:26:503:33 | call to source() | test.swift:377:18:377:23 | v | test.swift:377:45:377:60 | call to ... [some:0] | test.swift:503:14:503:34 | call to mkOptional1(_:) [some:0] |
 | test.swift:546:12:546:12 | x [some:0] | test.swift:540:9:540:9 | value [some:0] | file://:0:0:0:0 | [post] self [x, some:0] | test.swift:546:5:546:5 | [post] cx [x, some:0] |
 | test.swift:550:20:550:20 | cx [x, some:0] | test.swift:540:9:540:9 | self [x, some:0] | file://:0:0:0:0 | .x [some:0] | test.swift:550:20:550:23 | .x [some:0] |
 | test.swift:574:20:574:28 | call to source3() | test.swift:567:10:567:13 | s | test.swift:568:7:568:7 | [post] self [str] | test.swift:574:7:574:7 | [post] self [str] |
@@ -711,6 +755,9 @@ subpaths
 | test.swift:494:54:494:54 | d2 | test.swift:488:30:488:37 | call to source() | test.swift:494:54:494:54 | d2 | result |
 | test.swift:496:54:496:54 | d4 | test.swift:490:24:490:31 | call to source() | test.swift:496:54:496:54 | d4 | result |
 | test.swift:498:54:498:54 | d6 | test.swift:492:24:492:31 | call to source() | test.swift:498:54:498:54 | d6 | result |
+| test.swift:507:15:507:17 | ...! | test.swift:501:28:501:35 | call to source() | test.swift:507:15:507:17 | ...! | result |
+| test.swift:509:15:509:17 | ...! | test.swift:503:26:503:33 | call to source() | test.swift:509:15:509:17 | ...! | result |
+| test.swift:511:15:511:17 | ...! | test.swift:505:26:505:33 | call to source() | test.swift:511:15:511:17 | ...! | result |
 | test.swift:520:19:520:19 | a | test.swift:259:12:259:19 | call to source() | test.swift:520:19:520:19 | a | result |
 | test.swift:527:19:527:19 | a | test.swift:259:12:259:19 | call to source() | test.swift:527:19:527:19 | a | result |
 | test.swift:551:15:551:15 | z1 | test.swift:259:12:259:19 | call to source() | test.swift:551:15:551:15 | z1 | result |
--- a/swift/ql/test/library-tests/dataflow/dataflow/test.swift
+++ b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -504,11 +504,11 @@ func testEnums() {
    let e5 = mkOptional2(0)
    let e6 = mkOptional2(source())
    sink(arg: e1!)
-    sink(arg: e2!) // $ MISSING: flow=501
+    sink(arg: e2!) // $ flow=501
    sink(arg: e3!)
-    sink(arg: e4!) // $ MISSING: flow=503
+    sink(arg: e4!) // $ flow=503
    sink(arg: e5!)
-    sink(arg: e6!) // $ MISSING: flow=505
+    sink(arg: e6!) // $ flow=505
 }

 func source2() -> (Int, Int)? { return nil }