Swift: Add data flow through OpenExistentialExpr.

2026-04-25 16:55:19 +02:00 · 2023-08-31 13:25:36 +01:00
parent b8d29e8fc1
commit 93c39c5fdd
5 changed files with 10 additions and 2 deletions
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -208,6 +208,9 @@ private module Cached {
      nodeFrom.asExpr() = ie.getBranch(_)
    )
    or
+    // flow through OpenExistentialExpr (compiler generated expression wrapper)
+    nodeFrom.asExpr() = nodeTo.asExpr().(OpenExistentialExpr).getSubExpr()
+    or
    // flow from Expr to Pattern
    exists(Expr e, Pattern p |
      nodeFrom.asExpr() = e and
--- a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -438,6 +438,7 @@ edges
 | test.swift:766:29:766:29 | KeyPathComponent [x] | test.swift:766:13:766:29 | exit #keyPath(...) |
 | test.swift:767:15:767:15 | s2 [s, some:0, x] | test.swift:766:13:766:29 | enter #keyPath(...) [s, some:0, x] |
 | test.swift:767:15:767:15 | s2 [s, some:0, x] | test.swift:767:15:767:28 | \\...[...] |
+| test.swift:775:12:775:21 | call to source() | test.swift:775:12:775:21 | OpenExistentialExpr |
 nodes
 | file://:0:0:0:0 | .a [x] | semmle.label | .a [x] |
 | file://:0:0:0:0 | .str | semmle.label | .str |
@@ -915,6 +916,8 @@ nodes
 | test.swift:766:29:766:29 | KeyPathComponent [x] | semmle.label | KeyPathComponent [x] |
 | test.swift:767:15:767:15 | s2 [s, some:0, x] | semmle.label | s2 [s, some:0, x] |
 | test.swift:767:15:767:28 | \\...[...] | semmle.label | \\...[...] |
+| test.swift:775:12:775:21 | OpenExistentialExpr | semmle.label | OpenExistentialExpr |
+| test.swift:775:12:775:21 | call to source() | semmle.label | call to source() |
 subpaths
 | test.swift:75:22:75:22 | x | test.swift:65:16:65:28 | arg1 | test.swift:65:1:70:1 | arg2[return] | test.swift:75:32:75:32 | [post] y |
 | test.swift:114:19:114:19 | arg | test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg | test.swift:114:12:114:22 | call to ... |
@@ -1070,3 +1073,4 @@ subpaths
 | test.swift:756:15:756:21 | ...! | test.swift:746:14:746:21 | call to source() | test.swift:756:15:756:21 | ...! | result |
 | test.swift:757:15:757:19 | .v3 | test.swift:747:14:747:21 | call to source() | test.swift:757:15:757:19 | .v3 | result |
 | test.swift:767:15:767:28 | \\...[...] | test.swift:764:18:764:25 | call to source() | test.swift:767:15:767:28 | \\...[...] | result |
+| test.swift:775:12:775:21 | OpenExistentialExpr | test.swift:775:12:775:21 | call to source() | test.swift:775:12:775:21 | OpenExistentialExpr | result |
--- a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
+++ b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -926,3 +926,4 @@
 | test.swift:766:13:766:29 | enter #keyPath(...) | test.swift:766:26:766:26 | KeyPathComponent |
 | test.swift:774:30:774:33 | SSA def(x) | test.swift:775:12:775:12 | x |
 | test.swift:774:30:774:33 | x | test.swift:774:30:774:33 | SSA def(x) |
+| test.swift:775:12:775:21 | call to source() | test.swift:775:12:775:21 | OpenExistentialExpr |
--- a/swift/ql/test/library-tests/dataflow/dataflow/test.swift
+++ b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -772,5 +772,5 @@ protocol MyProtocol {
 }

 func testOpenExistentialExpr(x: MyProtocol) {
-	sink(arg: x.source()) // $ MISSING:flow=771
+	sink(arg: x.source()) // $ flow=775
 }
--- a/swift/ql/test/library-tests/dataflow/flowsources/uikit.swift
+++ b/swift/ql/test/library-tests/dataflow/flowsources/uikit.swift
@@ -86,5 +86,5 @@ func test(
  _ = myTextInput.harmless(in: range)! // GOOD (not input)

  let str = protocolTextInput.text(in: range)! // $ source=local
-  sink(arg: str) // $ MISSING: tainted
+  sink(arg: str) // $ tainted
 }