Swift: Model string closure methods.

2026-04-27 17:55:19 +02:00 · 2023-10-23 23:44:08 +01:00
parent 4cf40ed259
commit d3063e849e
2 changed files with 21 additions and 7 deletions
--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll
@@ -68,6 +68,10 @@ private class StringSummaries extends SummaryModelCsv {
        ";StringProtocol;true;trimmingCharacters(in:);;;Argument[-1];ReturnValue;taint",
        ";StringProtocol;true;uppercased();;;Argument[-1];ReturnValue;taint",
        ";StringProtocol;true;uppercased(with:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;withCString(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";StringProtocol;true;withCString(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";StringProtocol;true;withCString(encodedAs:_:);;;Argument[-1];Argument[1].Parameter[0].CollectionElement;taint",
+        ";StringProtocol;true;withCString(encodedAs:_:);;;Argument[1].ReturnValue;ReturnValue;value",
        ";String;true;init(decoding:);;;Argument[0];ReturnValue;taint",
        ";String;true;init(_:);;;Argument[0];ReturnValue;taint",
        ";String;true;init(_:);;;Argument[0];ReturnValue.OptionalSome;taint",
@@ -110,6 +114,7 @@ private class StringSummaries extends SummaryModelCsv {
        ";String;true;init(validating:);;;Argument[0];ReturnValue.OptionalSome;taint",
        ";String;true;init(validatingPlatformString:);;;Argument[0];ReturnValue.OptionalSome;taint",
        ";String;true;init(validatingPlatformString:);;;Argument[0].CollectionElement;ReturnValue.OptionalSome;taint",
+        ";String;true;init(unsafeUninitializedCapacity:initializingUTF8With:);;;Argument[1].CollectionElement;ReturnValue;taint",
        ";String;true;localizedStringWithFormat(_:_:);;;Argument[0];ReturnValue;taint",
        ";String;true;localizedStringWithFormat(_:_:);;;Argument[1].CollectionElement;ReturnValue;taint",
        ";String;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",
@@ -126,6 +131,15 @@ private class StringSummaries extends SummaryModelCsv {
        ";String;true;encode(to:);;;Argument[-1];Argument[0];taint",
        ";String;true;decodeCString(_:as:repairingInvalidCodeUnits:);;;Argument[0];ReturnValue.TupleElement[0];taint",
        ";String;true;decodeCString(_:as:repairingInvalidCodeUnits:);;;Argument[0].CollectionElement;ReturnValue.TupleElement[0];taint",
+        ";String;true;withUTF8(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";String;true;withUTF8(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1];taint",
+        ";String;true;withUTF8(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";String;true;withPlatformString(_:);;;Argument[-1];Argument[0].Parameter[0].CollectionElement;taint",
+        ";String;true;withPlatformString(_:);;;Argument[0].ReturnValue;ReturnValue;value",
+        ";String;true;withMutableCharacters(_:);;;Argument[-1];Argument[0].Parameter[0];value",
+        ";String;true;withMutableCharacters(_:);;;Argument[0].Parameter[0];Argument[-1];value",
+        ";String;true;withMutableCharacters(_:);;;Argument[0].Parameter[0].CollectionElement;Argument[-1];taint",
+        ";String;true;withMutableCharacters(_:);;;Argument[0].ReturnValue;ReturnValue;value",
        ";LosslessStringConvertible;true;init(_:);;;Argument[0];ReturnValue;taint",
      ]
  }
--- a/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
+++ b/swift/ql/test/library-tests/dataflow/taint/libraries/string.swift
@@ -372,7 +372,7 @@ func taintThroughEncodings() {
  })
  tainted.withUTF8({
    buffer in
-    sink(arg: buffer[0]) // $ MISSING: tainted=366
+    sink(arg: buffer[0]) // $ tainted=366
    sink(arg: buffer.baseAddress!) // $ MISSING: tainted=366
  })

@@ -382,7 +382,7 @@ func taintThroughEncodings() {
  })
  tainted.withCString({
    ptr in
-    sink(arg: ptr[0]) // $ MISSING: tainted=366
+    sink(arg: ptr[0]) // $ tainted=366
  })
  clean.withCString(encodedAs: UTF8.self, {
    ptr in
@@ -390,7 +390,7 @@ func taintThroughEncodings() {
  })
  tainted.withCString(encodedAs: UTF8.self, {
    ptr in
-    sink(arg: ptr[0]) // $ MISSING: tainted=366
+    sink(arg: ptr[0]) // $ tainted=366
  })

  let arrayString1 = clean.cString(using: String.Encoding.utf8)!
@@ -421,8 +421,8 @@ func taintThroughEncodings() {
  })
  tainted.withPlatformString({
    ptr in
-    sink(arg: ptr[0]) // $ MISSING: tainted=366
-    sink(arg: String(platformString: ptr)) // $ MISSING: tainted=366
+    sink(arg: ptr[0]) // $ tainted=366
+    sink(arg: String(platformString: ptr)) // $ tainted=366

    let buffer = UnsafeBufferPointer(start: ptr, count: 10)
    let arrayString = Array(buffer)
@@ -699,6 +699,6 @@ func taintMutableCharacters() {
    sink(arg: chars) // $ tainted=698
    return source()
  })
-  sink(arg: rtn) // $ MISSING: tainted=700
-  sink(arg: str) // $ MISSING: tainted=698
+  sink(arg: rtn) // $ tainted=700
+  sink(arg: str) // $ tainted=698
 }