Merge pull request #14661 from geoffw0/commandinject4

Swift: Fix defaultImplicitTaintRead on fields
github · Nov 8, 2023 · 68e7f84 · 68e7f84
2 parents 6b434d1 + 48c3db2
commit 68e7f84
Show file tree

Hide file tree

Showing 4 changed files with 262 additions and 193 deletions.
diff --git a/swift/ql/lib/change-notes/2023-11-01-field-sinks.md b/swift/ql/lib/change-notes/2023-11-01-field-sinks.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Fixed a bug where some flow sinks at field accesses were not being correctly identified.
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll
@@ -32,8 +32,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs)
   // So when the node is a `PostUpdateNode` we allow any sequence of implicit read steps of an appropriate
   // type to make sure we arrive at the sink with an empty access path.
   exists(NominalTypeDecl d, Decl cx |
-    node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getType().getUnderlyingType() =
-      d.getType().getABaseType*() and
+    node.(DataFlow::PostUpdateNode)
+        .getPreUpdateNode()
+        .asExpr()
+        .getType()
+        .getUnderlyingType()
+        .getABaseType*() = d.getType() and
     cx.asNominalTypeDecl() = d and
     cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
   )