Merge pull request #17989 from geoffw0/swift6models2

Swift: More model repairs for Swift 6
github · Nov 18, 2024 · 8bcc5f4 · 8bcc5f4
2 parents 51f7129 + fa43207
commit 8bcc5f4
Show file tree

Hide file tree

Showing 15 changed files with 971 additions and 752 deletions.
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll
@@ -32,8 +32,8 @@ private class CollectionSummaries extends SummaryModelCsv {
         ";Collection;true;dropLast(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
         ";Collection;true;flatMap(_:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;flatMap(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
-        ";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint",
-        ";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value",
+        //";Collection;true;map(_:);;;Argument[-1];ReturnValue;taint", --- disabled due to dubious results in practice
+        //";Collection;true;map(_:);;;Argument[-1].CollectionElement;ReturnValue.CollectionElement;value", --- disabled due to dubious results in practice
         ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
         ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",

diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Numeric.qll
@@ -35,6 +35,17 @@ private class NumericSummaries extends SummaryModelCsv {
         ";BinaryInteger;true;formatted();;;Argument[-1];ReturnValue;taint",
         ";BinaryInteger;true;formatted(_:);;;Argument[-1];ReturnValue;taint",
         ";BinaryInteger;true;quotientAndRemainder(dividingBy:);;;Argument[-1..0];ReturnValue.TupleElement[0,1];taint",
+        ";BinaryInteger;true;advanced(by:);;;Argument[-1..0];ReturnValue;taint",
+        ";BinaryInteger;true;distance(to:);;;Argument[-1..0];ReturnValue;taint",
+        ";SignedInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";SignedInteger;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+        ";UnsignedInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";UnsignedInteger;true;init(exactly:);;;Argument[0];ReturnValue.OptionalSome;value",
+        ";FixedWidthInteger;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(clamping:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(truncatingIfNeeded:);;;Argument[0];ReturnValue;taint",
+        ";FixedWidthInteger;true;init(bitPattern:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
+        ";FixedWidthInteger;true;init(truncating:);;;Argument[0];ReturnValue;taint", // actually implemented in Int, UInt, Double etc.
         ";FixedWidthInteger;true;init(_:radix:);;;Argument[0];ReturnValue.OptionalSome;taint",
         ";FixedWidthInteger;true;init(littleEndian:);;;Argument[0];ReturnValue;taint",
         ";FixedWidthInteger;true;init(bigEndian:);;;Argument[0];ReturnValue;taint",
@@ -92,7 +103,7 @@ private class NumericFieldsInheritTaint extends TaintInheritingContent,
         className = "BinaryInteger" and
         fieldName = "words"
         or
-        className = "Numeric" and
+        className = ["Numeric", "SignedInteger", "UnsignedInteger"] and
         fieldName = ["magnitude", "byteSwapped"]
         or
         className = "BinaryFloatingPoint" and

diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -63,6 +63,7 @@ private class CommandInjectionSinks extends SinkModelCsv {
 private class CommandInjectionDefaultBarrier extends CommandInjectionBarrier {
   CommandInjectionDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionExtensions.qll
@@ -46,6 +46,7 @@ private class PredicateInjectionSinkCsv extends SinkModelCsv {
 private class PredicateInjectionDefaultBarrier extends PredicateInjectionBarrier {
   PredicateInjectionDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
@@ -190,6 +190,7 @@ private class DefaultSqlInjectionSink extends SqlInjectionSink {
 private class SqlInjectionDefaultBarrier extends SqlInjectionBarrier {
   SqlInjectionDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
@@ -94,6 +94,7 @@ class HeuristicUncontrolledFormatStringSink extends UncontrolledFormatStringSink
 private class UncontrolledFormatStringDefaultBarrier extends UncontrolledFormatStringBarrier {
   UncontrolledFormatStringDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
@@ -127,6 +127,7 @@ private class DefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
 private class UnsafeJsEvalDefaultBarrier extends UnsafeJsEvalBarrier {
   UnsafeJsEvalDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackExtensions.qll
@@ -73,6 +73,7 @@ private class UnsafeUnpackAdditionalDataFlowStep extends UnsafeUnpackAdditionalF
 private class UnsafeUnpackDefaultBarrier extends UnsafeUnpackBarrier {
   UnsafeUnpackDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll
@@ -64,6 +64,7 @@ private class RegexInjectionSinks extends SinkModelCsv {
 private class RegexInjectionDefaultBarrier extends RegexInjectionBarrier {
   RegexInjectionDefaultBarrier() {
     // any numeric type
-    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
+    this.asExpr().getType().getUnderlyingType().getABaseType*().getName() =
+      ["Numeric", "SignedInteger", "UnsignedInteger"]
   }
 }