Swift: Add taint tests for flow through interpolated strings.

MathiasVP · MathiasVP · commit 05e6dd85d4e3 · 2022-08-04T21:57:05.000+01:00
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -0,0 +1,121 @@
+| file://:0:0:0:0 | Phi | test.swift:7:14:7:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:9:14:9:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:11:14:11:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:14:14:14:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:16:14:16:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:18:14:18:14 | $interpolation |
+| file://:0:0:0:0 | Phi | test.swift:21:14:21:14 | $interpolation |
+| test.swift:5:7:5:7 | WriteDef | test.swift:7:16:7:16 | x |
+| test.swift:5:11:5:18 | call to source() | test.swift:5:7:5:7 | WriteDef |
+| test.swift:7:13:7:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:7:14:7:14 | $interpolation | test.swift:7:14:7:14 | &... |
+| test.swift:7:14:7:14 | : &... | test.swift:7:14:7:14 | WriteDef |
+| test.swift:7:14:7:14 | WriteDef | test.swift:7:15:7:15 | $interpolation |
+| test.swift:7:15:7:15 | $interpolation | test.swift:7:15:7:15 | &... |
+| test.swift:7:15:7:15 | : &... | test.swift:7:15:7:15 | WriteDef |
+| test.swift:7:15:7:15 | WriteDef | test.swift:7:18:7:18 | $interpolation |
+| test.swift:7:16:7:16 | x | test.swift:9:16:9:16 | x |
+| test.swift:7:18:7:18 | $interpolation | test.swift:7:18:7:18 | &... |
+| test.swift:7:18:7:18 | : &... | test.swift:7:18:7:18 | WriteDef |
+| test.swift:7:18:7:18 | WriteDef | test.swift:7:13:7:13 | TapExpr |
+| test.swift:9:13:9:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:9:14:9:14 | $interpolation | test.swift:9:14:9:14 | &... |
+| test.swift:9:14:9:14 | : &... | test.swift:9:14:9:14 | WriteDef |
+| test.swift:9:14:9:14 | WriteDef | test.swift:9:15:9:15 | $interpolation |
+| test.swift:9:15:9:15 | $interpolation | test.swift:9:15:9:15 | &... |
+| test.swift:9:15:9:15 | : &... | test.swift:9:15:9:15 | WriteDef |
+| test.swift:9:15:9:15 | WriteDef | test.swift:9:18:9:18 | $interpolation |
+| test.swift:9:16:9:16 | x | test.swift:9:21:9:21 | x |
+| test.swift:9:18:9:18 | $interpolation | test.swift:9:18:9:18 | &... |
+| test.swift:9:18:9:18 | : &... | test.swift:9:18:9:18 | WriteDef |
+| test.swift:9:18:9:18 | WriteDef | test.swift:9:20:9:20 | $interpolation |
+| test.swift:9:20:9:20 | $interpolation | test.swift:9:20:9:20 | &... |
+| test.swift:9:20:9:20 | : &... | test.swift:9:20:9:20 | WriteDef |
+| test.swift:9:20:9:20 | WriteDef | test.swift:9:23:9:23 | $interpolation |
+| test.swift:9:21:9:21 | x | test.swift:11:16:11:16 | x |
+| test.swift:9:23:9:23 | $interpolation | test.swift:9:23:9:23 | &... |
+| test.swift:9:23:9:23 | : &... | test.swift:9:23:9:23 | WriteDef |
+| test.swift:9:23:9:23 | WriteDef | test.swift:9:13:9:13 | TapExpr |
+| test.swift:11:13:11:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:11:14:11:14 | $interpolation | test.swift:11:14:11:14 | &... |
+| test.swift:11:14:11:14 | : &... | test.swift:11:14:11:14 | WriteDef |
+| test.swift:11:14:11:14 | WriteDef | test.swift:11:15:11:15 | $interpolation |
+| test.swift:11:15:11:15 | $interpolation | test.swift:11:15:11:15 | &... |
+| test.swift:11:15:11:15 | : &... | test.swift:11:15:11:15 | WriteDef |
+| test.swift:11:15:11:15 | WriteDef | test.swift:11:18:11:18 | $interpolation |
+| test.swift:11:16:11:16 | x | test.swift:11:26:11:26 | x |
+| test.swift:11:18:11:18 | $interpolation | test.swift:11:18:11:18 | &... |
+| test.swift:11:18:11:18 | : &... | test.swift:11:18:11:18 | WriteDef |
+| test.swift:11:18:11:18 | WriteDef | test.swift:11:20:11:20 | $interpolation |
+| test.swift:11:20:11:20 | $interpolation | test.swift:11:20:11:20 | &... |
+| test.swift:11:20:11:20 | : &... | test.swift:11:20:11:20 | WriteDef |
+| test.swift:11:20:11:20 | WriteDef | test.swift:11:23:11:23 | $interpolation |
+| test.swift:11:23:11:23 | $interpolation | test.swift:11:23:11:23 | &... |
+| test.swift:11:23:11:23 | : &... | test.swift:11:23:11:23 | WriteDef |
+| test.swift:11:23:11:23 | WriteDef | test.swift:11:25:11:25 | $interpolation |
+| test.swift:11:25:11:25 | $interpolation | test.swift:11:25:11:25 | &... |
+| test.swift:11:25:11:25 | : &... | test.swift:11:25:11:25 | WriteDef |
+| test.swift:11:25:11:25 | WriteDef | test.swift:11:28:11:28 | $interpolation |
+| test.swift:11:26:11:26 | x | test.swift:16:16:16:16 | x |
+| test.swift:11:28:11:28 | $interpolation | test.swift:11:28:11:28 | &... |
+| test.swift:11:28:11:28 | : &... | test.swift:11:28:11:28 | WriteDef |
+| test.swift:11:28:11:28 | WriteDef | test.swift:11:13:11:13 | TapExpr |
+| test.swift:13:7:13:7 | WriteDef | test.swift:14:16:14:16 | y |
+| test.swift:13:11:13:11 | 42 | test.swift:13:7:13:7 | WriteDef |
+| test.swift:14:13:14:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:14:14:14:14 | $interpolation | test.swift:14:14:14:14 | &... |
+| test.swift:14:14:14:14 | : &... | test.swift:14:14:14:14 | WriteDef |
+| test.swift:14:14:14:14 | WriteDef | test.swift:14:15:14:15 | $interpolation |
+| test.swift:14:15:14:15 | $interpolation | test.swift:14:15:14:15 | &... |
+| test.swift:14:15:14:15 | : &... | test.swift:14:15:14:15 | WriteDef |
+| test.swift:14:15:14:15 | WriteDef | test.swift:14:18:14:18 | $interpolation |
+| test.swift:14:16:14:16 | y | test.swift:16:27:16:27 | y |
+| test.swift:14:18:14:18 | $interpolation | test.swift:14:18:14:18 | &... |
+| test.swift:14:18:14:18 | : &... | test.swift:14:18:14:18 | WriteDef |
+| test.swift:14:18:14:18 | WriteDef | test.swift:14:13:14:13 | TapExpr |
+| test.swift:16:13:16:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:16:14:16:14 | $interpolation | test.swift:16:14:16:14 | &... |
+| test.swift:16:14:16:14 | : &... | test.swift:16:14:16:14 | WriteDef |
+| test.swift:16:14:16:14 | WriteDef | test.swift:16:15:16:15 | $interpolation |
+| test.swift:16:15:16:15 | $interpolation | test.swift:16:15:16:15 | &... |
+| test.swift:16:15:16:15 | : &... | test.swift:16:15:16:15 | WriteDef |
+| test.swift:16:15:16:15 | WriteDef | test.swift:16:18:16:18 | $interpolation |
+| test.swift:16:16:16:16 | x | test.swift:18:27:18:27 | x |
+| test.swift:16:18:16:18 | $interpolation | test.swift:16:18:16:18 | &... |
+| test.swift:16:18:16:18 | : &... | test.swift:16:18:16:18 | WriteDef |
+| test.swift:16:18:16:18 | WriteDef | test.swift:16:26:16:26 | $interpolation |
+| test.swift:16:26:16:26 | $interpolation | test.swift:16:26:16:26 | &... |
+| test.swift:16:26:16:26 | : &... | test.swift:16:26:16:26 | WriteDef |
+| test.swift:16:26:16:26 | WriteDef | test.swift:16:29:16:29 | $interpolation |
+| test.swift:16:27:16:27 | y | test.swift:18:16:18:16 | y |
+| test.swift:16:29:16:29 | $interpolation | test.swift:16:29:16:29 | &... |
+| test.swift:16:29:16:29 | : &... | test.swift:16:29:16:29 | WriteDef |
+| test.swift:16:29:16:29 | WriteDef | test.swift:16:13:16:13 | TapExpr |
+| test.swift:18:13:18:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:18:14:18:14 | $interpolation | test.swift:18:14:18:14 | &... |
+| test.swift:18:14:18:14 | : &... | test.swift:18:14:18:14 | WriteDef |
+| test.swift:18:14:18:14 | WriteDef | test.swift:18:15:18:15 | $interpolation |
+| test.swift:18:15:18:15 | $interpolation | test.swift:18:15:18:15 | &... |
+| test.swift:18:15:18:15 | : &... | test.swift:18:15:18:15 | WriteDef |
+| test.swift:18:15:18:15 | WriteDef | test.swift:18:18:18:18 | $interpolation |
+| test.swift:18:18:18:18 | $interpolation | test.swift:18:18:18:18 | &... |
+| test.swift:18:18:18:18 | : &... | test.swift:18:18:18:18 | WriteDef |
+| test.swift:18:18:18:18 | WriteDef | test.swift:18:26:18:26 | $interpolation |
+| test.swift:18:26:18:26 | $interpolation | test.swift:18:26:18:26 | &... |
+| test.swift:18:26:18:26 | : &... | test.swift:18:26:18:26 | WriteDef |
+| test.swift:18:26:18:26 | WriteDef | test.swift:18:29:18:29 | $interpolation |
+| test.swift:18:29:18:29 | $interpolation | test.swift:18:29:18:29 | &... |
+| test.swift:18:29:18:29 | : &... | test.swift:18:29:18:29 | WriteDef |
+| test.swift:18:29:18:29 | WriteDef | test.swift:18:13:18:13 | TapExpr |
+| test.swift:20:3:20:7 | WriteDef | test.swift:21:16:21:16 | x |
+| test.swift:20:7:20:7 | 0 | test.swift:20:3:20:7 | WriteDef |
+| test.swift:21:13:21:13 | WriteDef | file://:0:0:0:0 | Phi |
+| test.swift:21:14:21:14 | $interpolation | test.swift:21:14:21:14 | &... |
+| test.swift:21:14:21:14 | : &... | test.swift:21:14:21:14 | WriteDef |
+| test.swift:21:14:21:14 | WriteDef | test.swift:21:15:21:15 | $interpolation |
+| test.swift:21:15:21:15 | $interpolation | test.swift:21:15:21:15 | &... |
+| test.swift:21:15:21:15 | : &... | test.swift:21:15:21:15 | WriteDef |
+| test.swift:21:15:21:15 | WriteDef | test.swift:21:18:21:18 | $interpolation |
+| test.swift:21:18:21:18 | $interpolation | test.swift:21:18:21:18 | &... |
+| test.swift:21:18:21:18 | : &... | test.swift:21:18:21:18 | WriteDef |
+| test.swift:21:18:21:18 | WriteDef | test.swift:21:13:21:13 | TapExpr |
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.ql b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.ql
@@ -0,0 +1,6 @@
+import swift
+import codeql.swift.dataflow.DataFlow
+
+from DataFlow::Node pred, DataFlow::Node succ
+where DataFlow::localFlowStep(pred, succ)
+select pred, succ
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
@@ -0,0 +1,20 @@
+edges
+| test.swift:5:11:5:18 | call to source() :  | test.swift:7:13:7:13 | "..." |
+| test.swift:5:11:5:18 | call to source() :  | test.swift:9:13:9:13 | "..." |
+| test.swift:5:11:5:18 | call to source() :  | test.swift:11:13:11:13 | "..." |
+| test.swift:5:11:5:18 | call to source() :  | test.swift:16:13:16:13 | "..." |
+| test.swift:5:11:5:18 | call to source() :  | test.swift:18:13:18:13 | "..." |
+nodes
+| test.swift:5:11:5:18 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:7:13:7:13 | "..." | semmle.label | "..." |
+| test.swift:9:13:9:13 | "..." | semmle.label | "..." |
+| test.swift:11:13:11:13 | "..." | semmle.label | "..." |
+| test.swift:16:13:16:13 | "..." | semmle.label | "..." |
+| test.swift:18:13:18:13 | "..." | semmle.label | "..." |
+subpaths
+#select
+| test.swift:7:13:7:13 | "..." | test.swift:5:11:5:18 | call to source() :  | test.swift:7:13:7:13 | "..." | result |
+| test.swift:9:13:9:13 | "..." | test.swift:5:11:5:18 | call to source() :  | test.swift:9:13:9:13 | "..." | result |
+| test.swift:11:13:11:13 | "..." | test.swift:5:11:5:18 | call to source() :  | test.swift:11:13:11:13 | "..." | result |
+| test.swift:16:13:16:13 | "..." | test.swift:5:11:5:18 | call to source() :  | test.swift:16:13:16:13 | "..." | result |
+| test.swift:18:13:18:13 | "..." | test.swift:5:11:5:18 | call to source() :  | test.swift:18:13:18:13 | "..." | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.ql b/swift/ql/test/library-tests/dataflow/taint/Taint.ql
@@ -0,0 +1,29 @@
+/**
+ * @kind path-problem
+ */
+
+import swift
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.DataFlow::DataFlow
+import PathGraph
+
+class TestConfiguration extends TaintTracking::Configuration {
+  TestConfiguration() { this = "TestConfiguration" }
+
+  override predicate isSource(Node src) {
+    src.asExpr().(CallExpr).getStaticTarget().getName() = "source()"
+  }
+
+  override predicate isSink(Node sink) {
+    exists(CallExpr sinkCall |
+      sinkCall.getStaticTarget().getName() = "sink(arg:)" and
+      sinkCall.getAnArgument().getExpr() = sink.asExpr()
+    )
+  }
+
+  override int explorationLimit() { result = 100 }
+}
+
+from PathNode src, PathNode sink, TestConfiguration test
+where test.hasFlowPath(src, sink)
+select sink, src, sink, "result"
diff --git a/swift/ql/test/library-tests/dataflow/taint/test.swift b/swift/ql/test/library-tests/dataflow/taint/test.swift
@@ -0,0 +1,22 @@
+func source() -> Int { return 0; }
+func sink(arg: String) {}
+
+func taintThroughInterpolatedStrings() {
+  var x = source()
+  
+  sink(arg: "\(x)") // tainted
+
+  sink(arg: "\(x) \(x)") // tainted
+
+  sink(arg: "\(x) \(0) \(x)") // tainted
+
+  var y = 42
+  sink(arg: "\(y)") // clean
+
+  sink(arg: "\(x) hello \(y)") // tainted
+
+  sink(arg: "\(y) world \(x)") // tainted
+
+  x = 0
+  sink(arg: "\(x)") // clean
+}
