Swift: More tests of taint flow through Strings.

geoffw0 · geoffw0 · commit 068ec8ea20c2 · 2022-08-09T16:43:07.000+01:00
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -119,3 +119,58 @@
 | string.swift:21:18:21:18 | $interpolation | string.swift:21:18:21:18 | &... |
 | string.swift:21:18:21:18 | : &... | string.swift:21:18:21:18 | WriteDef |
 | string.swift:21:18:21:18 | WriteDef | string.swift:21:13:21:13 | TapExpr |
+| string.swift:27:7:27:7 | WriteDef | string.swift:30:13:30:13 | clean |
+| string.swift:27:15:27:15 | abcdef | string.swift:27:7:27:7 | WriteDef |
+| string.swift:28:7:28:7 | WriteDef | string.swift:31:13:31:13 | tainted |
+| string.swift:28:17:28:25 | call to source2() | string.swift:28:7:28:7 | WriteDef |
+| string.swift:30:13:30:13 | clean | string.swift:33:13:33:13 | clean |
+| string.swift:31:13:31:13 | tainted | string.swift:34:21:34:21 | tainted |
+| string.swift:33:13:33:13 | clean | string.swift:33:21:33:21 | clean |
+| string.swift:33:21:33:21 | clean | string.swift:34:13:34:13 | clean |
+| string.swift:34:13:34:13 | clean | string.swift:35:23:35:23 | clean |
+| string.swift:34:21:34:21 | tainted | string.swift:35:13:35:13 | tainted |
+| string.swift:35:13:35:13 | tainted | string.swift:36:13:36:13 | tainted |
+| string.swift:35:23:35:23 | clean | string.swift:38:19:38:19 | clean |
+| string.swift:36:13:36:13 | tainted | string.swift:36:23:36:23 | tainted |
+| string.swift:36:23:36:23 | tainted | string.swift:39:19:39:19 | tainted |
+| string.swift:41:7:41:7 | WriteDef | string.swift:43:13:43:13 | str |
+| string.swift:41:13:41:13 | abc | string.swift:41:7:41:7 | WriteDef |
+| string.swift:43:13:43:13 | str | string.swift:45:3:45:3 | str |
+| string.swift:45:3:45:3 | : &... | string.swift:45:3:45:10 | WriteDef |
+| string.swift:45:3:45:3 | str | string.swift:45:3:45:3 | &... |
+| string.swift:45:3:45:10 | WriteDef | string.swift:46:13:46:13 | str |
+| string.swift:46:13:46:13 | str | string.swift:48:3:48:3 | str |
+| string.swift:48:3:48:3 | : &... | string.swift:48:3:48:18 | WriteDef |
+| string.swift:48:3:48:3 | str | string.swift:48:3:48:3 | &... |
+| string.swift:48:3:48:18 | WriteDef | string.swift:49:13:49:13 | str |
+| string.swift:51:7:51:7 | WriteDef | string.swift:53:13:53:13 | str2 |
+| string.swift:51:14:51:14 | abc | string.swift:51:7:51:7 | WriteDef |
+| string.swift:53:13:53:13 | str2 | string.swift:55:3:55:3 | str2 |
+| string.swift:55:3:55:3 | : &... | string.swift:55:3:55:8 | WriteDef |
+| string.swift:55:3:55:3 | str2 | string.swift:55:3:55:3 | &... |
+| string.swift:55:3:55:8 | WriteDef | string.swift:56:13:56:13 | str2 |
+| string.swift:56:13:56:13 | str2 | string.swift:58:3:58:3 | str2 |
+| string.swift:58:3:58:3 | : &... | string.swift:58:3:58:8 | WriteDef |
+| string.swift:58:3:58:3 | str2 | string.swift:58:3:58:3 | &... |
+| string.swift:58:3:58:8 | WriteDef | string.swift:59:13:59:13 | str2 |
+| string.swift:59:13:59:13 | str2 | string.swift:69:13:69:13 | str2 |
+| string.swift:61:7:61:7 | WriteDef | string.swift:63:13:63:13 | str3 |
+| string.swift:61:14:61:14 | abc | string.swift:61:7:61:7 | WriteDef |
+| string.swift:63:13:63:13 | str3 | string.swift:65:3:65:3 | str3 |
+| string.swift:65:3:65:3 | : &... | string.swift:65:3:65:8 | WriteDef |
+| string.swift:65:3:65:3 | str3 | string.swift:65:3:65:3 | &... |
+| string.swift:65:3:65:8 | WriteDef | string.swift:66:13:66:13 | str3 |
+| string.swift:66:13:66:13 | str3 | string.swift:68:3:68:3 | str3 |
+| string.swift:68:3:68:3 | str3 | string.swift:68:3:68:3 | &... |
+| string.swift:73:7:73:7 | WriteDef | string.swift:77:20:77:20 | clean |
+| string.swift:73:15:73:15 |  | string.swift:73:7:73:7 | WriteDef |
+| string.swift:74:7:74:7 | WriteDef | string.swift:78:20:78:20 | tainted |
+| string.swift:74:17:74:25 | call to source2() | string.swift:74:7:74:7 | WriteDef |
+| string.swift:75:7:75:7 | WriteDef | string.swift:79:20:79:20 | taintedInt |
+| string.swift:75:20:75:27 | call to source() | string.swift:75:7:75:7 | WriteDef |
+| string.swift:77:20:77:20 | clean | string.swift:81:31:81:31 | clean |
+| string.swift:78:20:78:20 | tainted | string.swift:82:31:82:31 | tainted |
+| string.swift:81:31:81:31 | clean | string.swift:84:13:84:13 | clean |
+| string.swift:82:31:82:31 | tainted | string.swift:85:13:85:13 | tainted |
+| string.swift:84:13:84:13 | clean | string.swift:87:13:87:13 | clean |
+| string.swift:85:13:85:13 | tainted | string.swift:88:13:88:13 | tainted |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
@@ -4,17 +4,21 @@ edges
 | string.swift:5:11:5:18 | call to source() :  | string.swift:11:13:11:13 | "..." |
 | string.swift:5:11:5:18 | call to source() :  | string.swift:16:13:16:13 | "..." |
 | string.swift:5:11:5:18 | call to source() :  | string.swift:18:13:18:13 | "..." |
+| string.swift:28:17:28:25 | call to source2() :  | string.swift:31:13:31:13 | tainted |
 nodes
 | string.swift:5:11:5:18 | call to source() :  | semmle.label | call to source() :  |
 | string.swift:7:13:7:13 | "..." | semmle.label | "..." |
 | string.swift:9:13:9:13 | "..." | semmle.label | "..." |
 | string.swift:11:13:11:13 | "..." | semmle.label | "..." |
 | string.swift:16:13:16:13 | "..." | semmle.label | "..." |
 | string.swift:18:13:18:13 | "..." | semmle.label | "..." |
+| string.swift:28:17:28:25 | call to source2() :  | semmle.label | call to source2() :  |
+| string.swift:31:13:31:13 | tainted | semmle.label | tainted |
 subpaths
 #select
 | string.swift:7:13:7:13 | "..." | string.swift:5:11:5:18 | call to source() :  | string.swift:7:13:7:13 | "..." | result |
 | string.swift:9:13:9:13 | "..." | string.swift:5:11:5:18 | call to source() :  | string.swift:9:13:9:13 | "..." | result |
 | string.swift:11:13:11:13 | "..." | string.swift:5:11:5:18 | call to source() :  | string.swift:11:13:11:13 | "..." | result |
 | string.swift:16:13:16:13 | "..." | string.swift:5:11:5:18 | call to source() :  | string.swift:16:13:16:13 | "..." | result |
 | string.swift:18:13:18:13 | "..." | string.swift:5:11:5:18 | call to source() :  | string.swift:18:13:18:13 | "..." | result |
+| string.swift:31:13:31:13 | tainted | string.swift:28:17:28:25 | call to source2() :  | string.swift:31:13:31:13 | tainted | result |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.ql b/swift/ql/test/library-tests/dataflow/taint/Taint.ql
@@ -11,12 +11,12 @@ class TestConfiguration extends TaintTracking::Configuration {
   TestConfiguration() { this = "TestConfiguration" }
 
   override predicate isSource(Node src) {
-    src.asExpr().(CallExpr).getStaticTarget().getName() = "source()"
+    src.asExpr().(CallExpr).getStaticTarget().getName().matches("source%")
   }
 
   override predicate isSink(Node sink) {
     exists(CallExpr sinkCall |
-      sinkCall.getStaticTarget().getName() = "sink(arg:)" and
+      sinkCall.getStaticTarget().getName().matches("sink%") and
       sinkCall.getAnArgument().getExpr() = sink.asExpr()
     )
   }
diff --git a/swift/ql/test/library-tests/dataflow/taint/string.swift b/swift/ql/test/library-tests/dataflow/taint/string.swift
@@ -19,4 +19,71 @@ func taintThroughInterpolatedStrings() {
 
   x = 0
   sink(arg: "\(x)") // clean
-}
+}
+
+func source2() -> String { return ""; }
+
+func taintThroughStringConcatenation() {
+  var clean = "abcdef"
+  var tainted = source2()
+
+  sink(arg: clean)
+  sink(arg: tainted) // tainted
+
+  sink(arg: clean + clean)
+  sink(arg: clean + tainted) // tainted [NOT DETECTED]
+  sink(arg: tainted + clean) // tainted [NOT DETECTED]
+  sink(arg: tainted + tainted) // tainted [NOT DETECTED]
+
+  sink(arg: ">" + clean + "<")
+  sink(arg: ">" + tainted + "<") // tainted [NOT DETECTED]
+
+  var str = "abc"
+
+  sink(arg: str)
+
+  str += "def"
+  sink(arg: str)
+
+  str += source2()
+  sink(arg: str) // tainted [NOT DETECTED]
+
+  var str2 = "abc"
+
+  sink(arg: str2)
+
+  str2.append("def")
+  sink(arg: str2)
+
+  str2.append(source2())
+  sink(arg: str2) // tainted [NOT DETECTED]
+
+  var str3 = "abc"
+
+  sink(arg: str3)
+
+  str3.append(contentsOf: "def")
+  sink(arg: str3)
+
+  str3.append(contentsOf: source2())
+  sink(arg: str2) // tainted [NOT DETECTED]
+}
+
+func taintThroughStringOperations() {
+  var clean = ""
+  var tainted = source2()
+  var taintedInt = source()
+
+  sink(arg: String(clean))
+  sink(arg: String(tainted)) // tainted [NOT DETECTED]
+  sink(arg: String(taintedInt)) // tainted [NOT DETECTED]
+
+  sink(arg: String(repeating: clean, count: 2))
+  sink(arg: String(repeating: tainted, count: 2)) // tainted [NOT DETECTED]
+
+  sink(arg: clean.description)
+  sink(arg: tainted.description) // tainted [NOT DETECTED]
+  
+  sink(arg: clean.debugDescription)
+  sink(arg: tainted.debugDescription) // tainted [NOT DETECTED]
+}

Original file line number	Diff line number	Diff line change
`@@ -11,12 +11,12 @@ class TestConfiguration extends TaintTracking::Configuration {`
`11`	`11`	`TestConfiguration() { this = "TestConfiguration" }`
`12`	`12`
`13`	`13`	`override predicate isSource(Node src) {`
`14`		`- src.asExpr().(CallExpr).getStaticTarget().getName() = "source()"`
	`14`	`+ src.asExpr().(CallExpr).getStaticTarget().getName().matches("source%")`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`override predicate isSink(Node sink) {`
`18`	`18`	`exists(CallExpr sinkCall \|`
`19`		`- sinkCall.getStaticTarget().getName() = "sink(arg:)" and`
	`19`	`+ sinkCall.getStaticTarget().getName().matches("sink%") and`
`20`	`20`	`sinkCall.getAnArgument().getExpr() = sink.asExpr()`
`21`	`21`	`)`
`22`	`22`	`}`