Merge pull request #10699 from MathiasVP/swift-mad-summaries

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -80,6 +80,7 @@ private import internal.FlowSummaryImplSpecific
 private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
+  private import codeql.swift.frameworks.StandardLibrary.UrlSession
 }
 
 /**
@@ -410,8 +411,10 @@ pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
+  elementSpec(namespace, type, subtypes, name, signature, _) and
   namespace = "" and // TODO: Fill out when we properly extract modules.
   (
+    // Non-member functions
     exists(AbstractFunctionDecl func |
       func.getName() = name and
       type = "" and
@@ -421,10 +424,11 @@ private Element interpretElement0(
       result = func
     )
     or
+    // Member functions
     exists(NominalType nomType, IterableDeclContext decl, MethodDecl method |
       method.getName() = name and
       method = decl.getAMember() and
-      nomType.getName() = type and
+      nomType.getFullName() = type and
       matchesSignature(method, signature) and
       result = method
     |
@@ -434,6 +438,20 @@ private Element interpretElement0(
       subtypes = false and
       getDeclType(decl) = nomType
     )
+    or
+    signature = "" and
+    exists(NominalType nomType, IterableDeclContext decl, FieldDecl field |
+      field.getName() = name and
+      field = decl.getAMember() and
+      nomType.getFullName() = type and
+      result = field
+    |
+      subtypes = true and
+      getDeclType(decl) = nomType.getADerivedType*()
+      or
+      subtypes = false and
+      getDeclType(decl) = nomType
+    )
   )
 }
 
@@ -447,11 +465,18 @@ Element interpretElement(
   )
 }
 
-/**
- * Holds if `c` has a `generated` summary.
- */
-predicate hasSummary(SummarizedCallable c, boolean generated) {
-  summaryElement(c, _, _, _, generated)
+private predicate parseField(AccessPathToken c, Content::FieldContent f) {
+  exists(string fieldRegex, string name |
+    c.getName() = "Field" and
+    fieldRegex = "^([^.]+)$" and
+    name = c.getAnArgument().regexpCapture(fieldRegex, 1) and
+    f.getField().getName() = name
+  )
+}
+
+/** Holds if the specification component parses as a `Content`. */
+predicate parseContent(AccessPathToken component, Content content) {
+  parseField(component, content)
 }
 
 cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -229,7 +229,9 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
 cached
 private module Cached {
   cached
-  newtype TDataFlowCallable = TDataFlowFunc(CfgScope scope)
+  newtype TDataFlowCallable =
+    TDataFlowFunc(CfgScope scope) or
+    TSummarizedCallable(FlowSummary::SummarizedCallable c)
 
   /** Gets a viable run-time target for the call `call`. */
   cached
@@ -241,6 +243,8 @@ private module Cached {
     result = TDataFlowFunc(call.(PropertySetterCall).getAccessorDecl())
     or
     result = TDataFlowFunc(call.(PropertyObserverCall).getAccessorDecl())
+    or
+    result = TSummarizedCallable(call.asCall().getStaticTarget())
   }
 
   cached

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -64,7 +64,13 @@ private module Cached {
     TExprNode(CfgNode n, Expr e) { hasExprNode(n, e) } or
     TSsaDefinitionNode(Ssa::Definition def) or
     TInoutReturnNode(ParamDecl param) { modifiableParam(param) } or
-    TSummaryNode(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) or
+    TSummaryNode(FlowSummary::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
+      FlowSummaryImpl::Private::summaryNodeRange(c, state)
+    } or
+    TSourceParameterNode(ParamDecl param) or
+    TSummaryParameterNode(FlowSummary::SummarizedCallable c, ParameterPosition pos) {
+      FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
+    } or
     TExprPostUpdateNode(CfgNode n) {
       // Obviously, the base of setters needs a post-update node
       n = any(PropertySetterCfgNode setter).getBase()
@@ -93,6 +99,20 @@ private module Cached {
     )
   }
 
+  private SsaDefinitionNode getParameterDefNode(ParamDecl p) {
+    exists(BasicBlock bb, int i |
+      bb.getNode(i).getNode().asAstNode() = p and
+      result.asDefinition().definesAt(_, bb, i)
+    )
+  }
+
+  /**
+   * Holds if `nodeFrom` is a parameter node, and `nodeTo` is a corresponding SSA node.
+   */
+  private predicate localFlowSsaParamInput(Node nodeFrom, Node nodeTo) {
+    nodeTo = getParameterDefNode(nodeFrom.(ParameterNode).getParameter())
+  }
+
   private predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) {
     exists(Ssa::Definition def |
       // Step from assignment RHS to def
@@ -117,6 +137,8 @@ private module Cached {
       localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
     )
     or
+    localFlowSsaParamInput(nodeFrom, nodeTo)
+    or
     // flow through `&` (inout argument)
     nodeFrom.asExpr() = nodeTo.asExpr().(InOutExpr).getSubExpr()
     or
@@ -125,6 +147,9 @@ private module Cached {
     or
     // flow through `!`
     nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
+    or
+    // flow through a flow summary (extension of `SummaryModelCsv`)
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
   }
 
   /**
@@ -138,7 +163,10 @@ private module Cached {
 
   /** This is the local flow predicate that is exposed. */
   cached
-  predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) { localFlowStepCommon(nodeFrom, nodeTo) }
+  predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) {
+    localFlowStepCommon(nodeFrom, nodeTo) or
+    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
+  }
 
   cached
   newtype TContentSet = TSingletonContent(Content c)
@@ -181,17 +209,15 @@ predicate nodeIsHidden(Node n) { none() }
 private module ParameterNodes {
   abstract class ParameterNodeImpl extends NodeImpl {
     predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { none() }
+
+    /** Gets the parameter associated with this node, if any. */
+    ParamDecl getParameter() { none() }
   }
 
-  class NormalParameterNode extends ParameterNodeImpl, SsaDefinitionNodeImpl {
+  class SourceParameterNode extends ParameterNodeImpl, TSourceParameterNode {
     ParamDecl param;
 
-    NormalParameterNode() {
-      exists(BasicBlock bb, int i |
-        super.asDefinition().definesAt(param, bb, i) and
-        bb.getNode(i).getNode().asAstNode() = param
-      )
-    }
+    SourceParameterNode() { this = TSourceParameterNode(param) }
 
     override Location getLocationImpl() { result = param.getLocation() }
 
@@ -206,6 +232,26 @@ private module ParameterNodes {
     }
 
     override DataFlowCallable getEnclosingCallable() { this.isParameterOf(result, _) }
+
+    override ParamDecl getParameter() { result = param }
+  }
+
+  class SummaryParameterNode extends ParameterNodeImpl, TSummaryParameterNode {
+    FlowSummary::SummarizedCallable sc;
+    ParameterPosition pos;
+
+    SummaryParameterNode() { this = TSummaryParameterNode(sc, pos) }
+
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition p) {
+      c.getUnderlyingCallable() = sc and
+      p = pos
+    }
+
+    override Location getLocationImpl() { result = sc.getLocation() }
+
+    override string toStringImpl() { result = "[summary param] " + pos + " in " + sc }
+
+    override DataFlowCallable getEnclosingCallable() { this.isParameterOf(result, _) }
   }
 }
 
@@ -300,6 +346,14 @@ private module ArgumentNodes {
       )
     }
   }
+
+  class SummaryArgumentNode extends SummaryNode, ArgumentNode {
+    SummaryArgumentNode() { FlowSummaryImpl::Private::summaryArgumentNode(_, this, _) }
+
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this, pos)
+    }
+  }
 }
 
 import ArgumentNodes
@@ -370,6 +424,12 @@ private module OutNodes {
     }
   }
 
+  class SummaryOutNode extends OutNode, SummaryNode {
+    override DataFlowCall getCall(ReturnKind kind) {
+      FlowSummaryImpl::Private::summaryOutNode(result, this, kind)
+    }
+  }
+
   class InOutUpdateArgNode extends OutNode, ExprPostUpdateNode {
     Argument arg;
 
@@ -435,6 +495,8 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = ref.getBase() and
     c.isSingleton(any(Content::FieldContent ct | ct.getField() = ref.getMember()))
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
 }
 
 predicate isLValue(Expr e) { any(AssignExpr assign).getDest() = e }
@@ -556,6 +618,9 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
   kind = TLambdaCallKind() and
   receiver.asExpr() = call.asCall().getExpr().(ApplyExpr).getFunction()
+  or
+  kind = TLambdaCallKind() and
+  receiver = call.(SummaryCall).getReceiver()
 }
 
 /** Extra data-flow steps needed for lambda flow analysis. */

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPublic.qll

@@ -70,7 +70,15 @@ class ExprNode extends Node, TExprNode {
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNode extends Node, SsaDefinitionNode instanceof ParameterNodeImpl { }
+class ParameterNode extends Node instanceof ParameterNodeImpl {
+  override ControlFlowNode getCfgNode() { result = this.(ParameterNodeImpl).getCfgNode() }
+
+  DataFlowCallable getDeclaringFunction() {
+    result = this.(ParameterNodeImpl).getEnclosingCallable()
+  }
+
+  ParamDecl getParameter() { result = this.(ParameterNodeImpl).getParameter() }
+}
 
 /**
  */

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -105,12 +105,19 @@ predicate sinkElement(Element e, string input, string kind, boolean generated) {
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(AccessPathToken c) {
-  none() // TODO once we have field flow
+  exists(ContentSet cs, Content content |
+    cs.isSingleton(content) and
+    parseContent(c, content) and
+    result = SummaryComponent::content(cs)
+  )
 }
 
 /** Gets the textual representation of the content in the format used for flow summaries. */
-private string getContentSpecificCsv(ContentSet c) {
-  none() // TODO once we have field flow
+private string getContentSpecificCsv(ContentSet cs) {
+  exists(Content::FieldContent c |
+    cs.isSingleton(c) and
+    result = "Field[" + c.getField().getName() + "]"
+  )
 }
 
 /** Gets the textual representation of a summary component in the format used for flow summaries. */
@@ -182,10 +189,17 @@ class InterpretNode extends TInterpretNode {
   }
 }
 
-/** Provides additional sink specification logic required for attributes. */
-predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) { none() }
+predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  // Allow fields to be picked as output nodes.
+  exists(Node n, AstNode ast |
+    n = node.asNode() and
+    ast = mid.asElement()
+  |
+    c = "" and
+    n.asExpr().(MemberRefExpr).getMember() = ast
+  )
+}
 
-/** Provides additional sink specification logic required for attributes. */
 predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) { none() }
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll

@@ -4,6 +4,7 @@ private import TaintTrackingPublic
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.Ssa
 private import codeql.swift.controlflow.CfgNodes
+private import FlowSummaryImpl as FlowSummaryImpl
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
@@ -48,15 +49,8 @@ private module Cached {
       ae.getType().getName() = "String"
     )
     or
-    // allow flow through `URL.init`.
-    exists(CallExpr call, StructDecl c, AbstractFunctionDecl f |
-      c.getName() = "URL" and
-      c.getAMember() = f and
-      f.getName() = ["init(string:)", "init(string:relativeTo:)"] and
-      call.getStaticTarget() = f and
-      nodeFrom.asExpr() = call.getAnArgument().getExpr() and
-      nodeTo.asExpr() = call
-    )
+    // flow through a flow summary (extension of `SummaryModelCsv`)
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, false)
   }
 
   /**

swift/ql/lib/codeql/swift/elements/decl/TypeDecl.qll

@@ -1,6 +1,7 @@
 private import codeql.swift.generated.decl.TypeDecl
 private import codeql.swift.generated.type.Type
 private import codeql.swift.elements.type.AnyGenericType
+private import swift
 
 class TypeDecl extends TypeDeclBase {
   override string toString() { result = this.getName() }
@@ -12,4 +13,23 @@ class TypeDecl extends TypeDeclBase {
   TypeDecl getDerivedTypeDecl(int i) { result.getBaseTypeDecl(i) = this }
 
   TypeDecl getADerivedTypeDecl() { result = this.getDerivedTypeDecl(_) }
+
+  /**
+   * Gets the full name of this `TypeDecl`. For example in:
+   * ```swift
+   * struct A {
+   *   struct B {
+   *     // ...
+   *   }
+   * }
+   * ```
+   * The name and full name of `A` is `A`. The name of `B` is `B`, but the
+   * full name of `B` is `A.B`.
+   */
+  string getFullName() {
+    not this.getEnclosingDecl() instanceof TypeDecl and
+    result = this.getName()
+    or
+    result = this.getEnclosingDecl().(TypeDecl).getFullName() + "." + this.getName()
+  }
 }

swift/ql/lib/codeql/swift/elements/type/NominalType.qll

@@ -5,4 +5,18 @@ class NominalType extends NominalTypeBase {
   NominalType getABaseType() { result = this.getDeclaration().(NominalTypeDecl).getABaseType() }
 
   NominalType getADerivedType() { result.getABaseType() = this }
+
+  /**
+   * Gets the full name of this `NominalType`. For example in:
+   * ```swift
+   * struct A {
+   *   struct B {
+   *     // ...
+   *   }
+   * }
+   * ```
+   * The name and full name of `A` is `A`. The name of `B` is `B`, but the
+   * full name of `B` is `A.B`.
+   */
+  string getFullName() { result = this.getDeclaration().(NominalTypeDecl).getFullName() }
 }