Merge pull request #10597 from geoffw0/swifttaintsource

Swift: URL taint sources

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -79,6 +79,7 @@ private import internal.FlowSummaryImplSpecific
  */
 private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.String
+  private import codeql.swift.frameworks.StandardLibrary.Url
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Url.qll

@@ -0,0 +1,27 @@
+import swift
+private import codeql.swift.dataflow.FlowSources
+
+/**
+ * A model for `URL` members that are sources of remote flow.
+ */
+class UrlRemoteFlowSource extends RemoteFlowSource {
+  UrlRemoteFlowSource() {
+    exists(StructDecl urlClass, ConcreteVarDecl memberDecl |
+      urlClass.getName() = "URL" and
+      (
+        urlClass.getAMember() = memberDecl and
+        memberDecl.getName() = ["resourceBytes", "lines"]
+        or
+        exists(StructDecl asyncBytesClass |
+          urlClass.getAMember() = asyncBytesClass and
+          asyncBytesClass.getName() = "AsyncBytes" and
+          asyncBytesClass.getAMember() = memberDecl and
+          memberDecl.getName() = "lines"
+        )
+      ) and
+      this.asExpr().(MemberRefExpr).getMember() = memberDecl
+    )
+  }
+
+  override string getSourceType() { result = "external" }
+}

swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected

@@ -0,0 +1,5 @@
+| string.swift:27:21:27:21 | call to init(contentsOf:) | external |
+| string.swift:27:21:27:44 | call to init(contentsOf:) | external |
+| url.swift:53:15:53:19 | .resourceBytes | external |
+| url.swift:60:15:60:19 | .lines | external |
+| url.swift:67:16:67:22 | .lines | external |

swift/ql/test/library-tests/dataflow/flowsources/FlowSources.ql

@@ -0,0 +1,5 @@
+import swift
+import codeql.swift.dataflow.FlowSources
+
+from RemoteFlowSource source
+select source, concat(source.getSourceType(), ", ")

swift/ql/test/library-tests/dataflow/flowsources/string.swift

@@ -0,0 +1,31 @@
+
+// --- stubs ---
+
+struct URL
+{
+	init?(string: String) {}
+}
+
+extension String {
+	init(contentsOf: URL) throws {
+		var data = ""
+
+		// ...
+
+		self.init(data)
+	}
+}
+
+// --- tests ---
+
+func testStrings() {
+	do
+	{
+		let string1 = String()
+		let string2 = String(repeating: "abc", count: 10)
+		let url = URL(string: "http://example.com/")
+		let string3 = try String(contentsOf: url!) // SOURCE
+	} catch {
+		// ...
+	}
+}

swift/ql/test/library-tests/dataflow/flowsources/url.swift

@@ -0,0 +1,76 @@
+// --- stubs ---
+
+struct URL {
+	init?(string: String) {}
+
+	struct AsyncBytes : AsyncSequence, AsyncIteratorProtocol {
+		typealias Element = UInt8
+
+		func makeAsyncIterator() -> AsyncBytes {
+			return AsyncBytes()
+		}
+
+		mutating func next() async -> Element? { return nil }
+
+		var lines: AsyncLineSequence<Self> {
+			get {
+				return AsyncLineSequence<Self>()
+			}
+		}
+	}
+
+	var resourceBytes: URL.AsyncBytes {
+		get {
+			return AsyncBytes()
+		}
+	}
+
+	struct AsyncLineSequence<Base> : AsyncSequence, AsyncIteratorProtocol where Base : AsyncSequence, Base.Element == UInt8 {
+		typealias Element = String
+
+		func makeAsyncIterator() -> AsyncLineSequence<Base> {
+			return AsyncLineSequence<Base>()
+		}
+
+		mutating func next() async -> Element? { return nil }
+	}
+
+	var lines: AsyncLineSequence<URL.AsyncBytes> {
+		get {
+			return AsyncLineSequence<URL.AsyncBytes>()
+		}
+	}
+}
+
+func print(_ items: Any...) {}
+
+// --- tests ---
+
+func testURLs() async {
+	do
+	{
+		let url = URL(string: "http://example.com/")!
+		let bytes = url.resourceBytes // SOURCE
+
+		for try await byte in bytes
+		{
+			print(byte)
+		}
+
+		let lines = url.lines // SOURCE
+
+		for try await line in lines
+		{
+			print(line)
+		}
+
+		let lines2 = bytes.lines // SOURCE
+
+		for try await line in lines2
+		{
+			print(line)
+		}
+	} catch {
+		// ...
+	}
+}