Swift: Allow trivial taint-like flow.

Author: geoffw0

swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql

@@ -84,6 +84,12 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
       flowstate = "String" // `String` length flowing into `NSString`
     )
   }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // allow flow through `+` and `-`.
+    node2.asExpr().(AddExpr).getAnOperand() = node1.asExpr() or
+    node2.asExpr().(SubExpr).getAnOperand() = node1.asExpr()
+  }
 }
 
 from

swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected

@@ -1,8 +1,36 @@
 edges
+| StringLengthConflation.swift:101:34:101:36 | .count :  | StringLengthConflation.swift:101:34:101:44 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:102:36:102:38 | .count :  | StringLengthConflation.swift:102:36:102:46 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:107:36:107:38 | .count :  | StringLengthConflation.swift:107:36:107:46 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:108:38:108:40 | .count :  | StringLengthConflation.swift:108:38:108:48 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:113:34:113:36 | .count :  | StringLengthConflation.swift:113:34:113:44 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:114:36:114:38 | .count :  | StringLengthConflation.swift:114:36:114:46 | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:120:28:120:30 | .count :  | StringLengthConflation.swift:120:28:120:38 | ... call to -(_:_:) ... |
 nodes
 | StringLengthConflation.swift:72:33:72:35 | .count | semmle.label | .count |
 | StringLengthConflation.swift:78:47:78:49 | .count | semmle.label | .count |
+| StringLengthConflation.swift:101:34:101:36 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:101:34:101:44 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:102:36:102:38 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:102:36:102:46 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:107:36:107:38 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:107:36:107:46 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:108:38:108:40 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:108:38:108:48 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:113:34:113:36 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:113:34:113:44 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:114:36:114:38 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:114:36:114:46 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
+| StringLengthConflation.swift:120:28:120:30 | .count :  | semmle.label | .count :  |
+| StringLengthConflation.swift:120:28:120:38 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
 subpaths
 #select
 | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:101:34:101:44 | ... call to -(_:_:) ... | StringLengthConflation.swift:101:34:101:36 | .count :  | StringLengthConflation.swift:101:34:101:44 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:102:36:102:46 | ... call to -(_:_:) ... | StringLengthConflation.swift:102:36:102:38 | .count :  | StringLengthConflation.swift:102:36:102:46 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:107:36:107:46 | ... call to -(_:_:) ... | StringLengthConflation.swift:107:36:107:38 | .count :  | StringLengthConflation.swift:107:36:107:46 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:108:38:108:48 | ... call to -(_:_:) ... | StringLengthConflation.swift:108:38:108:40 | .count :  | StringLengthConflation.swift:108:38:108:48 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:113:34:113:44 | ... call to -(_:_:) ... | StringLengthConflation.swift:113:34:113:36 | .count :  | StringLengthConflation.swift:113:34:113:44 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:114:36:114:46 | ... call to -(_:_:) ... | StringLengthConflation.swift:114:36:114:38 | .count :  | StringLengthConflation.swift:114:36:114:46 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |
+| StringLengthConflation.swift:120:28:120:38 | ... call to -(_:_:) ... | StringLengthConflation.swift:120:28:120:30 | .count :  | StringLengthConflation.swift:120:28:120:38 | ... call to -(_:_:) ... | This String length is used in an NSString, but it may not be equivalent. |

swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.swift

@@ -98,26 +98,26 @@ func test(s: String) {
 
     let nstr1 = ns.character(at: ns.length - 1) // GOOD
     let nmstr1 = nms.character(at: nms.length - 1) // GOOD
-    let nstr2 = ns.character(at: s.count - 1) // BAD: String length used in NSString [NOT DETECTED]
-    let nmstr2 = nms.character(at: s.count - 1) // BAD: String length used in NString [NOT DETECTED]
+    let nstr2 = ns.character(at: s.count - 1) // BAD: String length used in NSString
+    let nmstr2 = nms.character(at: s.count - 1) // BAD: String length used in NString
     print("character '\(nstr1)' '\(nmstr1)' / '\(nstr2)' '\(nmstr2)'")
 
     let nstr3 = ns.substring(from: ns.length - 1) // GOOD
     let nmstr3 = nms.substring(from: nms.length - 1) // GOOD
-    let nstr4 = ns.substring(from: s.count - 1) // BAD: String length used in NSString [NOT DETECTED]
-    let nmstr4 = nms.substring(from: s.count - 1) // BAD: String length used in NString [NOT DETECTED]
+    let nstr4 = ns.substring(from: s.count - 1) // BAD: String length used in NSString
+    let nmstr4 = nms.substring(from: s.count - 1) // BAD: String length used in NString
     print("substring from '\(nstr3)' '\(nmstr3)' / '\(nstr4)' '\(nmstr4)'")
 
     let nstr5 = ns.substring(to: ns.length - 1) // GOOD
     let nmstr5 = nms.substring(to: nms.length - 1) // GOOD
-    let nstr6 = ns.substring(to: s.count - 1) // BAD: String length used in NSString [NOT DETECTED]
-    let nmstr6 = nms.substring(to: s.count - 1) // BAD: String length used in NString [NOT DETECTED]
+    let nstr6 = ns.substring(to: s.count - 1) // BAD: String length used in NSString
+    let nmstr6 = nms.substring(to: s.count - 1) // BAD: String length used in NString
     print("substring to '\(nstr5)' '\(nmstr5)' / '\(nstr6)' '\(nmstr6)'")
 
     let nmstr7 = NSMutableString(string: s)
     nmstr7.insert("*", at: nms.length - 1) // GOOD
     let nmstr8 = NSMutableString(string: s)
-    nmstr8.insert("*", at: s.count - 1) // BAD: String length used in NSString [NOT DETECTED]
+    nmstr8.insert("*", at: s.count - 1) // BAD: String length used in NSString
     print("insert '\(nmstr7)' / '\(nmstr8)'")
 }