Merge pull request #9669 from rdmarsh2/rdmarsh2/swift/dataflow-lambda-flow

MathiasVP · web-flow · commit 9b587843ff59 · 2022-06-23T10:38:45.000+01:00
Swift: implement LambdaCall in dataflow library
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -165,7 +165,7 @@ private module ParameterNodes {
     override string toStringImpl() { result = param.toString() }
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-      exists(FuncDecl f, int index |
+      exists(Callable f, int index |
         c = TDataFlowFunc(f) and
         f.getParam(index) = param and
         pos = TPositionalParameter(index)
@@ -383,13 +383,25 @@ class Unit extends TUnit {
  */
 predicate isUnreachableInCall(Node n, DataFlowCall call) { none() }
 
-newtype LambdaCallKind = TODO_TLambdaCallKind()
+newtype LambdaCallKind = TLambdaCallKind()
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
+predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
+  kind = TLambdaCallKind() and
+  (
+    // Closures
+    c.getUnderlyingCallable() = creation.asExpr()
+    or
+    // Reference to a function declaration
+    creation.asExpr().(DeclRefExpr).getDecl() = c.getUnderlyingCallable()
+  )
+}
 
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
+predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
+  kind = TLambdaCallKind() and
+  receiver.asExpr() = call.asCall().getExpr().(ApplyExpr).getFunction()
+}
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected
@@ -29,6 +29,42 @@ edges
 | test.swift:89:15:89:22 | call to source() :  | test.swift:84:1:91:1 | arg[return] :  |
 | test.swift:97:9:97:41 | arg :  | test.swift:98:19:98:19 | x |
 | test.swift:104:9:104:54 | arg :  | test.swift:105:19:105:19 | x |
+| test.swift:109:9:109:14 | WriteDef :  | test.swift:110:12:110:12 | arg :  |
+| test.swift:109:9:109:14 | arg :  | test.swift:110:12:110:12 | arg :  |
+| test.swift:113:14:113:19 | WriteDef :  | test.swift:114:19:114:19 | arg :  |
+| test.swift:113:14:113:19 | WriteDef :  | test.swift:114:19:114:19 | arg :  |
+| test.swift:113:14:113:19 | arg :  | test.swift:114:19:114:19 | arg :  |
+| test.swift:113:14:113:19 | arg :  | test.swift:114:19:114:19 | arg :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | WriteDef :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | arg :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:123:10:123:13 | WriteDef :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:123:10:123:13 | i :  |
+| test.swift:118:18:118:25 | call to source() :  | test.swift:119:31:119:31 | x :  |
+| test.swift:119:18:119:44 | call to forward(arg:lambda:) :  | test.swift:120:15:120:15 | y |
+| test.swift:119:31:119:31 | x :  | test.swift:113:14:113:19 | WriteDef :  |
+| test.swift:119:31:119:31 | x :  | test.swift:113:14:113:19 | arg :  |
+| test.swift:119:31:119:31 | x :  | test.swift:119:18:119:44 | call to forward(arg:lambda:) :  |
+| test.swift:122:18:125:6 | call to forward(arg:lambda:) :  | test.swift:126:15:126:15 | z |
+| test.swift:122:31:122:38 | call to source() :  | test.swift:113:14:113:19 | WriteDef :  |
+| test.swift:122:31:122:38 | call to source() :  | test.swift:113:14:113:19 | arg :  |
+| test.swift:122:31:122:38 | call to source() :  | test.swift:122:18:125:6 | call to forward(arg:lambda:) :  |
+| test.swift:123:10:123:13 | WriteDef :  | test.swift:124:16:124:16 | i :  |
+| test.swift:123:10:123:13 | i :  | test.swift:124:16:124:16 | i :  |
+| test.swift:142:10:142:13 | WriteDef :  | test.swift:143:16:143:16 | i :  |
+| test.swift:142:10:142:13 | i :  | test.swift:143:16:143:16 | i :  |
+| test.swift:145:23:145:30 | call to source() :  | test.swift:142:10:142:13 | WriteDef :  |
+| test.swift:145:23:145:30 | call to source() :  | test.swift:142:10:142:13 | i :  |
+| test.swift:145:23:145:30 | call to source() :  | test.swift:145:15:145:31 | call to ... |
+| test.swift:149:16:149:23 | call to source() :  | test.swift:151:15:151:28 | call to ... |
+| test.swift:149:16:149:23 | call to source() :  | test.swift:159:16:159:29 | call to ... :  |
+| test.swift:154:10:154:13 | WriteDef :  | test.swift:155:19:155:19 | i |
+| test.swift:154:10:154:13 | i :  | test.swift:155:19:155:19 | i |
+| test.swift:157:16:157:23 | call to source() :  | test.swift:154:10:154:13 | WriteDef :  |
+| test.swift:157:16:157:23 | call to source() :  | test.swift:154:10:154:13 | i :  |
+| test.swift:159:16:159:29 | call to ... :  | test.swift:154:10:154:13 | WriteDef :  |
+| test.swift:159:16:159:29 | call to ... :  | test.swift:154:10:154:13 | i :  |
 nodes
 | test.swift:6:19:6:26 | call to source() :  | semmle.label | call to source() :  |
 | test.swift:7:15:7:15 | t1 | semmle.label | t1 |
@@ -72,9 +108,65 @@ nodes
 | test.swift:98:19:98:19 | x | semmle.label | x |
 | test.swift:104:9:104:54 | arg :  | semmle.label | arg :  |
 | test.swift:105:19:105:19 | x | semmle.label | x |
+| test.swift:109:9:109:14 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:109:9:109:14 | WriteDef :  | semmle.label | arg :  |
+| test.swift:109:9:109:14 | arg :  | semmle.label | WriteDef :  |
+| test.swift:109:9:109:14 | arg :  | semmle.label | arg :  |
+| test.swift:110:12:110:12 | arg :  | semmle.label | arg :  |
+| test.swift:113:14:113:19 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:113:14:113:19 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:113:14:113:19 | WriteDef :  | semmle.label | arg :  |
+| test.swift:113:14:113:19 | WriteDef :  | semmle.label | arg :  |
+| test.swift:113:14:113:19 | arg :  | semmle.label | WriteDef :  |
+| test.swift:113:14:113:19 | arg :  | semmle.label | WriteDef :  |
+| test.swift:113:14:113:19 | arg :  | semmle.label | arg :  |
+| test.swift:113:14:113:19 | arg :  | semmle.label | arg :  |
+| test.swift:114:12:114:22 | call to ... :  | semmle.label | call to ... :  |
+| test.swift:114:12:114:22 | call to ... :  | semmle.label | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | semmle.label | arg :  |
+| test.swift:114:19:114:19 | arg :  | semmle.label | arg :  |
+| test.swift:118:18:118:25 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:119:18:119:44 | call to forward(arg:lambda:) :  | semmle.label | call to forward(arg:lambda:) :  |
+| test.swift:119:31:119:31 | x :  | semmle.label | x :  |
+| test.swift:120:15:120:15 | y | semmle.label | y |
+| test.swift:122:18:125:6 | call to forward(arg:lambda:) :  | semmle.label | call to forward(arg:lambda:) :  |
+| test.swift:122:31:122:38 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:123:10:123:13 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:123:10:123:13 | WriteDef :  | semmle.label | i :  |
+| test.swift:123:10:123:13 | i :  | semmle.label | WriteDef :  |
+| test.swift:123:10:123:13 | i :  | semmle.label | i :  |
+| test.swift:124:16:124:16 | i :  | semmle.label | i :  |
+| test.swift:126:15:126:15 | z | semmle.label | z |
+| test.swift:138:19:138:26 | call to source() | semmle.label | call to source() |
+| test.swift:142:10:142:13 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:142:10:142:13 | WriteDef :  | semmle.label | i :  |
+| test.swift:142:10:142:13 | i :  | semmle.label | WriteDef :  |
+| test.swift:142:10:142:13 | i :  | semmle.label | i :  |
+| test.swift:143:16:143:16 | i :  | semmle.label | i :  |
+| test.swift:145:15:145:31 | call to ... | semmle.label | call to ... |
+| test.swift:145:23:145:30 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:149:16:149:23 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:151:15:151:28 | call to ... | semmle.label | call to ... |
+| test.swift:154:10:154:13 | WriteDef :  | semmle.label | WriteDef :  |
+| test.swift:154:10:154:13 | WriteDef :  | semmle.label | i :  |
+| test.swift:154:10:154:13 | i :  | semmle.label | WriteDef :  |
+| test.swift:154:10:154:13 | i :  | semmle.label | i :  |
+| test.swift:155:19:155:19 | i | semmle.label | i |
+| test.swift:157:16:157:23 | call to source() :  | semmle.label | call to source() :  |
+| test.swift:159:16:159:29 | call to ... :  | semmle.label | call to ... :  |
 subpaths
 | test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | WriteDef :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
 | test.swift:75:21:75:22 | &... :  | test.swift:65:16:65:28 | arg1 :  | test.swift:65:1:70:1 | arg2[return] :  | test.swift:75:5:75:33 | arg2 :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | WriteDef :  | test.swift:110:12:110:12 | arg :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:109:9:109:14 | arg :  | test.swift:110:12:110:12 | arg :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:123:10:123:13 | WriteDef :  | test.swift:124:16:124:16 | i :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:114:19:114:19 | arg :  | test.swift:123:10:123:13 | i :  | test.swift:124:16:124:16 | i :  | test.swift:114:12:114:22 | call to ... :  |
+| test.swift:119:31:119:31 | x :  | test.swift:113:14:113:19 | WriteDef :  | test.swift:114:12:114:22 | call to ... :  | test.swift:119:18:119:44 | call to forward(arg:lambda:) :  |
+| test.swift:119:31:119:31 | x :  | test.swift:113:14:113:19 | arg :  | test.swift:114:12:114:22 | call to ... :  | test.swift:119:18:119:44 | call to forward(arg:lambda:) :  |
+| test.swift:122:31:122:38 | call to source() :  | test.swift:113:14:113:19 | WriteDef :  | test.swift:114:12:114:22 | call to ... :  | test.swift:122:18:125:6 | call to forward(arg:lambda:) :  |
+| test.swift:122:31:122:38 | call to source() :  | test.swift:113:14:113:19 | arg :  | test.swift:114:12:114:22 | call to ... :  | test.swift:122:18:125:6 | call to forward(arg:lambda:) :  |
+| test.swift:145:23:145:30 | call to source() :  | test.swift:142:10:142:13 | WriteDef :  | test.swift:143:16:143:16 | i :  | test.swift:145:15:145:31 | call to ... |
+| test.swift:145:23:145:30 | call to source() :  | test.swift:142:10:142:13 | i :  | test.swift:143:16:143:16 | i :  | test.swift:145:15:145:31 | call to ... |
 #select
 | test.swift:7:15:7:15 | t1 | test.swift:6:19:6:26 | call to source() :  | test.swift:7:15:7:15 | t1 | result |
 | test.swift:9:15:9:15 | t1 | test.swift:6:19:6:26 | call to source() :  | test.swift:9:15:9:15 | t1 | result |
@@ -88,3 +180,10 @@ subpaths
 | test.swift:98:19:98:19 | x | test.swift:81:11:81:18 | call to source() :  | test.swift:98:19:98:19 | x | result |
 | test.swift:105:19:105:19 | x | test.swift:86:15:86:22 | call to source() :  | test.swift:105:19:105:19 | x | result |
 | test.swift:105:19:105:19 | x | test.swift:89:15:89:22 | call to source() :  | test.swift:105:19:105:19 | x | result |
+| test.swift:120:15:120:15 | y | test.swift:118:18:118:25 | call to source() :  | test.swift:120:15:120:15 | y | result |
+| test.swift:126:15:126:15 | z | test.swift:122:31:122:38 | call to source() :  | test.swift:126:15:126:15 | z | result |
+| test.swift:138:19:138:26 | call to source() | test.swift:138:19:138:26 | call to source() | test.swift:138:19:138:26 | call to source() | result |
+| test.swift:145:15:145:31 | call to ... | test.swift:145:23:145:30 | call to source() :  | test.swift:145:15:145:31 | call to ... | result |
+| test.swift:151:15:151:28 | call to ... | test.swift:149:16:149:23 | call to source() :  | test.swift:151:15:151:28 | call to ... | result |
+| test.swift:155:19:155:19 | i | test.swift:149:16:149:23 | call to source() :  | test.swift:155:19:155:19 | i | result |
+| test.swift:155:19:155:19 | i | test.swift:157:16:157:23 | call to source() :  | test.swift:155:19:155:19 | i | result |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected b/swift/ql/test/library-tests/dataflow/dataflow/LocalFlow.expected
@@ -74,3 +74,31 @@
 | test.swift:104:9:104:54 | WriteDef | test.swift:105:19:105:19 | x |
 | test.swift:104:9:104:54 | arg | test.swift:104:9:104:54 | WriteDef |
 | test.swift:104:41:104:41 | x | test.swift:104:40:104:41 | &... |
+| test.swift:109:9:109:14 | WriteDef | test.swift:110:12:110:12 | arg |
+| test.swift:109:9:109:14 | arg | test.swift:110:12:110:12 | arg |
+| test.swift:113:14:113:19 | WriteDef | test.swift:114:19:114:19 | arg |
+| test.swift:113:14:113:19 | arg | test.swift:114:19:114:19 | arg |
+| test.swift:113:24:113:41 | WriteDef | test.swift:114:12:114:12 | lambda |
+| test.swift:113:24:113:41 | lambda | test.swift:114:12:114:12 | lambda |
+| test.swift:118:9:118:12 | WriteDef | test.swift:119:31:119:31 | x |
+| test.swift:118:18:118:25 | call to source() | test.swift:118:9:118:12 | WriteDef |
+| test.swift:119:9:119:12 | WriteDef | test.swift:120:15:120:15 | y |
+| test.swift:119:18:119:44 | call to forward(arg:lambda:) | test.swift:119:9:119:12 | WriteDef |
+| test.swift:122:9:122:12 | WriteDef | test.swift:126:15:126:15 | z |
+| test.swift:122:18:125:6 | call to forward(arg:lambda:) | test.swift:122:9:122:12 | WriteDef |
+| test.swift:123:10:123:13 | WriteDef | test.swift:124:16:124:16 | i |
+| test.swift:123:10:123:13 | i | test.swift:124:16:124:16 | i |
+| test.swift:128:9:128:16 | WriteDef | test.swift:132:15:132:15 | clean |
+| test.swift:128:22:131:6 | call to forward(arg:lambda:) | test.swift:128:9:128:16 | WriteDef |
+| test.swift:141:9:141:9 | WriteDef | test.swift:145:15:145:15 | lambda2 |
+| test.swift:141:19:144:5 | { ... } | test.swift:141:9:141:9 | WriteDef |
+| test.swift:142:10:142:13 | WriteDef | test.swift:143:16:143:16 | i |
+| test.swift:142:10:142:13 | i | test.swift:143:16:143:16 | i |
+| test.swift:147:9:147:9 | WriteDef | test.swift:151:15:151:15 | lambdaSource |
+| test.swift:147:24:150:5 | { ... } | test.swift:147:9:147:9 | WriteDef |
+| test.swift:151:15:151:15 | lambdaSource | test.swift:159:16:159:16 | lambdaSource |
+| test.swift:153:9:153:9 | WriteDef | test.swift:157:5:157:5 | lambdaSink |
+| test.swift:153:22:156:5 | { ... } | test.swift:153:9:153:9 | WriteDef |
+| test.swift:154:10:154:13 | WriteDef | test.swift:155:19:155:19 | i |
+| test.swift:154:10:154:13 | i | test.swift:155:19:155:19 | i |
+| test.swift:157:5:157:5 | lambdaSink | test.swift:159:5:159:5 | lambdaSink |
diff --git a/swift/ql/test/library-tests/dataflow/dataflow/test.swift b/swift/ql/test/library-tests/dataflow/dataflow/test.swift
@@ -105,3 +105,56 @@ func inoutUser2(bool: Bool) {
         sink(arg: x) // tainted by two sources
     }
 }
+
+func id(arg: Int) -> Int {
+    return arg
+}
+
+func forward(arg: Int, lambda: (Int) -> Int) -> Int {
+    return lambda(arg)
+}
+
+func forwarder() {
+    var x: Int = source()
+    var y: Int = forward(arg: x, lambda: id)
+    sink(arg: y)
+
+    var z: Int = forward(arg: source(), lambda: {
+        (i: Int) -> Int in
+        return i
+    })
+    sink(arg: z)
+    
+    var clean: Int = forward(arg: source(), lambda: {
+        (i: Int) -> Int in
+        return 0
+    })
+    sink(arg: clean)
+}
+
+func lambdaFlows() {
+    var lambda1 = {
+        () -> Void in
+        sink(arg: source())
+    }
+
+    var lambda2 = {
+        (i: Int) -> Int in
+        return i
+    }
+    sink(arg: lambda2(source()))
+
+    var lambdaSource = {
+        () -> Int in
+        return source()
+    }
+    sink(arg: lambdaSource())
+
+    var lambdaSink = {
+        (i: Int) -> Void in
+        sink(arg: i)
+    }
+    lambdaSink(source())
+
+    lambdaSink(lambdaSource())
+}
