Swift: Support selecting fields in Swift MaD.

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -410,8 +410,10 @@ pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
+  elementSpec(namespace, type, subtypes, name, signature, _) and
   namespace = "" and // TODO: Fill out when we properly extract modules.
   (
+    // Non-member functions
     exists(AbstractFunctionDecl func |
       func.getName() = name and
       type = "" and
@@ -421,10 +423,11 @@ private Element interpretElement0(
       result = func
     )
     or
+    // Member functions
     exists(NominalType nomType, IterableDeclContext decl, MethodDecl method |
       method.getName() = name and
       method = decl.getAMember() and
-      nomType.getName() = type and
+      nomType.getFullName() = type and
       matchesSignature(method, signature) and
       result = method
     |
@@ -434,6 +437,20 @@ private Element interpretElement0(
       subtypes = false and
       getDeclType(decl) = nomType
     )
+    or
+    signature = "" and
+    exists(NominalType nomType, IterableDeclContext decl, FieldDecl field |
+      field.getName() = name and
+      field = decl.getAMember() and
+      nomType.getFullName() = type and
+      result = field
+    |
+      subtypes = true and
+      getDeclType(decl) = nomType.getADerivedType*()
+      or
+      subtypes = false and
+      getDeclType(decl) = nomType
+    )
   )
 }
 
@@ -447,11 +464,18 @@ Element interpretElement(
   )
 }
 
-/**
- * Holds if `c` has a `generated` summary.
- */
-predicate hasSummary(SummarizedCallable c, boolean generated) {
-  summaryElement(c, _, _, _, generated)
+private predicate parseField(AccessPathToken c, Content::FieldContent f) {
+  exists(string fieldRegex, string name |
+    c.getName() = "Field" and
+    fieldRegex = "^([^.]+)$" and
+    name = c.getAnArgument().regexpCapture(fieldRegex, 1) and
+    f.getField().getName() = name
+  )
+}
+
+/** Holds if the specification component parses as a `Content`. */
+predicate parseContent(AccessPathToken component, Content content) {
+  parseField(component, content)
 }
 
 cached

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -105,12 +105,19 @@ predicate sinkElement(Element e, string input, string kind, boolean generated) {
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(AccessPathToken c) {
-  none() // TODO once we have field flow
+  exists(ContentSet cs, Content content |
+    cs.isSingleton(content) and
+    parseContent(c, content) and
+    result = SummaryComponent::content(cs)
+  )
 }
 
 /** Gets the textual representation of the content in the format used for flow summaries. */
-private string getContentSpecificCsv(ContentSet c) {
-  none() // TODO once we have field flow
+private string getContentSpecificCsv(ContentSet cs) {
+  exists(Content::FieldContent c |
+    cs.isSingleton(c) and
+    result = "Field[" + c.getField().getName() + "]"
+  )
 }
 
 /** Gets the textual representation of a summary component in the format used for flow summaries. */
@@ -182,10 +189,17 @@ class InterpretNode extends TInterpretNode {
   }
 }
 
-/** Provides additional sink specification logic required for attributes. */
-predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) { none() }
+predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  // Allow fields to be picked as output nodes.
+  exists(Node n, AstNode ast |
+    n = node.asNode() and
+    ast = mid.asElement()
+  |
+    c = "" and
+    n.asExpr().(MemberRefExpr).getMember() = ast
+  )
+}
 
-/** Provides additional sink specification logic required for attributes. */
 predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) { none() }
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */

swift/ql/lib/codeql/swift/elements/decl/TypeDecl.qll

@@ -1,6 +1,7 @@
 private import codeql.swift.generated.decl.TypeDecl
 private import codeql.swift.generated.type.Type
 private import codeql.swift.elements.type.AnyGenericType
+private import swift
 
 class TypeDecl extends TypeDeclBase {
   override string toString() { result = this.getName() }
@@ -12,4 +13,23 @@ class TypeDecl extends TypeDeclBase {
   TypeDecl getDerivedTypeDecl(int i) { result.getBaseTypeDecl(i) = this }
 
   TypeDecl getADerivedTypeDecl() { result = this.getDerivedTypeDecl(_) }
+
+  /**
+   * Gets the full name of this `TypeDecl`. For example in:
+   * ```swift
+   * struct A {
+   *   struct B {
+   *     // ...
+   *   }
+   * }
+   * ```
+   * The name and full name of `A` is `A`. The name of `B` is `B`, but the
+   * full name of `B` is `A.B`.
+   */
+  string getFullName() {
+    not this.getEnclosingDecl() instanceof TypeDecl and
+    result = this.getName()
+    or
+    result = this.getEnclosingDecl().(TypeDecl).getFullName() + "." + this.getName()
+  }
 }

swift/ql/lib/codeql/swift/elements/type/NominalType.qll

@@ -5,4 +5,18 @@ class NominalType extends NominalTypeBase {
   NominalType getABaseType() { result = this.getDeclaration().(NominalTypeDecl).getABaseType() }
 
   NominalType getADerivedType() { result.getABaseType() = this }
+
+  /**
+   * Gets the full name of this `TypeDecl`. For example in:
+   * ```swift
+   * struct A {
+   *   struct B {
+   *     // ...
+   *   }
+   * }
+   * ```
+   * The name and full name of `A` is `A`. The name of `B` is `B`, but the
+   * full name of `B` is `A.B`.
+   */
+  string getFullName() { result = this.getDeclaration().(NominalTypeDecl).getFullName() }
 }

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Url.qll

@@ -1,27 +1,25 @@
 import swift
-private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A model for `URL` members that are sources of remote flow.
  */
-class UrlRemoteFlowSource extends RemoteFlowSource {
-  UrlRemoteFlowSource() {
-    exists(StructDecl urlClass, ConcreteVarDecl memberDecl |
-      urlClass.getName() = "URL" and
-      (
-        urlClass.getAMember() = memberDecl and
-        memberDecl.getName() = ["resourceBytes", "lines"]
-        or
-        exists(StructDecl asyncBytesClass |
-          urlClass.getAMember() = asyncBytesClass and
-          asyncBytesClass.getName() = "AsyncBytes" and
-          asyncBytesClass.getAMember() = memberDecl and
-          memberDecl.getName() = "lines"
-        )
-      ) and
-      this.asExpr().(MemberRefExpr).getMember() = memberDecl
-    )
+private class UrlRemoteFlowSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";URL;true;resourceBytes;;;;remote", ";URL;true;lines;;;;remote",
+        ";URL.AsyncBytes;true;lines;;;;remote"
+      ]
   }
+}
 
-  override string getSourceType() { result = "external" }
+private class UrlSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";URL;true;init(string:);(String);;Argument[0];ReturnValue;taint",
+        ";URL;true;init(string:relativeTo:);(String,URL?);;Argument[0,1];ReturnValue;taint"
+      ]
+  }
 }