Merge pull request #9623 from MathiasVP/swift-interpretElement0

Swift: Interpret MaD strings

Author: rdmarsh2

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -78,7 +78,7 @@ private import internal.FlowSummaryImplSpecific
  * ensuring that they are visible to the taint tracking / data flow library.
  */
 private module Frameworks {
-  /* TODO */
+  private import codeql.swift.frameworks.StandardLibrary.String
 }
 
 /**
@@ -344,11 +344,86 @@ private predicate elementSpec(
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
+private string paramsStringPart(AbstractFunctionDecl c, int i) {
+  i = -1 and result = "(" and exists(c)
+  or
+  exists(int n, string p | c.getParam(n).getType().toString() = p |
+    i = 2 * n and result = p
+    or
+    i = 2 * n - 1 and result = "," and n != 0
+  )
+  or
+  i = 2 * c.getNumberOfParams() and result = ")"
+}
+
+/**
+ * Gets a parenthesized string containing all parameter types of this callable, separated by a comma.
+ *
+ * Returns the empty string if the callable has no parameters.
+ * Parameter types are represented by their type erasure.
+ */
+cached
+string paramsString(AbstractFunctionDecl c) {
+  result = concat(int i | | paramsStringPart(c, i) order by i)
+}
+
+bindingset[func]
+predicate matchesSignature(AbstractFunctionDecl func, string signature) {
+  signature = "" or
+  paramsString(func) = signature
+}
+
+private NominalType getDeclType(IterableDeclContext decl) {
+  result = decl.(ClassDecl).getType()
+  or
+  result = decl.(StructDecl).getType()
+  or
+  result = getDeclType(decl.(ExtensionDecl).getExtendedTypeDecl())
+  or
+  result = decl.(EnumDecl).getType()
+  or
+  result = decl.(ProtocolDecl).getType()
+}
+
+/**
+ * Gets the element in module `namespace` that satisfies the following properties:
+ * 1. If the element is a member of a class-like type, then the class-like type has name `type`
+ * 2. If `subtypes = true` and the element is a member of a class-like type, then overrides of the element
+ *    are also returned.
+ * 3. The element has name `name`
+ * 4. If `signature` is non-empty, then the element has a list of parameter types described by `signature`.
+ *
+ * NOTE: `namespace` is currently not used (since we don't properly extract modules yet).
+ */
 pragma[nomagic]
 private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
-  none() // TODO
+  namespace = "" and // TODO: Fill out when we properly extract modules.
+  (
+    exists(AbstractFunctionDecl func |
+      func.getName() = name and
+      type = "" and
+      matchesSignature(func, signature) and
+      subtypes = false and
+      not result instanceof MethodDecl and
+      result = func
+    )
+    or
+    exists(NominalType nomType, IterableDeclContext decl, MethodDecl method |
+      method.getName() = name and
+      method = decl.getAMember() and
+      nomType.getName() = type and
+      matchesSignature(method, signature) and
+      result = method
+    |
+      subtypes = true and
+      getDeclType(decl) = nomType.getADerivedType*()
+      or
+      subtypes = false and
+      getDeclType(decl) = nomType
+    )
+  )
 }
 
 /** Gets the source/sink/summary element corresponding to the supplied parameters. */

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll

@@ -181,6 +181,12 @@ class ParameterPosition extends TParameterPosition {
 
 class PositionalParameterPosition extends ParameterPosition, TPositionalParameter {
   int getIndex() { this = TPositionalParameter(result) }
+
+  override string toString() { result = this.getIndex().toString() }
+}
+
+class ThisParameterPosition extends ParameterPosition, TThisParameter {
+  override string toString() { result = "this" }
 }
 
 /** An argument position. */
@@ -191,6 +197,12 @@ class ArgumentPosition extends TArgumentPosition {
 
 class PositionalArgumentPosition extends ArgumentPosition, TPositionalArgument {
   int getIndex() { this = TPositionalArgument(result) }
+
+  override string toString() { result = this.getIndex().toString() }
+}
+
+class ThisArgumentPosition extends ArgumentPosition, TThisArgument {
+  override string toString() { result = "this" }
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -17,7 +17,7 @@ class SummarizedCallableBase = AbstractFunctionDecl;
 DataFlowCallable inject(SummarizedCallable c) { result = TDataFlowFunc(c) }
 
 /** Gets the parameter position of the instance parameter. */
-ArgumentPosition instanceParameterPosition() { none() } // disables implicit summary flow to `this` for callbacks
+ArgumentPosition instanceParameterPosition() { result instanceof ThisArgumentPosition }
 
 /** Gets the synthesized summary data-flow node for the given values. */
 Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = TSummaryNode(c, state) }
@@ -31,23 +31,23 @@ DataFlowType getContentType(Content c) { any() }
 /** Gets the return type of kind `rk` for callable `c`. */
 bindingset[c]
 DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
-  any() // TODO
+  any() // TODO once we have type pruning
 }
 
 /**
  * Gets the type of the parameter matching arguments at position `pos` in a
  * synthesized call that targets a callback of type `t`.
  */
 DataFlowType getCallbackParameterType(DataFlowType t, ArgumentPosition pos) {
-  none() // TODO
+  any() // TODO once we have type pruning
 }
 
 /**
  * Gets the return type of kind `rk` in a synthesized call that targets a
  * callback of type `t`.
  */
 DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
-  none() // TODO
+  any() // TODO once we have type pruning
 }
 
 /**
@@ -97,12 +97,12 @@ predicate sinkElement(Element e, string input, string kind, boolean generated) {
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(AccessPathToken c) {
-  none() // TODO
+  none() // TODO once we have field flow
 }
 
 /** Gets the textual representation of the content in the format used for flow summaries. */
 private string getContentSpecificCsv(Content c) {
-  none() // TODO
+  none() // TODO once we have field flow
 }
 
 /** Gets the textual representation of a summary component in the format used for flow summaries. */
@@ -117,14 +117,10 @@ string getComponentSpecificCsv(SummaryComponent sc) {
 }
 
 /** Gets the textual representation of a parameter position in the format used for flow summaries. */
-string getParameterPositionCsv(ParameterPosition pos) {
-  none() // TODO
-}
+string getParameterPositionCsv(ParameterPosition pos) { result = pos.toString() }
 
 /** Gets the textual representation of an argument position in the format used for flow summaries. */
-string getArgumentPositionCsv(ArgumentPosition pos) {
-  none() // TODO
-}
+string getArgumentPositionCsv(ArgumentPosition pos) { result = pos.toString() }
 
 /** Holds if input specification component `c` needs a reference. */
 predicate inputNeedsReferenceSpecific(string c) { none() }
@@ -187,11 +183,21 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]
 ArgumentPosition parseParamBody(string s) {
-  none() // TODO
+  exists(int index | index = AccessPath::parseInt(s) |
+    result.(PositionalArgumentPosition).getIndex() = index
+    or
+    index = -1 and
+    result instanceof ThisArgumentPosition
+  )
 }
 
 /** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
 bindingset[s]
 ParameterPosition parseArgBody(string s) {
-  none() // TODO
+  exists(int index | index = AccessPath::parseInt(s) |
+    result.(PositionalParameterPosition).getIndex() = index
+    or
+    index = -1 and
+    result instanceof ThisParameterPosition
+  )
 }

swift/ql/lib/codeql/swift/elements/decl/MethodDecl.qll

@@ -0,0 +1,24 @@
+private import swift
+
+private Decl getAMember(IterableDeclContext ctx) {
+  ctx.getAMember() = result
+  or
+  exists(VarDecl var |
+    ctx.getAMember() = var and
+    var.getAnAccessorDecl() = result
+  )
+}
+
+class MethodDecl extends AbstractFunctionDecl {
+  MethodDecl() {
+    this = getAMember(any(ClassDecl c))
+    or
+    this = getAMember(any(StructDecl c))
+    or
+    this = getAMember(any(ExtensionDecl c))
+    or
+    this = getAMember(any(EnumDecl c))
+    or
+    this = getAMember(any(ProtocolDecl c))
+  }
+}

swift/ql/lib/codeql/swift/elements/expr/ApplyExpr.qll

@@ -1,9 +1,9 @@
 private import codeql.swift.generated.expr.ApplyExpr
-private import codeql.swift.elements.decl.FuncDecl
+private import codeql.swift.elements.decl.AbstractFunctionDecl
 private import codeql.swift.elements.expr.DeclRefExpr
 
 class ApplyExpr extends ApplyExprBase {
-  FuncDecl getStaticTarget() { result = this.getFunction().(DeclRefExpr).getDecl() }
+  AbstractFunctionDecl getStaticTarget() { result = this.getFunction().(DeclRefExpr).getDecl() }
 
   override string toString() {
     result = "call to " + this.getStaticTarget().toString()

swift/ql/lib/codeql/swift/elements/type/AnyGenericType.qll

@@ -1,4 +1,6 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.AnyGenericType
+private import codeql.swift.elements.decl.GenericTypeDecl
 
-class AnyGenericType extends AnyGenericTypeBase { }
+class AnyGenericType extends AnyGenericTypeBase {
+  string getName() { result = this.getDeclaration().(GenericTypeDecl).getName() }
+}

swift/ql/lib/codeql/swift/elements/type/NominalType.qll

@@ -1,4 +1,8 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.NominalType
+private import codeql.swift.elements.decl.NominalTypeDecl
 
-class NominalType extends NominalTypeBase { }
+class NominalType extends NominalTypeBase {
+  NominalType getABaseType() { result = this.getDeclaration().(NominalTypeDecl).getABaseType() }
+
+  NominalType getADerivedType() { result.getABaseType() = this }
+}

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll

@@ -0,0 +1,12 @@
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+private class StringSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // String(contentsOf:) is a remote flow source
+        ";String;true;init(contentsOf:);(URL);;ReturnValue;remote"
+      ]
+  }
+}

swift/ql/lib/swift.qll

@@ -2,3 +2,4 @@
 
 import codeql.swift.elements
 import codeql.swift.elements.expr.LogicalOperation
+import codeql.swift.elements.decl.MethodDecl

swift/ql/test/extractor-tests/expressions/all.expected

@@ -44,7 +44,7 @@
 | expressions.swift:21:6:21:16 | call to failure(_:) |
 | expressions.swift:21:14:21:14 | 11 |
 | expressions.swift:27:13:27:13 | Klass.Type |
-| expressions.swift:27:13:27:13 | call to ... |
+| expressions.swift:27:13:27:13 | call to init |
 | expressions.swift:27:13:27:13 | init |
 | expressions.swift:27:13:27:19 | call to ... |
 | expressions.swift:29:9:29:19 | [...] |
@@ -163,7 +163,7 @@
 | expressions.swift:79:11:79:11 | init |
 | expressions.swift:79:19:79:19 | 22 |
 | expressions.swift:83:15:83:15 | Derived.Type |
-| expressions.swift:83:15:83:15 | call to ... |
+| expressions.swift:83:15:83:15 | call to init |
 | expressions.swift:83:15:83:15 | init |
 | expressions.swift:83:15:83:23 | call to ... |
 | expressions.swift:84:1:84:1 | _ |
@@ -184,7 +184,7 @@
 | expressions.swift:92:14:92:55 | call to ... |
 | expressions.swift:92:24:92:24 | passRetained(_:) |
 | expressions.swift:92:37:92:37 | ToPtr.Type |
-| expressions.swift:92:37:92:37 | call to ... |
+| expressions.swift:92:37:92:37 | call to init |
 | expressions.swift:92:37:92:37 | init |
 | expressions.swift:92:37:92:43 | call to ... |
 | expressions.swift:92:46:92:46 | toOpaque() |