Swift: Restrict taint flow through + to strings.

geoffw0 · geoffw0 · commit e09e64ee85e2 · 2022-08-10T15:46:28.000+01:00
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
@@ -43,7 +43,11 @@ private module Cached {
     )
     or
     // allow flow through string concatenation.
-    nodeTo.asExpr().(AddExpr).getAnOperand() = nodeFrom.asExpr()
+    exists(AddExpr ae |
+      ae.getAnOperand() = nodeFrom.asExpr() and
+      ae = nodeTo.asExpr() and
+      ae.getType().getName() = "String"
+    )
     or
     // allow flow through `URL.init`.
     exists(CallExpr call, ClassDecl c, AbstractFunctionDecl f |
