Swift: Move try, ! to dataflow.

geoffw0 · geoffw0 · commit f3499e98a4b6 · 2022-08-10T15:13:04.000+01:00
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -106,6 +106,12 @@ private module Cached {
       //or
       // step from previous read to Phi node
       localFlowSsaInput(nodeFrom, def, nodeTo.asDefinition())
+      or
+      // flow through `try!` and similar constructs
+      nodeFrom.asExpr() = nodeTo.asExpr().(AnyTryExpr).getSubExpr()
+      or
+      // flow through `!`
+      nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
     )
     or
     exists(ParamReturnKind kind, ExprCfgNode arg |
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll
@@ -36,14 +36,6 @@ private module Cached {
       nodeTo.asDefinition().(Ssa::WriteDefinition).isInoutDef(e)
     )
     or
-    // allow flow through `try!` and similar constructs
-    // TODO: this should probably be part of DataFlow / TaintTracking?
-    nodeFrom.asExpr() = nodeTo.asExpr().(AnyTryExpr).getSubExpr()
-    or
-    // allow flow through `!`
-    // TODO: this should probably be part of DataFlow / TaintTracking?
-    nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
-    or
     // Flow from the computation of the interpolated string literal to the result of the interpolation.
     exists(InterpolatedStringLiteralExpr interpolated |
       nodeTo.asExpr() = interpolated and
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -182,25 +182,41 @@
 | string.swift:82:31:82:31 | tainted | string.swift:85:13:85:13 | tainted |
 | string.swift:84:13:84:13 | clean | string.swift:87:13:87:13 | clean |
 | string.swift:85:13:85:13 | tainted | string.swift:88:13:88:13 | tainted |
+| try.swift:8:17:8:23 | call to clean() | try.swift:8:13:8:23 | try ... |
+| try.swift:9:17:9:24 | call to source() | try.swift:9:13:9:24 | try ... |
+| try.swift:14:17:14:23 | call to clean() | try.swift:14:12:14:23 | try! ... |
+| try.swift:15:17:15:24 | call to source() | try.swift:15:12:15:24 | try! ... |
+| try.swift:17:13:17:24 | try? ... | try.swift:17:12:17:26 | ...! |
+| try.swift:17:18:17:24 | call to clean() | try.swift:17:13:17:24 | try? ... |
+| try.swift:18:13:18:25 | try? ... | try.swift:18:12:18:27 | ...! |
+| try.swift:18:18:18:25 | call to source() | try.swift:18:13:18:25 | try? ... |
 | url.swift:12:6:12:6 | WriteDef | url.swift:14:29:14:29 | clean |
 | url.swift:12:14:12:14 | http://example.com/ | url.swift:12:6:12:6 | WriteDef |
 | url.swift:13:6:13:6 | WriteDef | url.swift:15:31:15:31 | tainted |
 | url.swift:13:16:13:23 | call to source() | url.swift:13:6:13:6 | WriteDef |
 | url.swift:14:6:14:6 | WriteDef | url.swift:17:12:17:12 | urlClean |
+| url.swift:14:17:14:34 | call to ... | url.swift:14:17:14:35 | ...! |
 | url.swift:14:17:14:35 | ...! | url.swift:14:6:14:6 | WriteDef |
 | url.swift:14:29:14:29 | clean | url.swift:20:24:20:24 | clean |
 | url.swift:15:6:15:6 | WriteDef | url.swift:18:12:18:12 | urlTainted |
+| url.swift:15:19:15:38 | call to ... | url.swift:15:19:15:39 | ...! |
 | url.swift:15:19:15:39 | ...! | url.swift:15:6:15:6 | WriteDef |
 | url.swift:15:31:15:31 | tainted | url.swift:21:24:21:24 | tainted |
 | url.swift:17:12:17:12 | urlClean | url.swift:22:43:22:43 | urlClean |
 | url.swift:18:12:18:12 | urlTainted | url.swift:23:43:23:43 | urlTainted |
+| url.swift:20:12:20:46 | call to ... | url.swift:20:12:20:47 | ...! |
 | url.swift:20:24:20:24 | clean | url.swift:22:24:22:24 | clean |
+| url.swift:21:12:21:48 | call to ... | url.swift:21:12:21:49 | ...! |
 | url.swift:21:24:21:24 | tainted | url.swift:29:25:29:25 | tainted |
+| url.swift:22:12:22:51 | call to ... | url.swift:22:12:22:52 | ...! |
 | url.swift:22:24:22:24 | clean | url.swift:23:24:23:24 | clean |
+| url.swift:23:12:23:53 | call to ... | url.swift:23:12:23:54 | ...! |
 | url.swift:23:24:23:24 | clean | url.swift:25:25:25:25 | clean |
 | url.swift:25:25:25:25 | clean | url.swift:34:26:34:26 | clean |
 | url.swift:29:25:29:25 | tainted | url.swift:38:28:38:28 | tainted |
 | url.swift:34:2:34:31 | WriteDef | url.swift:35:12:35:12 | urlClean2 |
 | url.swift:34:14:34:31 | call to ... | url.swift:34:2:34:31 | WriteDef |
+| url.swift:35:12:35:12 | urlClean2 | url.swift:35:12:35:12 | ...! |
 | url.swift:38:2:38:35 | WriteDef | url.swift:39:12:39:12 | urlTainted2 |
 | url.swift:38:16:38:35 | call to ... | url.swift:38:2:38:35 | WriteDef |
+| url.swift:39:12:39:12 | urlTainted2 | url.swift:39:12:39:12 | ...! |
