Swift: It turns out NSString.length always exactly matches String.utf16.count.

geoffw0 · geoffw0 · commit fe69bbf17cca · 2022-07-27T17:54:57.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql b/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
@@ -18,20 +18,29 @@ import DataFlow::PathGraph
  * A flow state for this query, which is a type of Swift string encoding.
  */
 class StringLengthConflationFlowState extends string {
+  string equivClass;
   string singular;
 
   StringLengthConflationFlowState() {
-    this = "String" and singular = "a String"
+    this = "String" and singular = "a String" and equivClass = "String"
     or
-    this = "NSString" and singular = "an NSString"
+    this = "NSString" and singular = "an NSString" and equivClass = "NSString"
     or
-    this = "String.utf8" and singular = "a String.utf8"
+    this = "String.utf8" and singular = "a String.utf8" and equivClass = "String.utf8"
     or
-    this = "String.utf16" and singular = "a String.utf16"
+    this = "String.utf16" and singular = "a String.utf16" and equivClass = "NSString"
     or
-    this = "String.unicodeScalars" and singular = "a String.unicodeScalars"
+    this = "String.unicodeScalars" and
+    singular = "a String.unicodeScalars" and
+    equivClass = "String.unicodeScalars"
   }
 
+  /**
+   * Gets the equivalence class for this flow state. If these are equal,
+   * they should be treated as equivalent.
+   */
+  string getEquivClass() { result = equivClass }
+
   /**
    * Gets text for the singular form of this flow state.
    */
@@ -183,7 +192,8 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
     // should report.
     exists(string correctFlowState |
       isSinkImpl(node, correctFlowState) and
-      flowstate.(StringLengthConflationFlowState) != correctFlowState
+      flowstate.(StringLengthConflationFlowState).getEquivClass() !=
+        correctFlowState.(StringLengthConflationFlowState).getEquivClass()
     )
   }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected b/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.expected
@@ -26,7 +26,6 @@ nodes
 | StringLengthConflation.swift:72:33:72:35 | .count | semmle.label | .count |
 | StringLengthConflation.swift:78:47:78:49 | .count | semmle.label | .count |
 | StringLengthConflation.swift:79:47:79:54 | .count | semmle.label | .count |
-| StringLengthConflation.swift:80:47:80:55 | .count | semmle.label | .count |
 | StringLengthConflation.swift:81:47:81:64 | .count | semmle.label | .count |
 | StringLengthConflation.swift:96:28:96:31 | .length :  | semmle.label | .length :  |
 | StringLengthConflation.swift:96:28:96:40 | ... call to -(_:_:) ... | semmle.label | ... call to -(_:_:) ... |
@@ -65,7 +64,6 @@ subpaths
 | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | StringLengthConflation.swift:72:33:72:35 | .count | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | StringLengthConflation.swift:78:47:78:49 | .count | This String length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:79:47:79:54 | .count | StringLengthConflation.swift:79:47:79:54 | .count | StringLengthConflation.swift:79:47:79:54 | .count | This String.utf8 length is used in an NSString, but it may not be equivalent. |
-| StringLengthConflation.swift:80:47:80:55 | .count | StringLengthConflation.swift:80:47:80:55 | .count | StringLengthConflation.swift:80:47:80:55 | .count | This String.utf16 length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:81:47:81:64 | .count | StringLengthConflation.swift:81:47:81:64 | .count | StringLengthConflation.swift:81:47:81:64 | .count | This String.unicodeScalars length is used in an NSString, but it may not be equivalent. |
 | StringLengthConflation.swift:96:28:96:40 | ... call to -(_:_:) ... | StringLengthConflation.swift:96:28:96:31 | .length :  | StringLengthConflation.swift:96:28:96:40 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
 | StringLengthConflation.swift:100:27:100:39 | ... call to -(_:_:) ... | StringLengthConflation.swift:100:27:100:30 | .length :  | StringLengthConflation.swift:100:27:100:39 | ... call to -(_:_:) ... | This NSString length is used in a String, but it may not be equivalent. |
diff --git a/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.swift b/swift/ql/test/query-tests/Security/CWE-135/StringLengthConflation.swift
@@ -77,7 +77,7 @@ func test(s: String) {
     let range5 = NSRange(location: 0, length: ns.length) // GOOD
     let range6 = NSRange(location: 0, length: s.count) // BAD: String length used in NSMakeRange
     let range7 = NSRange(location: 0, length: s.utf8.count) // BAD: String.utf8  length used in NSMakeRange
-    let range8 = NSRange(location: 0, length: s.utf16.count) // BAD: String.utf16 length used in NSMakeRange
+    let range8 = NSRange(location: 0, length: s.utf16.count) // GOOD: String.utf16 length and NSRange count are equivalent
     let range9 = NSRange(location: 0, length: s.unicodeScalars.count) // BAD: String.unicodeScalars length used in NSMakeRange
     print("NSRange '\(range5.description)' / '\(range6.description)' '\(range7.description)' '\(range8.description)' '\(range9.description)'")
 
