The Wayback Machine - https://web.archive.org/web/20231129093758/https://github.com/github/codeql/pull/14925

Swift: Imprecise Taint Flows #14925

Open
wants to merge 8 commits into base: main

Conversation

geoffw0 (Contributor) commented Nov 27, 2023

Adds a small number of imprecise taint flow models. There's a lot more we could potentially do here, but let's start small for now:

  • taint flow through methods that look like an "append" or "insert"; many of these will be on classes derived from Collection (which we can model and I think do model most of), but quite often these patterns are also copied in classes that do not derive from Collection. By using an imprecise model, we can catch the latter as well.
  • taint flow through initializers with a "data" argument, which I'm pretty happy will inherit taint from an argument of that nature.

There's a contents / flow paths issue here - we only have flow path support on MAD flow models, not on QL flow models which these imprecise sinks have to be - so we can't have flow from the contents of the argument to the contents of the qualifier. That's why we don't catch the cases on lines 118 and 119 of the test where taint was introduced in the contents of the taintedArray argument rather than in taintedArray itself. I'm keen to hear thoughts on how we could solve this.

@geoffw0 geoffw0 added the Swift label Nov 27, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner November 27, 2023 20:16
geoffw0 (Contributor, Author) commented Nov 28, 2023

DCA run looks clean.

MathiasVP (Contributor) left a comment

One comment, but otherwise this LGTM

ce.getStaticTarget().(Function).getShortName() = ["append", "insert"] and
arg.getLabel() = ["", "contentsOf"] and
node1.asExpr() = arg.getExpr() and
node2.asExpr() = ce.getQualifier()

MathiasVP (Contributor) commented Nov 28, 2023 on the lines above


Should this really be the qualifier expression? I would have expected this to be

node.(PostUpdateNode).getPreUpdateNode().asExpr() = ce.getQualifier()

to reflect the fact that this is the value of the expression after append returns
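The two steps from the PR description (argument-to-qualifier flow for append-like methods, and `data:` argument flow for initializer calls), written in the `PostUpdateNode` form the review comment above suggests, as an added example; this is not code from the codeql repository or from this PR. `CallExpr`, `Argument`, `getStaticTarget()`, `getQualifier()`, `TaintTracking::AdditionalTaintStep` and `DataFlow::PostUpdateNode` are the Swift library's own names (they appear on this page); the `Initializer` declaration class used for the second step is an assumption.

```ql
/**
 * Added example, not code from the codeql repository or this PR.
 * Imprecise taint steps in the shape the PR describes, using a
 * post-update node so taint reaches the qualifier's value after the
 * call returns (the reviewer's suggestion).
 */
import swift
import codeql.swift.dataflow.DataFlow
import codeql.swift.dataflow.TaintTracking

/**
 * Holds if `ce` calls a method whose short name is `append` or `insert`
 * and `arg` is its unlabelled or `contentsOf:` argument. This is
 * deliberately imprecise: the declaring type is not checked.
 */
private predicate appendLikeCall(CallExpr ce, Argument arg) {
  ce.getStaticTarget().(Function).getShortName() = ["append", "insert"] and
  arg = ce.getAnArgument() and
  arg.getLabel() = ["", "contentsOf"]
}

/**
 * Holds if `ce` is an initializer call with an argument labelled `data:`.
 * Assumption: `Initializer` is the declaration class for Swift initializers.
 */
private predicate dataInitializerCall(CallExpr ce, Argument arg) {
  ce.getStaticTarget() instanceof Initializer and
  arg = ce.getAnArgument() and
  arg.getLabel() = "data"
}

/**
 * The additional taint steps: argument -> qualifier-after-call for
 * append-like methods, and `data:` argument -> result of an initializer call.
 */
private class ImpreciseTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
    exists(CallExpr ce, Argument arg |
      appendLikeCall(ce, arg) and
      nodeFrom.asExpr() = arg.getExpr() and
      // The post-update node is the qualifier's value once `append` has run,
      // which is what callers read after the statement.
      nodeTo.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = ce.getQualifier()
    )
    or
    exists(CallExpr ce, Argument arg |
      dataInitializerCall(ce, arg) and
      nodeFrom.asExpr() = arg.getExpr() and
      // The initializer's result is the call expression itself.
      nodeTo.asExpr() = ce
    )
  }
}
```

Both steps relate whole nodes, so they carry the limitation the description points out: taint that lives only in the contents of the argument (rather than in the argument value itself) is not propagated, because QL additional steps cannot express content-to-content flow the way MAD models can. Like the page's own snippet, the append/insert step matches any method with that name regardless of the declaring type, which is the intended trade of precision for coverage of classes that copy the Collection pattern without deriving from it.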
