Swift: Model RawRepresentable.

geoffw0 · geoffw0 · commit 4e29ed5ff07d · 2023-10-13T15:00:49.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/RawRepresentable.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides models the `RawRepresentable` Swift class.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `RawRepresentable` class members that permit taint flow.
+ */
+private class RawRepresentableSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";RawRepresentable;true;init(rawValue:);;;Argument[0];ReturnValue;taint"
+  }
+}
+
+/**
+ * A content implying that, if an `RawRepresentable` is tainted, then
+ * the `rawValue` field is tainted as well.
+ */
+private class RawRepresentableFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent
+{
+  RawRepresentableFieldsInheritTaint() {
+    exists(FieldDecl fieldDecl, Decl declaringDecl, TypeDecl namedTypeDecl |
+      namedTypeDecl.getFullName() = "RawRepresentable" and
+      fieldDecl.getName() = "rawValue" and
+      declaringDecl.getAMember() = fieldDecl and
+      declaringDecl.asNominalTypeDecl() = namedTypeDecl.getADerivedTypeDecl*() and
+      this.getField() = fieldDecl
+    )
+  }
+}
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
@@ -17,6 +17,7 @@ private import NsObject
 private import NsString
 private import NsUrl
 private import Numeric
+private import RawRepresentable
 private import PointerTypes
 private import Sequence
 private import Set
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/optionset.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/optionset.swift
@@ -36,11 +36,11 @@ func testRawRepresentable() {
 
   sink(arg: rr1)
   sink(arg: rr2)
-  sink(arg: rr3) // $ MISSING: tainted=
+  sink(arg: rr3) // $ tainted=35
 
   sink(arg: rr1.rawValue)
   sink(arg: rr2.rawValue)
-  sink(arg: rr3.rawValue) // $ MISSING: tainted=
+  sink(arg: rr3.rawValue) // $ tainted=35
 }
 
 // ---
@@ -57,10 +57,10 @@ func testOptionSet() {
 	sink(arg: MyOptionSet.red)
 	sink(arg: MyOptionSet([.red, .green]))
 	sink(arg: MyOptionSet(rawValue: 0))
-	sink(arg: MyOptionSet(rawValue: sourceUInt())) // $ MISSING: tainted=
+	sink(arg: MyOptionSet(rawValue: sourceUInt())) // $ tainted=60
 
 	sink(arg: MyOptionSet.red.rawValue)
 	sink(arg: MyOptionSet([.red, .green]).rawValue)
 	sink(arg: MyOptionSet(rawValue: 0).rawValue)
-	sink(arg: MyOptionSet(rawValue: sourceUInt()).rawValue) // $ MISSING: tainted=
+	sink(arg: MyOptionSet(rawValue: sourceUInt()).rawValue) // $ tainted=65
 }
