Swift: Proof of concept fix.

geoffw0 · geoffw0 · commit 9f86bcb1b8ca · 2023-03-03T15:04:47.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -211,6 +211,8 @@ private predicate modifiable(Argument arg) {
   arg.getExpr() instanceof InOutExpr
   or
   arg.getExpr().getType() instanceof NominalType
+  or
+  arg.getLabel() = "ptr"
 }
 
 predicate modifiableParam(ParamDecl param) {
diff --git a/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift b/swift/ql/test/library-tests/dataflow/taint/libraries/unsafepointer.swift
@@ -25,7 +25,7 @@ func taintPointer(ptr: UnsafeMutablePointer<String>) {
 }
 
 func clearPointer2(ptr: UnsafeMutablePointer<String>) {
-  sink(arg: ptr.pointee) // $ MISSING: tainted=21
+  sink(arg: ptr.pointee) // $ tainted=21
   sink(arg: ptr)
 
   ptr.pointee = "abc"
@@ -42,12 +42,12 @@ func testMutatingPointerInCall(ptr: UnsafeMutablePointer<String>) {
 
   taintPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
 
-  sink(arg: ptr.pointee) // $ MISSING: tainted=21
+  sink(arg: ptr.pointee) // $ tainted=21
   sink(arg: ptr)
 
   clearPointer2(ptr: ptr)
 
-  sink(arg: ptr.pointee)
+  sink(arg: ptr.pointee) // $ SPURIOUS: tainted=21
   sink(arg: ptr)
 }
 
@@ -96,6 +96,6 @@ func testMutatingMyPointerInCall(ptr: MyPointer) {
 
   taintMyPointer(ptr: ptr) // mutates `ptr` pointee with a tainted value
 
-  sink(arg: ptr.pointee) // $ MISSING: tainted=87
+  sink(arg: ptr.pointee) // $ tainted=87
   sink(arg: ptr)
 }

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,8 @@ private predicate modifiable(Argument arg) {`
`211`	`211`	`arg.getExpr() instanceof InOutExpr`
`212`	`212`	`or`
`213`	`213`	`arg.getExpr().getType() instanceof NominalType`
	`214`	`+ or`
	`215`	`+ arg.getLabel() = "ptr"`
`214`	`216`	`}`
`215`	`217`
`216`	`218`	`predicate modifiableParam(ParamDecl param) {`