Swift: Taint flow improvements #10000

Merged
merged 12 commits into from
Aug 10, 2022
Conversation

geoffw0
Contributor

@geoffw0 geoffw0 commented Aug 9, 2022

Taint flow improvements for Swift:

  • expanded the taint flow tests
  • moved the special cases from UnsafeWebViewFetch.ql to TaintTrackingPrivate.qll so that all queries can benefit.

The next step (in a follow-up PR) will be converting these to models-as-data summaries, which are more concise (but my first attempt isn't working). With that I should be able to add the required bits to cover most / all of the rest of the test cases quite easily.

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note Swift labels Aug 9, 2022
@geoffw0 geoffw0 requested a review from a team as a code owner August 9, 2022 18:09
@MathiasVP
Contributor

The next step (in a follow-up PR) will be converting these to models-as-data summaries, which are more concise (but my first attempt isn't working). With that I should be able to add the required bits to cover most / all of the rest of the test cases quite easily.

I'm not surprised MaD summaries for taint aren't working. I've only added support for MaD sources so far. It shouldn't be difficult to add MaD support for flow steps, though - that work just hasn't been scheduled yet. If we're starting on library modeling we should schedule it soon, though.
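To make concrete what "moving the special cases into TaintTrackingPrivate.qll so that all queries can benefit" means, and the kind of flow step that the comment above says models-as-data cannot yet express, here is an added example of a single shared taint step through a `Data` initializer, the case the `Data(dataTainted)` test line exercises. This is illustrative code written for this page, not code from the PR or from the CodeQL Swift library. The predicate names `isDataInitializerCall` and `dataInitializerTaintStep` are hypothetical, and the AST and data-flow API names listed in the header comment (`CallExpr`, `getStaticTarget()`, `ConstructorDecl`, `Argument.getExpr()`, `Expr.getType().getName()`, `DataFlow::Node.asExpr()`) are assumptions about the Swift library at the time, not something the page confirms.

```ql
/**
 * Illustrative only (not from the PR): a library-level taint step through
 * `Data(_:)`, written in the style of a `localAdditionalTaintStep` case so
 * that every query, not just UnsafeWebViewFetch.ql, sees taint survive the
 * copy into a fresh `Data` value.
 *
 * Assumptions about the Swift QL library (not confirmed by the page):
 * `CallExpr`, `ApplyExpr.getStaticTarget()`, `ConstructorDecl`,
 * `Argument.getExpr()`, `Expr.getType().getName()` and
 * `DataFlow::Node.asExpr()` exist with the meanings used below.
 */
private import swift
private import codeql.swift.dataflow.DataFlow

/**
 * Holds if `call` invokes an initializer of the `Data` struct,
 * for example `Data(dataTainted)` or `Data(bytes: buf)`.
 * Matching on the static target plus the result type avoids
 * catching unrelated functions that merely return `Data`.
 */
private predicate isDataInitializerCall(CallExpr call) {
  call.getStaticTarget() instanceof ConstructorDecl and
  call.getType().getName() = "Data"
}

/**
 * Taint step: any argument of a `Data` initializer taints the constructed
 * `Data` value. Deliberately coarse: a tainted count or capacity argument
 * would also mark the result, which is the usual over-approximation taint
 * tracking accepts in exchange for not missing real copies of the bytes.
 */
predicate dataInitializerTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
  exists(CallExpr call |
    isDataInitializerCall(call) and
    nodeFrom.asExpr() = call.getAnArgument().getExpr() and
    nodeTo.asExpr() = call
  )
}
```

Such a predicate would be added as one more disjunct of the shared local additional taint step in TaintTrackingPrivate.qll rather than inside a single query, which is exactly the relocation the PR description refers to. As a models-as-data summary the same fact collapses to one row mapping the initializer's argument to its return value with a taint kind, but on this page that machinery is only described as planned, and the Swift column layout is not shown here.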

let dataTainted2 = Data(dataTainted)

sink(arg: dataClean)
sink(arg: dataTainted) // tainted [NOT DETECTED]
Contributor

Now that we have InlineExpectationsTest for Swift we should convert our tests to use that framework. No need to do it in this PR, though.

Contributor Author

Yeah, that might be good as a follow-up PR.

Contributor Author

Added to the issue.

Contributor Author

I can make an inline expectation test for the sinks that taint reaches (annotated with where taint came from), but it won't have the same detail (path edges etc) as the query as it is. Do you think I should keep both queries or prefer just one?

Contributor

Yeah, I think there's value in testing the paths as well.

Contributor Author

I'm a little reluctant to have three similar but different tests on the same code (when you include LocalTaint.ql), but the taint tests are really important. 👍

@geoffw0
Contributor Author

geoffw0 commented Aug 10, 2022

I've only added support for MaD sources so far. It shouldn't be difficult to add MaD support for flow steps, though - that work just hasn't been scheduled yet. If we're starting on library modeling we should schedule it soon, though.

Do you know what needs doing for this? I had a look but couldn't see anything obviously missing (apart from a TODO about return types).

@MathiasVP
Contributor

Do you know what needs doing for this? I had a look but couldn't see anything obviously missing (apart from a TODO about return types).

We have the dataflow node that represents flow through MaD. But that node is not currently being propagated anywhere (i.e., we need to extend the set of ReturnNodes and OutNodes to include flow out of modeled calls, and we need to extend ArgumentNodes and ParameterNodes to contain flow into modeled calls).


@MathiasVP MathiasVP left a comment


LGTM!
