Merge pull request #14383 from geoffw0/nsstringregex

Swift: Add regular expression evaluation models for StringProtocol and NSString methods

Author: MathiasVP

swift/ql/lib/change-notes/2023-10-05-regex-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added models of `StringProtocol` and `NSString` methods that evaluate regular expressions.

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -69,10 +69,15 @@ abstract class RegexCreation extends DataFlow::Node {
   abstract DataFlow::Node getStringInput();
 
   /**
-   * Gets a dataflow node for the options input that might contain parse mode
-   * flags (if any).
+   * Gets a dataflow node for an options input that might contain options
+   * such as parse mode flags (if any).
    */
-  DataFlow::Node getOptionsInput() { none() }
+  DataFlow::Node getAnOptionsInput() { none() }
+
+  /**
+   * DEPRECATED: Use `getAnOptionsInput()` instead.
+   */
+  deprecated DataFlow::Node getOptionsInput() { result = this.getAnOptionsInput() }
 }
 
 /**
@@ -110,7 +115,7 @@ private class NSRegularExpressionRegexCreation extends RegexCreation {
 
   override DataFlow::Node getStringInput() { result = input }
 
-  override DataFlow::Node getOptionsInput() {
+  override DataFlow::Node getAnOptionsInput() {
     result.asExpr() = this.asExpr().(CallExpr).getArgument(1).getExpr()
   }
 }
@@ -121,7 +126,8 @@ private newtype TRegexParseMode =
   MkDotAll() or // dot matches all characters, including line terminators
   MkMultiLine() or // `^` and `$` also match beginning and end of lines
   MkUnicodeBoundary() or // Unicode UAX 29 word boundary mode
-  MkUnicode() // Unicode matching
+  MkUnicode() or // Unicode matching
+  MkAnchoredStart() // match must begin at start of string
 
 /**
  * A regular expression parse mode flag.
@@ -142,6 +148,8 @@ class RegexParseMode extends TRegexParseMode {
     this = MkUnicodeBoundary() and result = "UNICODEBOUNDARY"
     or
     this = MkUnicode() and result = "UNICODE"
+    or
+    this = MkAnchoredStart() and result = "ANCHOREDSTART"
   }
 
   /**
@@ -207,9 +215,9 @@ class RegexRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
 }
 
 /**
- * An additional flow step for `NSRegularExpression`.
+ * An additional flow step for `NSRegularExpression.Options`.
  */
-class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+private class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
   override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
 
   override predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet) {
@@ -257,6 +265,34 @@ class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep
   }
 }
 
+/**
+ * An additional flow step for `NSString.CompareOptions`.
+ */
+private class NSStringRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+
+  override predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet) {
+    // `NSString.CompareOptions` values (these are typically combined with
+    // `NSString.CompareOptions.regularExpression`, then passed into a `StringProtocol`
+    // or `NSString` method).
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "caseInsensitive") and
+    mode = MkIgnoreCase() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "anchored") and
+    mode = MkAnchoredStart() and
+    isSet = true
+  }
+}
+
 /**
  * A call that evaluates a regular expression. For example, the call to `firstMatch` in:
  * ```
@@ -265,27 +301,46 @@ class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep
  */
 abstract class RegexEval extends CallExpr {
   /**
-   * Gets the input to this call that is the regular expression being evaluated. This may
-   * be a regular expression object or a string literal.
+   * Gets the input to this call that is the regular expression being evaluated.
+   * This may be a regular expression object or a string literal.
+   *
+   * Consider using `getARegex()` instead (which tracks the regular expression
+   * input back to its source).
+   */
+  abstract DataFlow::Node getRegexInputNode();
+
+  /**
+   * DEPRECATED: Use `getRegexInputNode()` instead.
    */
-  abstract Expr getRegexInput();
+  deprecated Expr getRegexInput() { result = this.getRegexInputNode().asExpr() }
 
   /**
    * Gets the input to this call that is the string the regular expression is evaluated on.
    */
-  abstract Expr getStringInput();
+  abstract DataFlow::Node getStringInputNode();
+
+  /**
+   * DEPRECATED: Use `getStringInputNode()` instead.
+   */
+  deprecated Expr getStringInput() { result = this.getStringInputNode().asExpr() }
+
+  /**
+   * Gets a dataflow node for an options input that might contain options such
+   * as parse mode flags (if any).
+   */
+  DataFlow::Node getAnOptionsInput() { none() }
 
   /**
    * Gets a regular expression value that is evaluated here (if any can be identified).
    */
   RegExp getARegex() {
     // string literal used directly as a regex
-    DataFlow::exprNode(result).(ParsedStringRegex).getAParse().asExpr() = this.getRegexInput()
+    DataFlow::exprNode(result).(ParsedStringRegex).getAParse() = this.getRegexInputNode()
     or
     // string literal -> regex object -> use
     exists(RegexCreation regexCreation |
       DataFlow::exprNode(result).(ParsedStringRegex).getAParse() = regexCreation.getStringInput() and
-      RegexUseFlow::flow(regexCreation, DataFlow::exprNode(this.getRegexInput()))
+      RegexUseFlow::flow(regexCreation, this.getRegexInputNode())
     )
   }
 
@@ -298,7 +353,10 @@ abstract class RegexEval extends CallExpr {
       // parse mode flag is set
       any(RegexAdditionalFlowStep s).setsParseMode(setNode, result, true) and
       // reaches this eval
-      RegexParseModeFlow::flow(setNode, DataFlow::exprNode(this.getRegexInput()))
+      (
+        RegexParseModeFlow::flow(setNode, this.getRegexInputNode()) or
+        RegexParseModeFlow::flow(setNode, this.getAnOptionsInput())
+      )
     )
   }
 }
@@ -307,15 +365,15 @@ abstract class RegexEval extends CallExpr {
  * A call to a function that always evaluates a regular expression.
  */
 private class AlwaysRegexEval extends RegexEval {
-  Expr regexInput;
-  Expr stringInput;
+  DataFlow::Node regexInput;
+  DataFlow::Node stringInput;
 
   AlwaysRegexEval() {
     this.getStaticTarget()
         .(Method)
         .hasQualifiedName("Regex", ["firstMatch(in:)", "prefixMatch(in:)", "wholeMatch(in:)"]) and
-    regexInput = this.getQualifier() and
-    stringInput = this.getArgument(0).getExpr()
+    regexInput.asExpr() = this.getQualifier() and
+    stringInput.asExpr() = this.getArgument(0).getExpr()
     or
     this.getStaticTarget()
         .(Method)
@@ -327,8 +385,8 @@ private class AlwaysRegexEval extends RegexEval {
             "replaceMatches(in:options:range:withTemplate:)",
             "stringByReplacingMatches(in:options:range:withTemplate:)"
           ]) and
-    regexInput = this.getQualifier() and
-    stringInput = this.getArgument(0).getExpr()
+    regexInput.asExpr() = this.getQualifier() and
+    stringInput.asExpr() = this.getArgument(0).getExpr()
     or
     this.getStaticTarget()
         .(Method)
@@ -339,8 +397,8 @@ private class AlwaysRegexEval extends RegexEval {
             "split(separator:maxSplits:omittingEmptySubsequences:)", "starts(with:)",
             "trimmingPrefix(_:)", "wholeMatch(of:)"
           ]) and
-    regexInput = this.getArgument(0).getExpr() and
-    stringInput = this.getQualifier()
+    regexInput.asExpr() = this.getArgument(0).getExpr() and
+    stringInput.asExpr() = this.getQualifier()
     or
     this.getStaticTarget()
         .(Method)
@@ -351,11 +409,103 @@ private class AlwaysRegexEval extends RegexEval {
             "replacing(_:with:maxReplacements:)", "replacing(_:with:subrange:maxReplacements:)",
             "trimPrefix(_:)"
           ]) and
-    regexInput = this.getArgument(0).getExpr() and
-    stringInput = this.getQualifier()
+    regexInput.asExpr() = this.getArgument(0).getExpr() and
+    stringInput.asExpr() = this.getQualifier()
   }
 
-  override Expr getRegexInput() { result = regexInput }
+  override DataFlow::Node getRegexInputNode() { result = regexInput }
 
-  override Expr getStringInput() { result = stringInput }
+  override DataFlow::Node getStringInputNode() { result = stringInput }
+}
+
+/**
+ * A call to a function that sometimes evaluates a regular expression, if
+ * `NSString.CompareOptions.regularExpression` is set as an `options` argument.
+ *
+ * This is a helper class for `NSStringCompareOptionsRegexEval`.
+ */
+private class NSStringCompareOptionsPotentialRegexEval extends CallExpr {
+  DataFlow::Node regexInput;
+  DataFlow::Node stringInput;
+  DataFlow::Node optionsInput;
+
+  NSStringCompareOptionsPotentialRegexEval() {
+    (
+      this.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("StringProtocol",
+            ["range(of:options:range:locale:)", "replacingOccurrences(of:with:options:range:)"])
+      or
+      this.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("NSString",
+            [
+              "range(of:options:)", "range(of:options:range:)", "range(of:options:range:locale:)",
+              "replacingOccurrences(of:with:options:range:)"
+            ])
+    ) and
+    regexInput.asExpr() = this.getArgument(0).getExpr() and
+    stringInput.asExpr() = this.getQualifier() and
+    optionsInput.asExpr() = this.getArgumentWithLabel("options").getExpr()
+  }
+
+  DataFlow::Node getRegexInput() { result = regexInput }
+
+  DataFlow::Node getStringInput() { result = stringInput }
+
+  DataFlow::Node getAnOptionsInput() { result = optionsInput }
+}
+
+/**
+ * A data flow configuration for tracking `NSString.CompareOptions.regularExpression`
+ * values from where they are created to the point of use.
+ */
+private module NSStringCompareOptionsFlagConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // creation of a `NSString.CompareOptions.regularExpression` value
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSString.CompareOptions", "regularExpression")
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // use in a [potential] regex eval `options` argument
+    any(NSStringCompareOptionsPotentialRegexEval potentialEval).getAnOptionsInput() = node
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from collection content at the sink.
+    isSink(node) and
+    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
+  }
+}
+
+module NSStringCompareOptionsFlagFlow = DataFlow::Global<NSStringCompareOptionsFlagConfig>;
+
+/**
+ * A call to a function that evaluates a regular expression because
+ * `NSString.CompareOptions.regularExpression` is set as an `options` argument.
+ */
+private class NSStringCompareOptionsRegexEval extends RegexEval instanceof NSStringCompareOptionsPotentialRegexEval
+{
+  NSStringCompareOptionsRegexEval() {
+    // check there is flow from a `NSString.CompareOptions.regularExpression` value to an `options` argument;
+    // if there isn't, the input won't be interpretted as a regular expression.
+    NSStringCompareOptionsFlagFlow::flow(_,
+      this.(NSStringCompareOptionsPotentialRegexEval).getAnOptionsInput())
+  }
+
+  override DataFlow::Node getRegexInputNode() {
+    result = this.(NSStringCompareOptionsPotentialRegexEval).getRegexInput()
+  }
+
+  override DataFlow::Node getStringInputNode() {
+    result = this.(NSStringCompareOptionsPotentialRegexEval).getStringInput()
+  }
+
+  override DataFlow::Node getAnOptionsInput() {
+    result = this.(NSStringCompareOptionsPotentialRegexEval).getAnOptionsInput()
+  }
 }

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -20,7 +20,7 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // evaluated directly as a regular expression
-    node.asExpr() = any(RegexEval eval).getRegexInput()
+    node = any(RegexEval eval).getRegexInputNode()
     or
     // used to create a regular expression object
     node = any(RegexCreation regexCreation).getStringInput()
@@ -41,7 +41,7 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // evaluation of the regex
-    node.asExpr() = any(RegexEval eval).getRegexInput()
+    node = any(RegexEval eval).getRegexInputNode()
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -65,8 +65,11 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
   }
 
   predicate isSink(DataFlow::Node node, FlowState flowstate) {
-    // evaluation of the regex
-    node.asExpr() = any(RegexEval eval).getRegexInput() and
+    // evaluation of a regex
+    (
+      node = any(RegexEval eval).getRegexInputNode() or
+      node = any(RegexEval eval).getAnOptionsInput()
+    ) and
     exists(flowstate)
   }
 
@@ -86,7 +89,7 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
     or
     // flow through regex creation
     exists(RegexCreation create |
-      nodeFrom = create.getOptionsInput() and
+      nodeFrom = create.getAnOptionsInput() and
       nodeTo = create
     )
     or

swift/ql/lib/codeql/swift/security/regex/RegexInjectionExtensions.qll

@@ -37,7 +37,7 @@ class RegexInjectionAdditionalFlowStep extends Unit {
  * These cases are modeled separately.
  */
 private class EvalRegexInjectionSink extends RegexInjectionSink {
-  EvalRegexInjectionSink() { this.asExpr() = any(RegexEval e).getRegexInput() }
+  EvalRegexInjectionSink() { this = any(RegexEval e).getRegexInputNode() }
 }
 
 /**