Merge pull request #13770 from geoffw0/parsemode3

Swift: Track regular expression parse modes set in code

Author: geoffw0

swift/ql/lib/change-notes/2023-07-19-regex-mode-flags -more.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expression library now understands mode flags specified by `Regex` methods and the `NSRegularExpression` initializer.

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -36,28 +36,191 @@ abstract class RegexCreation extends DataFlow::Node {
    * created from.
    */
   abstract DataFlow::Node getStringInput();
+
+  /**
+   * Gets a dataflow node for the options input that might contain parse mode
+   * flags (if any).
+   */
+  DataFlow::Node getOptionsInput() { none() }
 }
 
 /**
- * A data-flow node where a `Regex` or `NSRegularExpression` object is created.
+ * A data-flow node where a `Regex` object is created.
  */
-private class StandardRegexCreation extends RegexCreation {
+private class RegexRegexCreation extends RegexCreation {
   DataFlow::Node input;
 
-  StandardRegexCreation() {
+  RegexRegexCreation() {
     exists(CallExpr call |
-      (
-        call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) or
-        call.getStaticTarget()
-            .(Method)
-            .hasQualifiedName("NSRegularExpression", "init(pattern:options:)")
-      ) and
+      call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) and
+      input.asExpr() = call.getArgument(0).getExpr() and
+      this.asExpr() = call
+    )
+  }
+
+  override DataFlow::Node getStringInput() { result = input }
+}
+
+/**
+ * A data-flow node where an `NSRegularExpression` object is created.
+ */
+private class NSRegularExpressionRegexCreation extends RegexCreation {
+  DataFlow::Node input;
+
+  NSRegularExpressionRegexCreation() {
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("NSRegularExpression", "init(pattern:options:)") and
       input.asExpr() = call.getArgument(0).getExpr() and
       this.asExpr() = call
     )
   }
 
   override DataFlow::Node getStringInput() { result = input }
+
+  override DataFlow::Node getOptionsInput() {
+    result.asExpr() = this.asExpr().(CallExpr).getArgument(1).getExpr()
+  }
+}
+
+private newtype TRegexParseMode =
+  MkIgnoreCase() or // case insensitive
+  MkVerbose() or // ignores whitespace and `#` comments within patterns
+  MkDotAll() or // dot matches all characters, including line terminators
+  MkMultiLine() or // `^` and `$` also match beginning and end of lines
+  MkUnicode() // Unicode UAX 29 word boundary mode
+
+/**
+ * A regular expression parse mode flag.
+ */
+class RegexParseMode extends TRegexParseMode {
+  /**
+   * Gets the name of this parse mode flag.
+   */
+  string getName() {
+    this = MkIgnoreCase() and result = "IGNORECASE"
+    or
+    this = MkVerbose() and result = "VERBOSE"
+    or
+    this = MkDotAll() and result = "DOTALL"
+    or
+    this = MkMultiLine() and result = "MULTILINE"
+    or
+    this = MkUnicode() and result = "UNICODE"
+  }
+
+  /**
+   * Gets a textual representation of this `RegexParseMode`.
+   */
+  string toString() { result = this.getName() }
+}
+
+/**
+ * A unit class for adding additional flow steps for regular expressions.
+ */
+class RegexAdditionalFlowStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a flow
+   * step for regular expressions.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+
+  /**
+   * Holds if a regular expression parse mode is either set (`isSet` = true)
+   * or unset (`isSet` = false) at `node`. Parse modes propagate through
+   * array construction and regex construction.
+   */
+  abstract predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet);
+}
+
+/**
+ * An additional flow step for `Regex`.
+ */
+class RegexRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    this.setsParseModeEdge(nodeFrom, nodeTo, _, _)
+  }
+
+  override predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet) {
+    this.setsParseModeEdge(_, node, mode, isSet)
+  }
+
+  private predicate setsParseModeEdge(
+    DataFlow::Node nodeFrom, DataFlow::Node nodeTo, RegexParseMode mode, boolean isSet
+  ) {
+    // `Regex` methods that modify the parse mode of an existing `Regex` object.
+    exists(CallExpr ce |
+      nodeFrom.asExpr() = ce.getQualifier() and
+      nodeTo.asExpr() = ce and
+      // decode the parse mode being set
+      (
+        ce.getStaticTarget().(Method).hasQualifiedName("Regex", "ignoresCase(_:)") and
+        mode = MkIgnoreCase()
+        or
+        ce.getStaticTarget().(Method).hasQualifiedName("Regex", "dotMatchesNewlines(_:)") and
+        mode = MkDotAll()
+        or
+        ce.getStaticTarget().(Method).hasQualifiedName("Regex", "anchorsMatchLineEndings(_:)") and
+        mode = MkMultiLine()
+      ) and
+      // decode the value being set
+      if ce.getArgument(0).getExpr().(BooleanLiteralExpr).getValue() = false
+      then isSet = false // mode is set to false
+      else isSet = true // mode is set to true OR mode is set to default (=true) OR mode is set to an unknown value
+    )
+  }
+}
+
+/**
+ * An additional flow step for `NSRegularExpression`.
+ */
+class NSRegularExpressionRegexAdditionalFlowStep extends RegexAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+
+  override predicate setsParseMode(DataFlow::Node node, RegexParseMode mode, boolean isSet) {
+    // `NSRegularExpression.Options` values (these are typically combined, then passed into
+    // the `NSRegularExpression` initializer).
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSRegularExpression.Options", "caseInsensitive") and
+    mode = MkIgnoreCase() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSRegularExpression.Options", "allowCommentsAndWhitespace") and
+    mode = MkVerbose() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSRegularExpression.Options", "dotMatchesLineSeparators") and
+    mode = MkDotAll() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSRegularExpression.Options", "anchorsMatchLines") and
+    mode = MkMultiLine() and
+    isSet = true
+    or
+    node.asExpr()
+        .(MemberRefExpr)
+        .getMember()
+        .(FieldDecl)
+        .hasQualifiedName("NSRegularExpression.Options", "useUnicodeWordBoundaries") and
+    mode = MkUnicode() and
+    isSet = true
+  }
 }
 
 /**
@@ -91,6 +254,19 @@ abstract class RegexEval extends CallExpr {
       RegexUseFlow::flow(regexCreation, DataFlow::exprNode(this.getRegexInput()))
     )
   }
+
+  /**
+   * Gets a parse mode that is set at this evaluation (in at least one path
+   * from the creation of the regular expression object).
+   */
+  RegexParseMode getAParseMode() {
+    exists(DataFlow::Node setNode |
+      // parse mode flag is set
+      any(RegexAdditionalFlowStep s).setsParseMode(setNode, result, true) and
+      // reaches this eval
+      RegexParseModeFlow::flow(setNode, DataFlow::exprNode(this.getRegexInput()))
+    )
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/regex/internal/ParseRegex.qll

@@ -6,6 +6,8 @@
  */
 
 import swift
+private import RegexTracking
+private import codeql.swift.regex.Regex
 
 /**
  * A `Expr` containing a regular expression term, that is, either
@@ -317,14 +319,24 @@ abstract class RegExp extends Expr {
   }
 
   /**
-   * Gets a mode (if any) of this regular expression. Can be any of:
+   * Gets a mode (if any) of this regular expression in any evaluation. Can be
+   * any of:
    * IGNORECASE
    * VERBOSE
    * DOTALL
    * MULTILINE
    * UNICODE
    */
-  string getAMode() { result = this.getModeFromPrefix() }
+  string getAMode() {
+    // mode flags from inside the regex string
+    result = this.getModeFromPrefix()
+    or
+    // mode flags applied to the regex object before evaluation
+    exists(RegexEval e |
+      e.getARegex() = this and
+      result = e.getAParseMode().getName()
+    )
+  }
 
   /**
    * Holds if the `i`th character could not be parsed.

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -6,7 +6,7 @@
 
 import swift
 import codeql.swift.regex.RegexTreeView
-private import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.DataFlow
 private import ParseRegex
 private import codeql.swift.regex.Regex
 
@@ -37,7 +37,6 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     // creation of the regex
     node instanceof RegexCreation
-    // TODO: track parse mode flags.
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -46,9 +45,60 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // TODO: flow through regex methods that return a modified regex.
-    none()
+    any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 
 module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
+
+/**
+ * A data flow configuration for tracking regular expression parse mode
+ * flags from wherever they are created or set through to regular expression
+ * evaluation. The flow state encodes which parse mode flag was set.
+ */
+private module RegexParseModeConfig implements DataFlow::StateConfigSig {
+  class FlowState = RegexParseMode;
+
+  predicate isSource(DataFlow::Node node, FlowState flowstate) {
+    // parse mode flag is set
+    any(RegexAdditionalFlowStep s).setsParseMode(node, flowstate, true)
+  }
+
+  predicate isSink(DataFlow::Node node, FlowState flowstate) {
+    // evaluation of the regex
+    node.asExpr() = any(RegexEval eval).getRegexInput() and
+    exists(flowstate)
+  }
+
+  predicate isBarrier(DataFlow::Node node) { none() }
+
+  predicate isBarrier(DataFlow::Node node, FlowState flowstate) {
+    // parse mode flag is unset
+    any(RegexAdditionalFlowStep s).setsParseMode(node, flowstate, false)
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // flow through array construction
+    exists(ArrayExpr arr |
+      nodeFrom.asExpr() = arr.getAnElement() and
+      nodeTo.asExpr() = arr
+    )
+    or
+    // flow through regex creation
+    exists(RegexCreation create |
+      nodeFrom = create.getOptionsInput() and
+      nodeTo = create
+    )
+    or
+    // additional flow steps for regular expression objects
+    any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState flowstateFrom, DataFlow::Node nodeTo, FlowState flowStateTo
+  ) {
+    none()
+  }
+}
+
+module RegexParseModeFlow = DataFlow::GlobalWithState<RegexParseModeConfig>;