github
diff --git a/‎swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll‎
Lines changed: 2 additions & 0 deletions b/‎swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll‎
Lines changed: 34 additions & 0 deletions b/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Collection.qll‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Data.qll‎
Lines changed: 0 additions & 2 deletions b/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Data.qll‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll‎
Lines changed: 46 additions & 0 deletions b/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Sequence.qll‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll‎
Lines changed: 116 additions & 4 deletions b/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/String.qll‎
Lines changed: 116 additions & 4 deletions
@@ -78,12 +78,14 @@ private import internal.FlowSummaryImplSpecific
  * ensuring that they are visible to the taint tracking / data flow library.
  */
 private module Frameworks {
+  private import codeql.swift.frameworks.StandardLibrary.Collection
   private import codeql.swift.frameworks.StandardLibrary.CustomUrlSchemes
   private import codeql.swift.frameworks.StandardLibrary.Data
   private import codeql.swift.frameworks.StandardLibrary.FilePath
   private import codeql.swift.frameworks.StandardLibrary.InputStream
   private import codeql.swift.frameworks.StandardLibrary.NsData
   private import codeql.swift.frameworks.StandardLibrary.NsUrl
+  private import codeql.swift.frameworks.StandardLibrary.Sequence
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
 
@@ -0,0 +1,34 @@
+/**
+ * Provides models for `Collection` and related Swift classes.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `Collection` members that permit taint flow.
+ */
+private class CollectionSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";Collection;true;prefix(_:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;prefix(through:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;prefix(upTo:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;prefix(while:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;suffix(from:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
+        ";Collection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
+        ";RangeReplaceableCollection;true;remove(at:);;;Argument[-1];ReturnValue;taint",
+        ";RangeReplaceableCollection;true;removeFirst();;;Argument[-1];ReturnValue;taint",
+        ";RangeReplaceableCollection;true;removeLast();;;Argument[-1];ReturnValue;taint",
+        ";BidirectionalCollection;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
+      ]
+  }
+}
@@ -41,8 +41,6 @@ private class DataSummaries extends SummaryModelCsv {
         ";Data;true;replaceSubrange(_:with:count:);;;Argument[1];Argument[-1];taint",
         ";Data;true;replacing(_:with:maxReplacements:);;;Argument[1];Argument[-1];taint",
         ";Data;true;replacing(_:with:subrange:maxReplacements:);;;Argument[1];Argument[-1];taint",
-        // TODO: this should be implemented by a model of BidirectionalCollection
-        // ";Data;true;reversed();;;Argument[-1];ReturnValue;taint",
         ";Data;true;sorted();;;Argument[-1];ReturnValue;taint",
         ";Data;true;sorted(by:);;;Argument[-1];ReturnValue;taint",
         ";Data;true;sorted(using:);;;Argument[-1];ReturnValue;taint",
 
@@ -0,0 +1,46 @@
+/**
+ * Provides models for the `Sequence` Swift class.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `Sequence` members that permit taint flow.
+ */
+private class SequenceSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";Sequence;true;reversed();;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;prefix(_:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;prefix(while:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;suffix(_:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;dropFirst(_:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;dropLast(_:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;split(separator:maxSplits:omittingEmptySubsequences:);;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;joined();;;Argument[-1];ReturnValue;taint",
+        ";Sequence;true;joined(separator:);;;Argument[-1..0];ReturnValue;taint",
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `Sequence` is tainted, certain fields are also
+ * tainted.
+ */
+private class SequenceFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  SequenceFieldsInheritTaint() {
+    exists(FieldDecl f | this.getField() = f |
+      (
+        f.getEnclosingDecl().(NominalTypeDecl).getName() = "Sequence" or
+        f.getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getName() = "Sequence"
+      ) and
+      f.getName() = "lazy"
+    )
+  }
+}
@@ -7,6 +7,9 @@ private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
 private import codeql.swift.dataflow.FlowSteps
 
+/**
+ * A model for `String` members that are sources of remote flow.
+ */
 private class StringSource extends SourceModelCsv {
   override predicate row(string row) {
     row =
@@ -24,13 +27,122 @@ private class StringSource extends SourceModelCsv {
 }
 
 /**
- * A content implying that, if a `String` is tainted, then all its fields are tainted.
+ * A model for `String` and `StringProtocol` members that permit taint flow.
+ */
+private class StringSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";StringProtocol;true;init(cString:);;;Argument[0];ReturnValue;taint",
+        ";StringProtocol;true;init(decoding:as:);;;Argument[0];ReturnValue;taint",
+        ";StringProtocol;true;init(decodingCString:as:);;;Argument[0];ReturnValue;taint",
+        ";StringProtocol;true;addingPercentEncoding(withAllowedCharacter:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;addingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;appending(_:);;;Argument[-1..0];ReturnValue;taint",
+        ";StringProtocol;true;appendingFormat(_:_:);;;Argument[-1..0];ReturnValue;taint", //-1..
+        ";StringProtocol;true;applyingTransform(_:reverse:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;cString(using:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;capitalized(with:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[0];taint",
+        ";StringProtocol;true;completePath(into:caseSensitive:matchesInto:filterTypes:);;;Argument[-1];Argument[2];taint",
+        ";StringProtocol;true;components(separatedBy:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;data(using:allowLossyConversion:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;folding(options:locale:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;getBytes(_:maxLength:usedLength:encoding:options:range:remaining:);;;Argument[-1];Argument[0];taint",
+        ";StringProtocol;true;getCString(_:maxLength:encoding:);;;Argument[-1];Argument[0];taint",
+        ";StringProtocol;true;lowercased();;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;lowercased(with:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;padding(toLength:withPad:startingAt:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;padding(toLength:withPad:startingAt:);;;Argument[1];ReturnValue;taint",
+        ";StringProtocol;true;propertyList();;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;propertyListFromStringsFileFormat();;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;replacingCharacters(in:with:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;replacingCharacters(in:with:);;;Argument[1];ReturnValue;taint",
+        ";StringProtocol;true;replacingOccurrences(of:with:options:range);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;replacingOccurrences(of:with:options:range);;;Argument[1];ReturnValue;taint",
+        ";StringProtocol;true;replacingPercentEscapes(using:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;substring(from:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;substring(with:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;trimmingCharacters(in:);;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;uppercased();;;Argument[-1];ReturnValue;taint",
+        ";StringProtocol;true;uppercased(with:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;init(decoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(repeating:count:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(data:encoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(validatingUTF8:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(utf16CodeUnits:count:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(utf16CodeUnitsNoCopy:count:freeWhenDone:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(format:_:);;;Argument[0];ReturnValue;taint", //0..
+        ";String;true;init(format:arguments:);;;Argument[0..1];ReturnValue;taint",
+        ";String;true;init(format:locale:_:);;;Argument[0];ReturnValue;taint", //0,2..
+        ";String;true;init(format:locale:arguments:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(_:radix:uppercase:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(bytes:encoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(bytesNoCopy:length:encoding:freeWhenDone);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(describing:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contentsOf:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contentsOf:encoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contendsOf:usedEncoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contentsOfFile:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contentsOfFile:encoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(contentsOfFile:usedEncoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(from:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(stringInterpolation:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(stringLiteral:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(unicodeScalarLiteral:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(extendedGraphemeClusterLiteral:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(cString:encoding:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(platformString:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(utf8String:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(validating:);;;Argument[0];ReturnValue;taint",
+        ";String;true;init(validatingPlatformString:);;;Argument[0];ReturnValue;taint",
+        ";String;true;localizedStringWithFormat(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";String;true;write(_:);;;Argument[0];Argument[-1];taint",
+        ";String;true;write(to:);;;Argument[-1];Argument[0];taint",
+        ";String;true;append(_:);;;Argument[0];Argument[-1];taint",
+        ";String;true;append(contentsOf:);;;Argument[0];Argument[-1];taint",
+        ";String;true;insert(_:at:);;;Argument[0];Argument[-1];taint",
+        ";String;true;insert(contentsOf:at:);;;Argument[0];Argument[-1];taint",
+        ";String;true;replaceSubrange(_:with::);;;Argument[1];Argument[-1];taint",
+        ";String;true;popLast();;;Argument[-1];ReturnValue;taint",
+        ";String;true;first(where:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;last(where:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;max();;;Argument[-1];ReturnValue;taint",
+        ";String;true;max(by:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;min();;;Argument[-1];ReturnValue;taint",
+        ";String;true;min(by:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;subscript(_:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;split(maxSplits:omittingEmptySubsequences:whereSeparator:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;randomElement();;;Argument[-1];ReturnValue;taint",
+        ";String;true;randomElement(using:);;;Argument[-1];ReturnValue;taint",
+        ";String;true;enumerated();;;Argument[-1];ReturnValue;taint",
+        ";String;true;encode(to:);;;Argument[-1];Argument[0];taint"
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `String` is tainted, then many of its fields are
+ * tainted. This also includes fields declared in `StringProtocol`.
  */
 private class StringFieldsInheritTaint extends TaintInheritingContent,
   DataFlow::Content::FieldContent {
   StringFieldsInheritTaint() {
-    this.getField().getEnclosingDecl().(ClassOrStructDecl).getFullName() = "String" or
-    this.getField().getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getFullName() =
-      "String"
+    exists(FieldDecl f | this.getField() = f |
+      (
+        f.getEnclosingDecl().(NominalTypeDecl).getName() = ["String", "StringProtocol"] or
+        f.getEnclosingDecl().(ExtensionDecl).getExtendedTypeDecl().getName() =
+          ["String", "StringProtocol"]
+      ) and
+      f.getName() =
+        [
+          "first", "last", "unicodeScalars", "utf8", "utf16", "lazy", "utf8CString", "description",
+          "debugDescription", "dataValue", "identifierValue", "capitalized", "localizedCapitalized",
+          "localizedLowercase", "localizedUppercase", "decomposedStringWithCanonicalMapping",
+          "decomposedStringWithCompatibilityMapping", "precomposedStringWithCanonicalMapping",
+          "precomposedStringWithCompatibilityMapping", "removingPercentEncoding"
+        ]
+    )
   }
 }