Swift: Add RegexUseFlow and modify the role of StringLiteralUseFlow.

Author: geoffw0

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -9,23 +9,22 @@ private import internal.ParseRegex
 private import internal.RegexTracking
 
 /**
- * A string literal that is used as a regular expression in a regular
- * expression evaluation. For example the string literal `"(a|b).*"` in:
+ * A string literal that is used as a regular expression. For example
+ * the string literal `"(a|b).*"` in:
  * ```
  * Regex("(a|b).*").firstMatch(in: myString)
  * ```
  */
 private class ParsedStringRegex extends RegExp, StringLiteralExpr {
-  RegexEval eval;
+  DataFlow::Node use;
 
-  ParsedStringRegex() {
-    StringLiteralUseFlow::flow(DataFlow::exprNode(this), DataFlow::exprNode(eval.getRegexInput()))
-  }
+  ParsedStringRegex() { StringLiteralUseFlow::flow(DataFlow::exprNode(this), use) }
 
   /**
-   * Gets a call that evaluates this regular expression.
+   * Gets a dataflow node where this string literal is used as a regular
+   * expression.
    */
-  RegexEval getEval() { result = eval }
+  DataFlow::Node getUse() { result = use }
 }
 
 /**
@@ -69,7 +68,8 @@ private class StandardRegexCreation extends RegexCreation {
  */
 abstract class RegexEval extends CallExpr {
   /**
-   * Gets the input to this call that is the regular expression being evaluated.
+   * Gets the input to this call that is the regular expression being evaluated. This may
+   * be a regular expression object or a string literal.
    */
   abstract Expr getRegexInput();
 
@@ -81,7 +81,16 @@ abstract class RegexEval extends CallExpr {
   /**
    * Gets a regular expression value that is evaluated here (if any can be identified).
    */
-  RegExp getARegex() { result.(ParsedStringRegex).getEval() = this }
+  RegExp getARegex() {
+    // string literal used directly as a regex
+    result.(ParsedStringRegex).getUse().asExpr() = this.getRegexInput()
+    or
+    // string literal -> regex object -> use
+    exists(RegexCreation regexCreation |
+      result.(ParsedStringRegex).getUse() = regexCreation.getStringInput() and
+      RegexUseFlow::flow(regexCreation, DataFlow::exprNode(this.getRegexInput()))
+    )
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -11,21 +11,46 @@ private import ParseRegex
 private import codeql.swift.regex.Regex
 
 /**
- * A data flow configuration for tracking string literals that are used as
- * regular expressions.
+ * A data flow configuration for tracking string literals that are used to
+ * create regular expression objects, or are evaluated directly as regular
+ * expressions.
  */
 private module StringLiteralUseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
 
-  predicate isSink(DataFlow::Node node) { node.asExpr() = any(RegexEval eval).getRegexInput() }
+  predicate isSink(DataFlow::Node node) {
+    // evaluated directly as a regular expression
+    node.asExpr() = any(RegexEval eval).getRegexInput()
+    or
+    // used to create a regular expression object
+    node = any(RegexCreation regexCreation).getStringInput()
+  }
+}
 
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // flow through `Regex` initializer, i.e. from a string to a `Regex` object.
+module StringLiteralUseFlow = DataFlow::Global<StringLiteralUseConfig>;
+
+/**
+ * A data flow configuration for tracking regular expression objects from
+ * creation to the point of use.
+ */
+private module RegexUseConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // creation of the regex
     exists(RegexCreation regexCreation |
-      nodeFrom = regexCreation.getStringInput() and
-      nodeTo = regexCreation
+      node = regexCreation
     )
+    // TODO: track parse mode flags.
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // evaluation of the regex
+    node.asExpr() = any(RegexEval eval).getRegexInput()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // TODO: flow through regex methods that return a modified regex.
+    none()
   }
 }
 
-module StringLiteralUseFlow = DataFlow::Global<StringLiteralUseConfig>;
+module RegexUseFlow = DataFlow::Global<RegexUseConfig>;