Swift: Create a model for RegexCreation.

geoffw0 · geoffw0 · commit c76d85df1be9 · 2023-07-18T09:49:47.000+01:00
diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll
@@ -28,6 +28,39 @@ private class ParsedStringRegex extends RegExp, StringLiteralExpr {
   RegexEval getEval() { result = eval }
 }
 
+/**
+ * A data-flow node where a regular expression object is created.
+ */
+abstract class RegexCreation extends DataFlow::Node {
+  /**
+   * Gets a dataflow node for the string that the regular expression object is
+   * created from.
+   */
+  abstract DataFlow::Node getStringInput();
+}
+
+/**
+ * A data-flow node where a `Regex` or `NSRegularExpression` object is created.
+ */
+private class StandardRegexCreation extends RegexCreation {
+  DataFlow::Node input;
+
+  StandardRegexCreation() {
+    exists(CallExpr call |
+      (
+        call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) or
+        call.getStaticTarget()
+            .(Method)
+            .hasQualifiedName("NSRegularExpression", "init(pattern:options:)")
+      ) and
+      input.asExpr() = call.getArgument(0).getExpr() and
+      this.asExpr() = call
+    )
+  }
+
+  override DataFlow::Node getStringInput() { result = input }
+}
+
 /**
  * A call that evaluates a regular expression. For example, the call to `firstMatch` in:
  * ```
diff --git a/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll b/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll
@@ -21,15 +21,9 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     // flow through `Regex` initializer, i.e. from a string to a `Regex` object.
-    exists(CallExpr call |
-      (
-        call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) or
-        call.getStaticTarget()
-            .(Method)
-            .hasQualifiedName("NSRegularExpression", "init(pattern:options:)")
-      ) and
-      nodeFrom.asExpr() = call.getArgument(0).getExpr() and
-      nodeTo.asExpr() = call
+    exists(RegexCreation regexCreation |
+      nodeFrom = regexCreation.getStringInput() and
+      nodeTo = regexCreation
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -21,15 +21,9 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {`
`21`	`21`
`22`	`22`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`23`	`23`	// flow through `Regex` initializer, i.e. from a string to a `Regex` object.
`24`		`- exists(CallExpr call \|`
`25`		`- (`
`26`		`- call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) or`
`27`		`- call.getStaticTarget()`
`28`		`- .(Method)`
`29`		`- .hasQualifiedName("NSRegularExpression", "init(pattern:options:)")`
`30`		`- ) and`
`31`		`- nodeFrom.asExpr() = call.getArgument(0).getExpr() and`
`32`		`- nodeTo.asExpr() = call`
	`24`	`+ exists(RegexCreation regexCreation \|`
	`25`	`+ nodeFrom = regexCreation.getStringInput() and`
	`26`	`+ nodeTo = regexCreation`
`33`	`27`	`)`
`34`	`28`	`}`
`35`	`29`	`}`