Swift: Taint through arithmetic#12266
Conversation
MathiasVP
left a comment
There was a problem hiding this comment.
LGTM!
I remember for C/C++ we only taint the result of an arithmetic operation when one of the operands is predictable (which pretty much translates to constant). I fully support the decision to not go this route for Swift (since no other CodeQL-support language does it this way), and just provide taint through all arithmetic operations.
|
Yes, I'm not sure why that was. Perhaps there was a problematic pattern involving subtraction??? |
I'm not sure of the history either. What I am sure of is that C/C++ probably has a lot more queries that involve arithmetic operations (and thus a lot more flow through arithmetic operations), so the potential for FPs were probably just a lot more relevant. |
|
We are paying a lot of attention to new results (at least at the DCA scale) and have plans to do a wide review of query false positives later in the year. So we don't have to worry about non-obvious FPs too much at this early stage. Merging. |
Adds tests and taint flow through arithmetic. Before this PR we had flow through
+onStrings only, a rather conservative position. We want taint through other types such asIntegers, and through other arithmetic operators such as-.After this PR I will create a follow-up for taint through
+=and friends, which builds on the changes here but is a separate chunk of work with a bit of its own complexity. More of the tests will pass after that.