- Extracts Swift's
DiscardStmtandMaterizliePackExpr - Expanded and improved flow models for
SetandSequence. - Added imprecise flow sources matching initializers such as
init(contentsOfFile:). - Extracts
MacroDecland some related information
- Added Swift 5.9.1 support
- New AST node is extracted:
SingleValueStmtExpr
- AST and types related to parameter packs are now extracted
- Added taint flow models for the
NSString.enumerate*methods. - Generalized the data flow model for subscript writes (
a[index] = b) so that it applies to subscripts on all kinds of objects, not just arrays. - Fixed a bug where some flow sinks at field accesses were not being correctly identified.
- Added indexed
getVariabletoCaptureListExpr, improving its AST printing and data flow. - Added flow models for
Stringmethods involving closures such asString.withUTF8(_:). - AST and types related to move semantics (
copy,consume,_borrow) are now extracted
- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
- Added children of
UnspecifiedElement, which will be present only in certain downgraded databases. - Collection content is now automatically read at taint flow sinks. This removes the need to define an
allowImplicitReadpredicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now. - Added taint models for
StringProtocol.appendingFormatandString.decodeCString. - Added taint flow models for members of
Substring. - Added taint flow models for
RawRepresentable. - The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
- Added models of
StringProtocolandNSStringmethods that evaluate regular expressions. - Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
- Improved taint models for
Numerictypes andRangeReplaceableCollections. - The nil-coalescing operator
??is now supported by the CFG construction and dataflow libraries. - The data flow library now supports flow to the loop variable of for-in loops.
- The methods
getIteratorVarandgetNextCallhave been added to theForEachStmtclass.
- The
ArrayContenttype in the data flow library has been deprecated and made an alias for theCollectionContenttype, to better reflect the hierarchy of the Swift standard library. Uses ofArrayElementin model files will be interpreted as referring toCollectionContent.
- The predicates
getABaseType,getABaseTypeDecl,getADerivedTypeandgetADerivedTypeDeclonTypeandTypeDeclnow behave more usefully and consistently. They now explore through type aliases used in base class declarations, and include protocols added in extensions.
To examine base class declarations at a low level without these enhancements, use TypeDecl.getInheritedType.
Type.getABaseType (only) previously resolved a type alias it was called directly on. This behaviour no longer exists. To find any base type of a type that could be an alias, the construct Type.getUnderlyingType().getABaseType*() is recommended.
- Modelled varargs function in
NSStringmore accurately. - Modelled
CustomStringConvertible.descriptionandCustomDebugStringConvertible.debugDescription, replacing ad-hoc models of these properties on derived classes. - The regular expressions library now accepts a wider range of mode flags in a regular expression mode flag group (such as
(?u)). The(?w) flag has been renamed from "UNICODE" to "UNICODEBOUNDARY", and the(?u)flag is called "UNICODE" in the libraries. - Renamed
TypeDecl.getBaseType/1togetInheritedType. - Flow through writes via keypaths is now supported by the data flow library.
- Added flow through variadic arguments, and the
getVaListfunction. - Added flow steps through
Dictionarykeys and values. - Added taint models for
Numericconversions.
- The regular expressions library no longer incorrectly matches mode flag characters against the input.
No user-facing changes.
- Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
- Added flow models of collection
.withContiguous[Mutable]StorageIfAvailable,.withUnsafe[Mutable]BufferPointerand.withUnsafe[Mutable]Bytesmethods.
- Added
DataFlow::CollectionContent, which will enable more accurate flow through collections.
- Added local flow sources for
UITextInputand related classes. - Flow through forced optional unwrapping (
!) on the left side of assignment now works in most cases. Type.getNamenow gets the name of the type alone without any enclosing types. UseType.getFullNamefor the old behaviour.
- Added
DataFlow::ArrayContent, which will provide more accurate flow through arrays.
- Flow through forced optional unwrapping (
!) is modelled more accurately. - Added flow models for
Sequence.withContiguousStorageIfAvailable. - Added taint flow for
NSUserActivity.referrerURL.
- The
DataFlow::StateConfigSigsignature module has gained default implementations forisBarrier/2andisAdditionalFlowStep/4. Hence it is no longer needed to providenone()implementations of these predicates if they are not needed.
- Data flow configurations can now include a predicate
neverSkip(Node node)in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations. - The regular expression library now understands mode flags specified by
Regexmethods and theNSRegularExpressioninitializer. - The regular expression library now understands mode flags specified at the beginning of a regular expression (for example
(?is)). - Added detail to the taint model for
URL. - Added new heuristics to
SensitiveExprs.qll, enhancing detection from the library.
- The
BraceStmtAST node'sAstNode getElement(index)member predicate no longer returnsVarDecls after thePatternBindingDeclthat declares them. Instead, a newVarDecl getVariable(index)predicate has been introduced for accessing the variables declared in aBraceStmt.
- Added new libraries
Regex.qllandRegexTreeView.qllfor reasoning about regular expressions in Swift code and places where they are evaluated.
- Added a data flow model for
swap(_:_:).
No user-facing changes.
- Incorporated the cross-language
SensitiveDataHeuristics.qllheuristics library into the SwiftSensitiveExprs.qlllibrary. This adds a number of new heuristics enhancing detection from the library.
- Some models for the
Dataclass have been generalized toDataProtocolso that they apply more widely.
- Fixed a number of inconsistencies in the abstract syntax tree (AST) and in the control-flow graph (CFG). This may lead to more results in queries that use these libraries, or libraries that depend on them (such as dataflow).