Merge pull request #13058 from geoffw0/barrier

Swift: Standardize terminology for ConfigSig queries

Author: MathiasVP

swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll

@@ -8,18 +8,15 @@ private import codeql.swift.security.SensitiveExprs
 /** A data flow sink for cleartext logging of sensitive data vulnerabilities. */
 abstract class CleartextLoggingSink extends DataFlow::Node { }
 
-/** A sanitizer for cleartext logging of sensitive data vulnerabilities. */
-abstract class CleartextLoggingSanitizer extends DataFlow::Node { }
+/** A barrier for cleartext logging of sensitive data vulnerabilities. */
+abstract class CleartextLoggingBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
- *
- * Extend this class to add additional taint steps that should apply to paths related to
- * cleartext logging of sensitive data vulnerabilities.
+ * A unit class for adding additional flow steps.
  */
-class CleartextLoggingAdditionalTaintStep extends Unit {
+class CleartextLoggingAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `n1` to `n2` should be considered a taint
+   * Holds if the step from `n1` to `n2` should be considered a flow
    * step for flows related to cleartext logging of sensitive data vulnerabilities.
    */
   abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
@@ -33,12 +30,12 @@ private class DefaultCleartextLoggingSink extends CleartextLoggingSink {
 }
 
 /**
- * A sanitizer for `OSLogMessage`s configured with the appropriate privacy option.
+ * A barrier for `OSLogMessage`s configured with the appropriate privacy option.
  * Numeric and boolean arguments aren't redacted unless the `private` or `sensitive` options are used.
  * Arguments of other types are always redacted unless the `public` option is used.
  */
-private class OsLogPrivacyCleartextLoggingSanitizer extends CleartextLoggingSanitizer {
-  OsLogPrivacyCleartextLoggingSanitizer() {
+private class OsLogPrivacyCleartextLoggingBarrier extends CleartextLoggingBarrier {
+  OsLogPrivacyCleartextLoggingBarrier() {
     exists(CallExpr c, AutoClosureExpr e |
       c.getStaticTarget().getName().matches("appendInterpolation(_:%privacy:%)") and
       c.getArgument(0).getExpr() = e and

swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll

@@ -17,13 +17,13 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CleartextLoggingSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof CleartextLoggingSanitizer }
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextLoggingBarrier }
 
   // Disregard paths that contain other paths. This helps with performance.
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
-    any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
+    any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
 }
 

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -15,16 +15,16 @@ import codeql.swift.dataflow.ExternalFlow
 abstract class CleartextStorageDatabaseSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for cleartext database storage vulnerabilities.
+ * A barrier for cleartext database storage vulnerabilities.
  */
-abstract class CleartextStorageDatabaseSanitizer extends DataFlow::Node { }
+abstract class CleartextStorageDatabaseBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class CleartextStorageDatabaseAdditionalTaintStep extends Unit {
+class CleartextStorageDatabaseAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to cleartext database storage vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
@@ -114,16 +114,16 @@ private class CleartextStorageDatabaseSinks extends SinkModelCsv {
 }
 
 /**
- * An encryption sanitizer for cleartext database storage vulnerabilities.
+ * An encryption barrier for cleartext database storage vulnerabilities.
  */
-private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
-  CleartextStorageDatabaseEncryptionSanitizer() { this.asExpr() instanceof EncryptedExpr }
+private class CleartextStorageDatabaseEncryptionBarrier extends CleartextStorageDatabaseBarrier {
+  CleartextStorageDatabaseEncryptionBarrier() { this.asExpr() instanceof EncryptedExpr }
 }
 
 /**
  * An additional taint step for cleartext database storage vulnerabilities.
  */
-private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep
+private class CleartextStorageDatabaseArrayAdditionalFlowStep extends CleartextStorageDatabaseAdditionalFlowStep
 {
   override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     // needed until we have proper content flow through arrays.

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -18,12 +18,10 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof CleartextStorageDatabaseSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer instanceof CleartextStorageDatabaseSanitizer
-  }
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextStorageDatabaseBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(CleartextStorageDatabaseAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(CleartextStorageDatabaseAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 
   predicate isBarrierIn(DataFlow::Node node) {

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesExtensions.qll

@@ -18,16 +18,16 @@ abstract class CleartextStoragePreferencesSink extends DataFlow::Node {
 }
 
 /**
- * A sanitizer for cleartext preferences storage vulnerabilities.
+ * A barrier for cleartext preferences storage vulnerabilities.
  */
-abstract class CleartextStoragePreferencesSanitizer extends DataFlow::Node { }
+abstract class CleartextStoragePreferencesBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class CleartextStoragePreferencesAdditionalTaintStep extends Unit {
+class CleartextStoragePreferencesAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to cleartext preferences storage vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
@@ -72,11 +72,11 @@ private class NSUserDefaultsControllerStore extends CleartextStoragePreferencesS
 }
 
 /**
- * An encryption sanitizer for cleartext preferences storage vulnerabilities.
+ * An encryption barrier for cleartext preferences storage vulnerabilities.
  */
-private class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer
+private class CleartextStoragePreferencesEncryptionBarrier extends CleartextStoragePreferencesBarrier
 {
-  CleartextStoragePreferencesEncryptionSanitizer() { this.asExpr() instanceof EncryptedExpr }
+  CleartextStoragePreferencesEncryptionBarrier() { this.asExpr() instanceof EncryptedExpr }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -18,12 +18,12 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof CleartextStoragePreferencesSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer instanceof CleartextStoragePreferencesSanitizer
+  predicate isBarrier(DataFlow::Node barrier) {
+    barrier instanceof CleartextStoragePreferencesBarrier
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(CleartextStoragePreferencesAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(CleartextStoragePreferencesAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 
   predicate isBarrierIn(DataFlow::Node node) {

swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll

@@ -15,16 +15,16 @@ import codeql.swift.dataflow.ExternalFlow
 abstract class CleartextTransmissionSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for cleartext transmission vulnerabilities.
+ * A barrier for cleartext transmission vulnerabilities.
  */
-abstract class CleartextTransmissionSanitizer extends DataFlow::Node { }
+abstract class CleartextTransmissionBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class CleartextTransmissionAdditionalTaintStep extends Unit {
+class CleartextTransmissionAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to cleartext transmission vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
@@ -81,10 +81,10 @@ private class AlamofireTransmittedSink extends CleartextTransmissionSink {
 }
 
 /**
- * An encryption sanitizer for cleartext transmission vulnerabilities.
+ * An encryption barrier for cleartext transmission vulnerabilities.
  */
-private class CleartextTransmissionEncryptionSanitizer extends CleartextTransmissionSanitizer {
-  CleartextTransmissionEncryptionSanitizer() { this.asExpr() instanceof EncryptedExpr }
+private class CleartextTransmissionEncryptionBarrier extends CleartextTransmissionBarrier {
+  CleartextTransmissionEncryptionBarrier() { this.asExpr() instanceof EncryptedExpr }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll

@@ -18,12 +18,10 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmissionSink }
 
-  predicate isBarrier(DataFlow::Node sanitizer) {
-    sanitizer instanceof CleartextTransmissionSanitizer
-  }
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextTransmissionBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(CleartextTransmissionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(CleartextTransmissionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 
   predicate isBarrierIn(DataFlow::Node node) {

swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll

@@ -14,16 +14,16 @@ import codeql.swift.dataflow.ExternalFlow
 abstract class ConstantPasswordSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for constant password vulnerabilities.
+ * A barrier for constant password vulnerabilities.
  */
-abstract class ConstantPasswordSanitizer extends DataFlow::Node { }
+abstract class ConstantPasswordBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class ConstantPasswordAdditionalTaintStep extends Unit {
+class ConstantPasswordAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to constant password vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll

@@ -28,10 +28,10 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof ConstantPasswordSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantPasswordSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantPasswordBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(ConstantPasswordAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -14,16 +14,16 @@ import codeql.swift.dataflow.ExternalFlow
 abstract class ConstantSaltSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for constant salt vulnerabilities.
+ * A barrier for constant salt vulnerabilities.
  */
-abstract class ConstantSaltSanitizer extends DataFlow::Node { }
+abstract class ConstantSaltBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class ConstantSaltAdditionalTaintStep extends Unit {
+class ConstantSaltAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to constant salt vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);

swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll

@@ -29,10 +29,10 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof ConstantSaltSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantSaltSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantSaltBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(ConstantSaltAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 

swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll

@@ -22,16 +22,16 @@ abstract class EcbEncryptionSource extends DataFlow::Node { }
 abstract class EcbEncryptionSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for ECB encryption vulnerabilities.
+ * A barrier for ECB encryption vulnerabilities.
  */
-abstract class EcbEncryptionSanitizer extends DataFlow::Node { }
+abstract class EcbEncryptionBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class EcbEncryptionAdditionalTaintStep extends Unit {
+class EcbEncryptionAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to ECB encryption vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);

swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll

@@ -17,10 +17,10 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof EcbEncryptionSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof EcbEncryptionSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof EcbEncryptionBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(EcbEncryptionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -14,16 +14,16 @@ import codeql.swift.dataflow.ExternalFlow
 abstract class HardcodedEncryptionKeySink extends DataFlow::Node { }
 
 /**
- * A sanitizer for hard-coded encryption key vulnerabilities.
+ * A barrier for hard-coded encryption key vulnerabilities.
  */
-abstract class HardcodedEncryptionKeySanitizer extends DataFlow::Node { }
+abstract class HardcodedEncryptionKeyBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class HardcodedEncryptionKeyAdditionalTaintStep extends Unit {
+class HardcodedEncryptionKeyAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to hard-coded encryption key vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll

@@ -34,10 +34,10 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof HardcodedEncryptionKeySink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof HardcodedEncryptionKeySanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof HardcodedEncryptionKeyBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(HardcodedEncryptionKeyAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -20,16 +20,16 @@ abstract class InsecureTlsExtensionsSource extends DataFlow::Node { }
 abstract class InsecureTlsExtensionsSink extends DataFlow::Node { }
 
 /**
- * A sanitizer for insecure TLS configuration vulnerabilities.
+ * A barrier for insecure TLS configuration vulnerabilities.
  */
-abstract class InsecureTlsExtensionsSanitizer extends DataFlow::Node { }
+abstract class InsecureTlsExtensionsBarrier extends DataFlow::Node { }
 
 /**
- * A unit class for adding additional taint steps.
+ * A unit class for adding additional flow steps.
  */
-class InsecureTlsExtensionsAdditionalTaintStep extends Unit {
+class InsecureTlsExtensionsAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a taint
+   * Holds if the step from `node1` to `node2` should be considered a flow
    * step for paths related to insecure TLS configuration vulnerabilities.
    */
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);

swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll

@@ -16,10 +16,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof InsecureTlsExtensionsSink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof InsecureTlsExtensionsSanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof InsecureTlsExtensionsBarrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(InsecureTlsExtensionsAdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }