Merge pull request #12896 from geoffw0/modernsec3

Swift: Fix member variable CSV sinks (swift/insecure-tls)

Author: MathiasVP

swift/ql/.generated.list

@@ -197,7 +197,22 @@ predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode nod
   )
 }
 
-predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) { none() }
+predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  exists(Node n, AstNode ast, MemberRefExpr e |
+    n = node.asNode() and
+    ast = mid.asElement() and
+    e.getMember() = ast
+  |
+    // Allow fields to be picked as input nodes.
+    c = "" and
+    e.getBase() = n.asExpr()
+    or
+    // Allow post update nodes to be picked as input nodes when the `input` column
+    // of the row is `PostUpdate`.
+    c = "PostUpdate" and
+    e.getBase() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
+  )
+}
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]

swift/ql/.gitattributes

@@ -26,4 +26,14 @@ predicate localTaintStep = localTaintStepCached/2;
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs) {
+  // If a `PostUpdateNode` is specified as a sink, there's (almost) always a store step preceding it.
+  // So when the node is a `PostUpdateNode` we allow any sequence of implicit read steps of an appropriate
+  // type to make sure we arrive at the sink with an empty access path.
+  exists(NominalTypeDecl d, Decl cx |
+    node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getType() =
+      d.getType().getABaseType*() and
+    cx.asNominalTypeDecl() = d and
+    cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+  )
+}

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -1,4 +1,9 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.DynamicSelfType
 
-class DynamicSelfType extends Generated::DynamicSelfType { }
+class DynamicSelfType extends Generated::DynamicSelfType {
+  override Type getResolveStep() {
+    // The type of qualifiers in a Swift constructor is assigned the type `Self` by the Swift compiler
+    // This `getResolveStep` replaces that `Self` type with the type of the enclosing class.
+    result = this.getImmediateStaticSelfType()
+  }
+}

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll

@@ -70,7 +70,7 @@ private class EncryptionKeySinks extends SinkModelCsv {
         // Realm database library.
         ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[3];encryption-key",
         ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[3];encryption-key",
-        ";Realm.Configuration;true;encryptionKey;;;;encryption-key",
+        ";Realm.Configuration;true;encryptionKey;;;PostUpdate;encryption-key",
       ]
   }
 }

swift/ql/lib/codeql/swift/elements/type/DynamicSelfType.qll

@@ -45,19 +45,16 @@ private class EnumInsecureTlsExtensionsSource extends InsecureTlsExtensionsSourc
   }
 }
 
-/**
- * A sink for assignment of TLS-related properties of `NSURLSessionConfiguration`.
- */
-private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
-  NsUrlTlsExtensionsSink() {
-    exists(AssignExpr assign |
-      assign.getSource() = this.asExpr() and
-      assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
-        [
-          "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
-          "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
-        ]
-    )
+private class TlsExtensionsSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // TLS-related properties of `URLSessionConfiguration`
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocol;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocol;;;PostUpdate;tls-protocol-version",
+      ]
   }
 }
 

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -129,8 +129,8 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[0];path-injection",
         ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[0];path-injection",
         ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[10];path-injection",
-        ";Realm.Configuration;true;fileURL;;;;path-injection",
-        ";Realm.Configuration;true;seedFilePath;;;;path-injection",
+        ";Realm.Configuration;true;fileURL;;;PostUpdate;path-injection",
+        ";Realm.Configuration;true;seedFilePath;;;PostUpdate;path-injection",
       ]
   }
 }

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -1 +0,0 @@
-| Self | getName: | Self | getCanonicalType: | Self | getStaticSelfType: | X |

swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll

@@ -235,7 +235,7 @@ edges
 | test.swift:536:10:536:13 | s | test.swift:537:13:537:13 | s |
 | test.swift:537:7:537:7 | [post] self [str] | test.swift:536:5:538:5 | self[return] [str] |
 | test.swift:537:13:537:13 | s | test.swift:537:7:537:7 | [post] self [str] |
-| test.swift:542:17:545:5 | self[return] [str] | test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] |
+| test.swift:542:17:545:5 | self[return] [str] | test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] |
 | test.swift:543:7:543:7 | [post] self [str] | test.swift:542:17:545:5 | self[return] [str] |
 | test.swift:543:7:543:7 | [post] self [str] | test.swift:544:17:544:17 | self [str] |
 | test.swift:543:20:543:28 | call to source3() | test.swift:536:10:536:13 | s |
@@ -245,8 +245,8 @@ edges
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() | test.swift:536:10:536:13 | s |
 | test.swift:549:24:549:32 | call to source3() | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] | test.swift:535:9:535:9 | self [str] |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] | test.swift:535:9:535:9 | self [str] |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] | test.swift:550:13:550:43 | .str |
 | test.swift:567:8:567:11 | x | test.swift:568:14:568:14 | x |
 | test.swift:568:5:568:5 | [post] self [x] | test.swift:567:3:569:3 | self[return] [x] |
 | test.swift:568:14:568:14 | x | test.swift:568:5:568:5 | [post] self [x] |
@@ -541,7 +541,7 @@ nodes
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] | semmle.label | call to MyClass.init(s:) [str] |
 | test.swift:549:13:549:35 | .str | semmle.label | .str |
 | test.swift:549:24:549:32 | call to source3() | semmle.label | call to source3() |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] | semmle.label | call to Self.init(contentsOfFile:) [str] |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] | semmle.label | call to MyClass.init(contentsOfFile:) [str] |
 | test.swift:550:13:550:43 | .str | semmle.label | .str |
 | test.swift:567:3:569:3 | self[return] [x] | semmle.label | self[return] [x] |
 | test.swift:567:8:567:11 | x | semmle.label | x |
@@ -609,7 +609,7 @@ subpaths
 | test.swift:543:20:543:28 | call to source3() | test.swift:536:10:536:13 | s | test.swift:537:7:537:7 | [post] self [str] | test.swift:543:7:543:7 | [post] self [str] |
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] | test.swift:535:9:535:9 | self [str] | file://:0:0:0:0 | .str | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() | test.swift:536:10:536:13 | s | test.swift:536:5:538:5 | self[return] [str] | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] | test.swift:535:9:535:9 | self [str] | file://:0:0:0:0 | .str | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] | test.swift:535:9:535:9 | self [str] | file://:0:0:0:0 | .str | test.swift:550:13:550:43 | .str |
 | test.swift:573:16:573:23 | call to source() | test.swift:567:8:567:11 | x | test.swift:567:3:569:3 | self[return] [x] | test.swift:573:11:573:24 | call to S.init(x:) [x] |
 | test.swift:575:13:575:13 | s [x] | test.swift:574:11:574:14 | enter #keyPath(...) [x] | test.swift:574:11:574:14 | exit #keyPath(...) | test.swift:575:13:575:25 | \\...[...] |
 | test.swift:578:13:578:13 | s [x] | test.swift:577:36:577:38 | enter #keyPath(...) [x] | test.swift:577:36:577:38 | exit #keyPath(...) | test.swift:578:13:578:32 | \\...[...] |

swift/ql/test/extractor-tests/generated/type/DynamicSelfType/DynamicSelfType.expected

@@ -10,12 +10,12 @@ class PathInjectionTest extends InlineExpectationsTest {
   override string getARelevantTag() { result = "hasPathInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+    exists(DataFlow::Node source, DataFlow::Node sink |
       PathInjectionFlow::flow(source, sink) and
-      sinkExpr = sink.asExpr() and
-      location = sinkExpr.getLocation() and
-      element = sinkExpr.toString() and
+      location = sink.getLocation() and
+      element = sink.toString() and
       tag = "hasPathInjection" and
+      location.getFile().getName() != "" and
       value = source.asExpr().getLocation().getStartLine().toString()
     )
   }

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -317,9 +317,9 @@ func test() {
 
 	var config = Realm.Configuration() // GOOD
 	config.fileURL = safeUrl // GOOD
-	config.fileURL = remoteUrl // $ MISSING: hasPathInjection=208
+	config.fileURL = remoteUrl // $ hasPathInjection=208
 	config.seedFilePath = safeUrl // GOOD
-	config.seedFilePath = remoteUrl // $ MISSING: hasPathInjection=208
+	config.seedFilePath = remoteUrl // $ hasPathInjection=208
 }
 
 func testBarriers() {