hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Use asNominalType() more widely to include things declared in extensions.

Browse Source
This commit is contained in:
Geoffrey White
2023-05-19 14:19:32 +01:00
parent ccbd041875
commit 0d8aa825d9
8 changed files with 28 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll
View File

@@ -49,14 +49,14 @@ private class UrlLaunchOptionsRemoteFlowSource extends RemoteFlowSource {
private class ApplicationWithLaunchOptionsFunc extends Function {
ApplicationWithLaunchOptionsFunc() {
this.getName() = "application(_:" + ["did", "will"] + "FinishLaunchingWithOptions:)" and
this.getEnclosingDecl().(ClassOrStructDecl).getABaseTypeDecl*().(ProtocolDecl).getName() =
this.getEnclosingDecl().asNominalTypeDecl().getABaseTypeDecl*().(ProtocolDecl).getName() =
"UIApplicationDelegate"
}
}
private class LaunchOptionsUrlVarDecl extends VarDecl {
LaunchOptionsUrlVarDecl() {
this.getEnclosingDecl().(StructDecl).getFullName() = "UIApplication.LaunchOptionsKey" and
this.getEnclosingDecl().asNominalTypeDecl().getFullName() = "UIApplication.LaunchOptionsKey" and
this.getName() = "url"
}
}
@@ -68,7 +68,7 @@ private class UiOpenUrlContextUrlInheritTaint extends TaintInheritingContent,
DataFlow::Content::FieldContent
{
UiOpenUrlContextUrlInheritTaint() {
this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "UIOpenURLContext" and
this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "UIOpenURLContext" and
this.getField().getName() = "url"
}
}
@@ -80,7 +80,7 @@ private class UserActivityUrlInheritTaint extends TaintInheritingContent,
DataFlow::Content::FieldContent
{
UserActivityUrlInheritTaint() {
this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "NSUserActivity" and
this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "NSUserActivity" and
this.getField().getName() = "webpageURL"
}
}
@@ -93,7 +93,7 @@ private class ConnectionOptionsFieldsInheritTaint extends TaintInheritingContent
DataFlow::Content::FieldContent
{
ConnectionOptionsFieldsInheritTaint() {
this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "ConnectionOptions" and
this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "ConnectionOptions" and
this.getField().getName() = ["userActivities", "urlContexts"]
}
}

4
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsData.qll
View File

@@ -75,7 +75,7 @@ private class NsMutableDataSummaries extends SummaryModelCsv {
private class NsDataTaintedFields extends TaintInheritingContent, DataFlow::Content::FieldContent {
NsDataTaintedFields() {
exists(FieldDecl f | this.getField() = f |
f.getEnclosingDecl() instanceof NsData and
f.getEnclosingDecl().asNominalTypeDecl() instanceof NsData and
f.getName() = ["bytes", "description"]
)
}
@@ -87,7 +87,7 @@ private class NsMutableDataTaintedFields extends TaintInheritingContent,
{
NsMutableDataTaintedFields() {
exists(FieldDecl f | this.getField() = f |
f.getEnclosingDecl() instanceof NsMutableData and
f.getEnclosingDecl().asNominalTypeDecl() instanceof NsMutableData and
f.getName() = "mutableBytes"
)
}

6
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Url.qll
View File

@@ -16,7 +16,9 @@ class UrlDecl extends StructDecl {
* A content implying that, if a `URL` is tainted, then all its fields are tainted.
*/
private class UriFieldsInheritTaint extends TaintInheritingContent, DataFlow::Content::FieldContent {
UriFieldsInheritTaint() { this.getField().getEnclosingDecl() instanceof UrlDecl }
UriFieldsInheritTaint() {
this.getField().getEnclosingDecl().asNominalTypeDecl() instanceof UrlDecl
}
}
/**
@@ -27,7 +29,7 @@ private class UrlRequestFieldsInheritTaint extends TaintInheritingContent,
DataFlow::Content::FieldContent
{
UrlRequestFieldsInheritTaint() {
this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "URLRequest" and
this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "URLRequest" and
this.getField().getName() =
["url", "httpBody", "httpBodyStream", "mainDocument", "allHTTPHeaderFields"]
}

12
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll
View File

@@ -32,7 +32,7 @@ private class WKScriptMessageBodyInheritsTaint extends TaintInheritingContent,
{
WKScriptMessageBodyInheritsTaint() {
exists(FieldDecl f | this.getField() = f |
f.getEnclosingDecl() instanceof WKScriptMessageDecl and
f.getEnclosingDecl().asNominalTypeDecl() instanceof WKScriptMessageDecl and
f.getName() = "body"
)
}
@@ -170,16 +170,16 @@ private class JsExportedType extends ClassOrStructDecl {
private class JsExportedSource extends RemoteFlowSource {
JsExportedSource() {
exists(Method adopter, Method base |
base.getEnclosingDecl() instanceof JsExportedProto and
adopter.getEnclosingDecl() instanceof JsExportedType
base.getEnclosingDecl().asNominalTypeDecl() instanceof JsExportedProto and
adopter.getEnclosingDecl().asNominalTypeDecl() instanceof JsExportedType
|
this.(DataFlow::ParameterNode).getParameter().getDeclaringFunction() = adopter and
pragma[only_bind_out](adopter.getName()) = pragma[only_bind_out](base.getName())
)
or
exists(FieldDecl adopter, FieldDecl base |
base.getEnclosingDecl() instanceof JsExportedProto and
adopter.getEnclosingDecl() instanceof JsExportedType
base.getEnclosingDecl().asNominalTypeDecl() instanceof JsExportedProto and
adopter.getEnclosingDecl().asNominalTypeDecl() instanceof JsExportedType
|
this.asExpr().(MemberRefExpr).getMember() = adopter and
pragma[only_bind_out](adopter.getName()) = pragma[only_bind_out](base.getName())
@@ -210,7 +210,7 @@ private class WKUserScriptInheritsTaint extends TaintInheritingContent,
{
WKUserScriptInheritsTaint() {
exists(FieldDecl f | this.getField() = f |
f.getEnclosingDecl().(ClassOrStructDecl).getName() = "WKUserScript" and
f.getEnclosingDecl().asNominalTypeDecl().getName() = "WKUserScript" and
f.getName() = "source"
)
}

10
swift/ql/lib/codeql/swift/frameworks/Xml/AEXML.qll
View File

@@ -7,14 +7,16 @@ import swift
/** The creation of an `AEXMLParser`. */
class AexmlParser extends ApplyExpr {
AexmlParser() {
this.getStaticTarget().(Initializer).getEnclosingDecl() instanceof AexmlParserDecl
this.getStaticTarget().(Initializer).getEnclosingDecl().asNominalTypeDecl() instanceof
AexmlParserDecl
}
}
/** The creation of an `AEXMLDocument`. */
class AexmlDocument extends ApplyExpr {
AexmlDocument() {
this.getStaticTarget().(Initializer).getEnclosingDecl() instanceof AexmlDocumentDecl
this.getStaticTarget().(Initializer).getEnclosingDecl().asNominalTypeDecl() instanceof
AexmlDocumentDecl
}
}
@@ -24,7 +26,7 @@ class AexmlDocumentLoadXml extends MethodApplyExpr {
exists(Method f |
this.getStaticTarget() = f and
f.hasName("loadXML(_:)") and
f.getEnclosingDecl() instanceof AexmlDocumentDecl
f.getEnclosingDecl().asNominalTypeDecl() instanceof AexmlDocumentDecl
)
}
}
@@ -44,7 +46,7 @@ class AexmlShouldResolveExternalEntities extends MemberRefExpr {
AexmlShouldResolveExternalEntities() {
exists(FieldDecl f | this.getMember() = f |
f.getName() = "shouldResolveExternalEntities" and
f.getEnclosingDecl().(NominalTypeDecl).getType() instanceof AexmlOptionsParserSettingsType
f.getEnclosingDecl().asNominalTypeDecl().getType() instanceof AexmlOptionsParserSettingsType
)
}
}

2
swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
View File

@@ -64,7 +64,7 @@ private class OsLogPrivacyRef extends MemberRefExpr {
OsLogPrivacyRef() {
exists(FieldDecl f | this.getMember() = f |
f.getEnclosingDecl().(NominalTypeDecl).getName() = "OSLogPrivacy" and
f.getEnclosingDecl().asNominalTypeDecl().getName() = "OSLogPrivacy" and
optionName = f.getName()
)
}

4
swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
View File

@@ -38,9 +38,9 @@ private class DefaultPathInjectionBarrier extends PathInjectionBarrier {
// This is a simplified implementation.
exists(CallExpr starts, CallExpr normalize, DataFlow::Node validated |
starts.getStaticTarget().getName() = "starts(with:)" and
starts.getStaticTarget().getEnclosingDecl() instanceof FilePath and
starts.getStaticTarget().getEnclosingDecl().asNominalTypeDecl() instanceof FilePath and
normalize.getStaticTarget().getName() = "lexicallyNormalized()" and
normalize.getStaticTarget().getEnclosingDecl() instanceof FilePath
normalize.getStaticTarget().getEnclosingDecl().asNominalTypeDecl() instanceof FilePath
|
TaintTracking::localTaint(validated, DataFlow::exprNode(normalize.getQualifier())) and
DataFlow::localExprFlow(normalize, starts.getQualifier()) and

4
swift/ql/lib/codeql/swift/security/XXEExtensions.qll
View File

@@ -80,7 +80,7 @@ private class XmlDocumentXxeSink extends XxeSink {
/** An `XMLDocument` that sets `nodeLoadExternalEntitiesAlways` in its options. */
private class VulnerableXmlDocument extends ApplyExpr {
VulnerableXmlDocument() {
this.getStaticTarget().(Initializer).getEnclosingDecl().(NominalTypeDecl).getFullName() =
this.getStaticTarget().(Initializer).getEnclosingDecl().asNominalTypeDecl().getFullName() =
"XMLDocument" and
this.getArgument(1).getExpr().(ArrayExpr).getAnElement().(MemberRefExpr).getMember() instanceof
NodeLoadExternalEntitiesAlways
@@ -91,7 +91,7 @@ private class VulnerableXmlDocument extends ApplyExpr {
private class NodeLoadExternalEntitiesAlways extends VarDecl {
NodeLoadExternalEntitiesAlways() {
this.getName() = "nodeLoadExternalEntitiesAlways" and
this.getEnclosingDecl().(StructDecl).getFullName() = "XMLNode.Options"
this.getEnclosingDecl().asNominalTypeDecl().(StructDecl).getFullName() = "XMLNode.Options"
}
}