Swift: Update CleartextStorageDatabase to use DataFlow::ConfigSig

2026-04-28 02:05:14 +02:00 · 2023-04-04 21:53:29 +02:00
parent 21f9527444
commit 3bd6fd0f51
2 changed files with 45 additions and 4 deletions
--- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.CleartextStorageDatabaseExtensions
 * A taint configuration from sensitive information to expressions that are
 * transmitted over a network.
 */
-class CleartextStorageConfig extends TaintTracking::Configuration {
+deprecated class CleartextStorageConfig extends TaintTracking::Configuration {
  CleartextStorageConfig() { this = "CleartextStorageConfig" }

  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
@@ -48,3 +48,44 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
    super.allowImplicitRead(node, c)
  }
 }
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node node) { node instanceof CleartextStorageDatabaseSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextStorageDatabaseSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextStorageDatabaseAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from fields of an `NSManagedObject` or `RealmSwiftObject` at the sink,
+    // for example in `realmObj.data = sensitive`.
+    isSink(node) and
+    exists(NominalTypeDecl d, Decl cx |
+      d.getType().getABaseType*().getUnderlyingType().getName() =
+        ["NSManagedObject", "RealmSwiftObject"] and
+      cx.asNominalTypeDecl() = d and
+      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+    )
+  }
+}
+
+/**
+ * Detect taint flow of sensitive information to expressions that are
+ * transmitted over a network.
+ */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;
--- a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
+++ b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -14,7 +14,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.CleartextStorageDatabaseQuery
-import DataFlow::PathGraph
+import CleartextStorageFlow::PathGraph

 /**
 * Gets a prettier node to use in the results.
@@ -27,10 +27,10 @@ DataFlow::Node cleanupNode(DataFlow::Node n) {
 }

 from
-  CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode,
+  CleartextStorageFlow::PathNode sourceNode, CleartextStorageFlow::PathNode sinkNode,
  DataFlow::Node cleanSink
 where
-  config.hasFlowPath(sourceNode, sinkNode) and
+  CleartextStorageFlow::flowPath(sourceNode, sinkNode) and
  cleanSink = cleanupNode(sinkNode.getNode())
 select cleanSink, sourceNode, sinkNode,
  "This operation stores '" + cleanSink.toString() +