Swift: Convert URL sinks for swift/cleartext-transmission to be defined in QL.

2025-12-17 01:03:14 +01:00 · 2024-08-12 15:58:31 +01:00
parent 345e1840f2
commit 897bfb5517
1 changed files with 18 additions and 7 deletions
--- a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -48,6 +48,23 @@ private class AlamofireTransmittedSink extends CleartextTransmissionSink {
  }
 }

+/**
+ * A `URL` that is a sink for this query. Not all URLs are considered sinks, depending
+ * on their content.
+ */
+private class URLTransmittedSink extends CleartextTransmissionSink {
+  URLTransmittedSink() {
+    // sinks are the first argument containing the URL, and the `parameters`
+    // and `headers` arguments to appropriate methods of `Session`.
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+}
+
 /**
 * A barrier for cleartext transmission vulnerabilities.
 *  - encryption; encrypted values are not cleartext.
@@ -81,12 +98,6 @@ private class DefaultCleartextTransmissionSink extends CleartextTransmissionSink
 private class TransmissionSinks extends SinkModelCsv {
  override predicate row(string row) {
    row =
-      [
-        ";NWConnection;true;send(content:contentContext:isComplete:completion:);;;Argument[0];transmission",
-        // an `Expr` that is used to form a `URL` is very likely to be transmitted over a network, because
-        // that's what URLs are for.
-        ";URL;true;init(string:);;;Argument[0];transmission",
-        ";URL;true;init(string:relativeTo:);;;Argument[0];transmission",
-      ]
+      ";NWConnection;true;send(content:contentContext:isComplete:completion:);;;Argument[0];transmission"
  }
 }