Swift: {Method,Initializer}CallExpr + SelfRefExpr

Adds a bit of symmetry in the API. Also, fix a couple of tests that were using the old types.
2026-04-19 22:14:01 +02:00 · 2022-12-13 16:52:58 -05:00
parent 5f03099000
commit 89cd082f0a
9 changed files with 46 additions and 6 deletions
--- a/swift/ql/lib/codeql/swift/elements/expr/InitializerCallExpr.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/InitializerCallExpr.qll
@@ -0,0 +1,9 @@
+private import codeql.swift.elements.expr.MethodCallExpr
+private import codeql.swift.elements.expr.InitializerLookupExpr
+private import codeql.swift.elements.decl.ConstructorDecl
+
+class InitializerCallExpr extends MethodCallExpr {
+  InitializerCallExpr() { this.getFunction() instanceof InitializerLookupExpr }
+
+  override ConstructorDecl getStaticTarget() { result = super.getStaticTarget() }
+}
--- a/swift/ql/lib/codeql/swift/elements/expr/MethodCallExpr.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/MethodCallExpr.qll
@@ -0,0 +1,10 @@
+private import codeql.swift.elements.expr.CallExpr
+private import codeql.swift.elements.expr.ApplyExpr
+private import codeql.swift.elements.expr.SuperRefExpr
+private import codeql.swift.elements.expr.SelfRefExpr
+
+class MethodCallExpr extends CallExpr, MethodApplyExpr {
+  predicate isSelfCall() { this.getQualifier() instanceof SelfRefExpr }
+
+  predicate isSuperCall() { this.getQualifier() instanceof SuperRefExpr }
+}
--- a/swift/ql/lib/codeql/swift/elements/expr/MethodCallExprConstructor.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/MethodCallExprConstructor.qll
@@ -1 +0,0 @@
-predicate constructMethodCallExpr(@call_expr id) { exists(@self_apply_expr e | apply_exprs(id, e)) }
--- a/swift/ql/lib/codeql/swift/elements/expr/SelfRefExpr.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/SelfRefExpr.qll
@@ -0,0 +1,14 @@
+private import codeql.swift.elements.expr.DeclRefExpr
+private import codeql.swift.elements.decl.MethodDecl
+private import codeql.swift.elements.decl.VarDecl
+
+/** A reference to `self`. */
+class SelfRefExpr extends DeclRefExpr {
+  MethodDecl methodDecl;
+
+  SelfRefExpr() { this.getDecl() = methodDecl.getSelfParam() }
+
+  VarDecl getSelf() { result = this.getDecl() }
+
+  MethodDecl getMethodDecl() { result = methodDecl }
+}
--- a/swift/ql/lib/codeql/swift/elements/expr/SuperRefExpr.qll
+++ b/swift/ql/lib/codeql/swift/elements/expr/SuperRefExpr.qll
@@ -1,5 +1,9 @@
 private import codeql.swift.generated.expr.SuperRefExpr
+private import codeql.swift.elements.decl.MethodDecl

+/** A reference to `super`. */
 class SuperRefExpr extends Generated::SuperRefExpr {
  override string toString() { result = "super" }
+
+  MethodDecl getMethodDecl() { this.getSelf() = result.getSelfParam() }
 }
--- a/swift/ql/lib/codeql/swift/security/XXE.qll
+++ b/swift/ql/lib/codeql/swift/security/XXE.qll
@@ -31,7 +31,7 @@ private class XmlParserXxeSink extends XxeSink {
 /** The construction of a `XMLParser` that enables external entities. */
 private class VulnerableParser extends CallExpr {
  VulnerableParser() {
-    resolvesExternalEntities(this) and this.getFunction() instanceof ConstructorRefCallExpr
+    resolvesExternalEntities(this) and this.getFunction() instanceof InitializerLookupExpr
  }
 }

--- a/swift/ql/lib/swift.qll
+++ b/swift/ql/lib/swift.qll
@@ -5,6 +5,9 @@ import codeql.swift.elements.expr.ArithmeticOperation
 import codeql.swift.elements.expr.BitwiseOperation
 import codeql.swift.elements.expr.LogicalOperation
 import codeql.swift.elements.expr.InitializerLookupExpr
+import codeql.swift.elements.expr.MethodCallExpr
+import codeql.swift.elements.expr.InitializerCallExpr
+import codeql.swift.elements.expr.SelfRefExpr
 import codeql.swift.elements.decl.MethodDecl
 import codeql.swift.elements.decl.ClassOrStructDecl
 import codeql.swift.Unit
--- a/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
+++ b/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
@@ -32,14 +32,15 @@ class StaticInitializationVectorSource extends Expr {
 class EncryptionInitializationSink extends Expr {
  EncryptionInitializationSink() {
    // `iv` arg in `init` is a sink
-    exists(CallExpr call, string fName |
+    exists(InitializerCallExpr call, string fName |
      call.getStaticTarget()
-          .(ConstructorDecl)
          .hasQualifiedName([
              "AES", "ChaCha20", "Blowfish", "Rabbit", "CBC", "CFB", "GCM", "OCB", "OFB", "PCBC",
              "CCM", "CTR"
            ], fName) and
-      call.getArgumentWithLabel("iv").getExpr() = this
+      call.getArgumentWithLabel("iv").getExpr() = this and
+      not call.isSelfCall() and
+      not call.isSuperCall()
    )
  }
 }
--- a/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql
+++ b/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql
@@ -26,7 +26,7 @@ class InsecureTlsConfig extends TaintTracking::Configuration {
   * Holds for enum values that represent an insecure version of TLS
   */
  override predicate isSource(DataFlow::Node node) {
-    node.asExpr().(MethodRefExpr).getMember().(EnumElementDecl).getName() =
+    node.asExpr().(MethodLookupExpr).getMember().(EnumElementDecl).getName() =
      ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
  }
				`@@ -1 +0,0 @@`
				`predicate constructMethodCallExpr(@call_expr id) { exists(@self_apply_expr e \| apply_exprs(id, e)) }`