Swift: Implementation classes should be private.

Geoffrey White
2023-02-27 22:49:19 +00:00
parent c21ec1c3f5
commit c533334470
3 changed files with 16 additions and 16 deletions


@@ -32,7 +32,7 @@ class CleartextStorageDatabaseAdditionalTaintStep extends Unit {
/**
* A `DataFlow::Node` that is an expression stored with the Core Data library.
*/
class CoreDataStore extends CleartextStorageDatabaseSink {
private class CoreDataStore extends CleartextStorageDatabaseSink {
CoreDataStore() {
// values written into Core Data objects through `set*Value` methods are a sink.
exists(CallExpr call |
@@ -60,7 +60,7 @@ class CoreDataStore extends CleartextStorageDatabaseSink {
* A `DataFlow::Node` that is an expression stored with the Realm database
* library.
*/
class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostUpdateNode {
private class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostUpdateNode {
RealmStore() {
// any write into a class derived from `RealmSwiftObject` is a sink. For
// example in `realmObj.data = sensitive` the post-update node corresponding
@@ -77,7 +77,7 @@ class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostU
/**
* A `DataFlow::Node` that is an expression stored with the GRDB library.
*/
class GrdbStore extends CleartextStorageDatabaseSink {
private class GrdbStore extends CleartextStorageDatabaseSink {
GrdbStore() {
exists(CallExpr call, MethodDecl method |
call.getStaticTarget() = method and
@@ -132,7 +132,7 @@ class GrdbStore extends CleartextStorageDatabaseSink {
/**
* An encryption sanitizer for cleartext database storage vulnerabilities.
*/
class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
CleartextStorageDatabaseEncryptionSanitizer() {
this.asExpr() instanceof EncryptedExpr
}
@@ -142,7 +142,7 @@ class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDataba
* An additional taint step for cleartext database storage vulnerabilities.
* Needed until we have proper content flow through arrays.
*/
class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(ArrayExpr arr |
nodeFrom.asExpr() = arr.getAnElement() and
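Review bot: Making `CoreDataStore`, `RealmStore`, `GrdbStore`, the encryption sanitizer and the array taint step `private` removes names that could previously be imported, and the visible hunks leave no alias or note for anyone who referred to them. If a query or customization outside this file names one of these classes (not visible here), it will stop compiling. A change note would cover this by saying that extensions should subclass `CleartextStorageDatabaseSink`, `CleartextStorageDatabaseSanitizer` or `CleartextStorageDatabaseAdditionalTaintStep` instead. The same applies to the classes made private in the other two files of this commit. The class bodies continue outside the hunks.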


@@ -33,7 +33,7 @@ class CleartextStoragePreferencesAdditionalTaintStep extends Unit {
}
/** The `DataFlow::Node` of an expression that gets written to the user defaults database */
class UserDefaultsStore extends CleartextStoragePreferencesSink {
private class UserDefaultsStore extends CleartextStoragePreferencesSink {
UserDefaultsStore() {
exists(CallExpr call |
call.getStaticTarget().(MethodDecl).hasQualifiedName("UserDefaults", "set(_:forKey:)") and
@@ -45,7 +45,7 @@ class UserDefaultsStore extends CleartextStoragePreferencesSink {
}
/** The `DataFlow::Node` of an expression that gets written to the iCloud-backed NSUbiquitousKeyValueStore */
class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
private class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
NSUbiquitousKeyValueStore() {
exists(CallExpr call |
call.getStaticTarget()
@@ -64,7 +64,7 @@ class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
* object via reflection (`perform(Selector)`) or the `NSKeyValueCoding`,
* `NSKeyValueBindingCreation` APIs. (TODO)
*/
class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
private class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
NSUserDefaultsControllerStore() { none() }
override string getStoreName() { result = "the user defaults database" }
@@ -73,7 +73,7 @@ class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
/**
* An encryption sanitizer for cleartext preferences storage vulnerabilities.
*/
class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer {
private class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer {
CleartextStoragePreferencesEncryptionSanitizer() {
this.asExpr() instanceof EncryptedExpr
}
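Review bot: `NSUserDefaultsControllerStore() { none() }` matches no node, so this sink class never contributes a result, and now that it is `private` the gap can only be seen by reading this file. The doc comment above it ends in "(TODO)", which suggests the modelling of writes through reflection and the `NSKeyValueCoding` / `NSKeyValueBindingCreation` APIs is still outstanding. Cleartext writes made that way would presumably go unreported by the preferences query until it is done. I would say so on the predicate itself, e.g. `// Placeholder: matches no node until flow through reflection and NSKeyValueCoding is modelled.`, so the missing coverage is not mistaken for a working sink.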


@@ -32,8 +32,8 @@ class CleartextTransmissionAdditionalTaintStep extends Unit {
/**
* An `Expr` that is transmitted with `NWConnection.send`.
*/
class NWConnectionSend extends CleartextTransmissionSink {
NWConnectionSend() {
private class NWConnectionSendSink extends CleartextTransmissionSink {
NWConnectionSendSink() {
// `content` arg to `NWConnection.send` is a sink
exists(CallExpr call |
call.getStaticTarget()
@@ -48,8 +48,8 @@ class NWConnectionSend extends CleartextTransmissionSink {
* An `Expr` that is used to form a `URL`. Such expressions are very likely to
* be transmitted over a network, because that's what URLs are for.
*/
class Url extends CleartextTransmissionSink {
Url() {
private class UrlSink extends CleartextTransmissionSink {
UrlSink() {
// `string` arg in `URL.init` is a sink
// (we assume here that the URL goes on to be used in a network operation)
exists(CallExpr call |
@@ -64,8 +64,8 @@ class Url extends CleartextTransmissionSink {
/**
* An `Expr` that transmitted through the Alamofire library.
*/
class AlamofireTransmitted extends CleartextTransmissionSink {
AlamofireTransmitted() {
private class AlamofireTransmittedSink extends CleartextTransmissionSink {
AlamofireTransmittedSink() {
// sinks are the first argument containing the URL, and the `parameters`
// and `headers` arguments to appropriate methods of `Session`.
exists(CallExpr call, string fName |
@@ -82,7 +82,7 @@ class AlamofireTransmitted extends CleartextTransmissionSink {
/**
* An encryption sanitizer for cleartext transmission vulnerabilities.
*/
class CleartextTransmissionEncryptionSanitizer extends CleartextTransmissionSanitizer {
private class CleartextTransmissionEncryptionSanitizer extends CleartextTransmissionSanitizer {
CleartextTransmissionEncryptionSanitizer() {
this.asExpr() instanceof EncryptedExpr
}
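Review bot: The `Sink` suffix added here (`NWConnectionSendSink`, `UrlSink`, `AlamofireTransmittedSink`) is not applied to the sink classes made private in the other two files, which stay `CoreDataStore`, `RealmStore`, `GrdbStore`, `UserDefaultsStore` and `NSUbiquitousKeyValueStore`. The last of these still reads as the Foundation type it models rather than as a sink. All of them are private after this commit, so renaming them the same way is cheap, e.g. `private class NSUbiquitousKeyValueStoreSink extends CleartextStoragePreferencesSink`. The doc comment above `AlamofireTransmittedSink` is also missing a word and should read "An `Expr` that is transmitted through the Alamofire library." The class bodies continue outside the hunks.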