Swift: Add additional taint steps into fields.

ed
This commit is contained in:
Geoffrey White
2023-03-09 11:45:57 +00:00
parent da338c26ba
commit ffa279e87b
3 changed files with 112 additions and 8 deletions

View File

@@ -122,14 +122,21 @@ private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStora
/**
* An additional taint step for cleartext database storage vulnerabilities.
* Needed until we have proper content flow through arrays.
*/
private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// needed until we have proper content flow through arrays.
exists(ArrayExpr arr |
nodeFrom.asExpr() = arr.getAnElement() and
nodeTo.asExpr() = arr
)
or
// if an object is sensitive, its fields are always sensitive
// (this is needed because the sensitive data sources are in a sense
// approximate; for example we might identify `passwordBox` as a source,
// whereas it is more accurate to say that `passwordBox.textField` is the
// true source).
nodeTo.asExpr().(LookupExpr).getBase() = nodeFrom.asExpr()
}
}

View File

@@ -28,13 +28,56 @@ edges
| testCoreData2.swift:62:30:62:30 | bankAccountNo : | testCoreData2.swift:62:4:62:4 | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] : | testCoreData2.swift:65:3:65:3 | [post] obj |
| testCoreData2.swift:65:29:65:29 | bankAccountNo : | testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:70:9:70:9 | self : | file://:0:0:0:0 | .value : |
| testCoreData2.swift:71:9:71:9 | self : | file://:0:0:0:0 | .value2 : |
| testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] : | testCoreData2.swift:79:2:79:2 | [post] dbObj |
| testCoreData2.swift:79:18:79:28 | .bankAccountNo : | testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] : | testCoreData2.swift:80:2:80:2 | [post] dbObj |
| testCoreData2.swift:80:18:80:28 | ...! : | testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 : | testCoreData2.swift:80:18:80:28 | ...! : |
| testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] : | testCoreData2.swift:82:2:82:2 | [post] dbObj |
| testCoreData2.swift:82:18:82:18 | bankAccountNo : | testCoreData2.swift:70:9:70:9 | self : |
| testCoreData2.swift:82:18:82:18 | bankAccountNo : | testCoreData2.swift:82:18:82:32 | .value : |
| testCoreData2.swift:82:18:82:32 | .value : | testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] : | testCoreData2.swift:83:2:83:2 | [post] dbObj |
| testCoreData2.swift:83:18:83:18 | bankAccountNo : | testCoreData2.swift:71:9:71:9 | self : |
| testCoreData2.swift:83:18:83:18 | bankAccountNo : | testCoreData2.swift:83:18:83:32 | ...! : |
| testCoreData2.swift:83:18:83:18 | bankAccountNo : | testCoreData2.swift:83:18:83:32 | .value2 : |
| testCoreData2.swift:83:18:83:32 | ...! : | testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:83:18:83:32 | .value2 : | testCoreData2.swift:83:18:83:32 | ...! : |
| testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] : | testCoreData2.swift:84:2:84:2 | [post] dbObj |
| testCoreData2.swift:84:18:84:18 | ...! : | testCoreData2.swift:70:9:70:9 | self : |
| testCoreData2.swift:84:18:84:18 | ...! : | testCoreData2.swift:84:18:84:33 | .value : |
| testCoreData2.swift:84:18:84:18 | bankAccountNo2 : | testCoreData2.swift:84:18:84:18 | ...! : |
| testCoreData2.swift:84:18:84:18 | bankAccountNo2 : | testCoreData2.swift:84:18:84:33 | .value : |
| testCoreData2.swift:84:18:84:33 | .value : | testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] : | testCoreData2.swift:85:2:85:2 | [post] dbObj |
| testCoreData2.swift:85:18:85:18 | ...! : | testCoreData2.swift:71:9:71:9 | self : |
| testCoreData2.swift:85:18:85:18 | ...! : | testCoreData2.swift:85:18:85:33 | .value2 : |
| testCoreData2.swift:85:18:85:18 | bankAccountNo2 : | testCoreData2.swift:85:18:85:18 | ...! : |
| testCoreData2.swift:85:18:85:18 | bankAccountNo2 : | testCoreData2.swift:85:18:85:33 | ...! : |
| testCoreData2.swift:85:18:85:33 | ...! : | testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] : |
| testCoreData2.swift:85:18:85:33 | .value2 : | testCoreData2.swift:85:18:85:33 | ...! : |
| testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] : | testCoreData2.swift:87:2:87:10 | [post] ...? |
| testCoreData2.swift:87:22:87:32 | .bankAccountNo : | testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] : |
| testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] : | testCoreData2.swift:88:2:88:10 | [post] ...? |
| testCoreData2.swift:88:22:88:22 | bankAccountNo : | testCoreData2.swift:70:9:70:9 | self : |
| testCoreData2.swift:88:22:88:22 | bankAccountNo : | testCoreData2.swift:88:22:88:36 | .value : |
| testCoreData2.swift:88:22:88:36 | .value : | testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] : |
| testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] : | testCoreData2.swift:89:2:89:10 | [post] ...? |
| testCoreData2.swift:89:22:89:22 | ...! : | testCoreData2.swift:71:9:71:9 | self : |
| testCoreData2.swift:89:22:89:22 | ...! : | testCoreData2.swift:89:22:89:37 | .value2 : |
| testCoreData2.swift:89:22:89:22 | bankAccountNo2 : | testCoreData2.swift:89:22:89:22 | ...! : |
| testCoreData2.swift:89:22:89:22 | bankAccountNo2 : | testCoreData2.swift:89:22:89:37 | ...! : |
| testCoreData2.swift:89:22:89:37 | ...! : | testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] : |
| testCoreData2.swift:89:22:89:37 | .value2 : | testCoreData2.swift:89:22:89:37 | ...! : |
| testCoreData2.swift:91:10:91:10 | bankAccountNo : | testCoreData2.swift:92:10:92:10 | a : |
| testCoreData2.swift:91:10:91:10 | bankAccountNo : | testCoreData2.swift:93:18:93:18 | b : |
| testCoreData2.swift:92:10:92:10 | a : | testCoreData2.swift:70:9:70:9 | self : |
| testCoreData2.swift:92:10:92:10 | a : | testCoreData2.swift:92:10:92:12 | .value : |
| testCoreData2.swift:92:10:92:12 | .value : | testCoreData2.swift:93:18:93:18 | b : |
| testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] : | testCoreData2.swift:93:2:93:2 | [post] dbObj |
| testCoreData2.swift:93:18:93:18 | b : | testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] : |
| testCoreData.swift:18:19:18:26 | value : | testCoreData.swift:19:12:19:12 | value |
| testCoreData.swift:31:3:31:3 | newValue : | testCoreData.swift:32:13:32:13 | newValue |
| testCoreData.swift:61:25:61:25 | password : | testCoreData.swift:18:19:18:26 | value : |
@@ -111,6 +154,8 @@ edges
| testRealm.swift:59:11:59:11 | myPassword : | testRealm.swift:16:6:16:6 | value : |
| testRealm.swift:59:11:59:11 | myPassword : | testRealm.swift:59:2:59:2 | [post] g [data] : |
nodes
| file://:0:0:0:0 | .value2 : | semmle.label | .value2 : |
| file://:0:0:0:0 | .value : | semmle.label | .value : |
| file://:0:0:0:0 | [post] self [data] : | semmle.label | [post] self [data] : |
| file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | semmle.label | [post] self [notStoredBankAccountNumber] : |
| file://:0:0:0:0 | value : | semmle.label | value : |
@@ -152,6 +197,8 @@ nodes
| testCoreData2.swift:65:3:65:3 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:65:3:65:3 | [post] obj [myBankAccountNumber] : | semmle.label | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:65:29:65:29 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:70:9:70:9 | self : | semmle.label | self : |
| testCoreData2.swift:71:9:71:9 | self : | semmle.label | self : |
| testCoreData2.swift:79:2:79:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:79:2:79:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:79:18:79:28 | .bankAccountNo : | semmle.label | .bankAccountNo : |
@@ -159,9 +206,45 @@ nodes
| testCoreData2.swift:80:2:80:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:80:18:80:28 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:80:18:80:28 | .bankAccountNo2 : | semmle.label | .bankAccountNo2 : |
| testCoreData2.swift:82:2:82:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:82:2:82:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:82:18:82:18 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:82:18:82:32 | .value : | semmle.label | .value : |
| testCoreData2.swift:83:2:83:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:83:2:83:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:83:18:83:18 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:83:18:83:32 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:83:18:83:32 | .value2 : | semmle.label | .value2 : |
| testCoreData2.swift:84:2:84:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:84:2:84:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:84:18:84:18 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:84:18:84:18 | bankAccountNo2 : | semmle.label | bankAccountNo2 : |
| testCoreData2.swift:84:18:84:33 | .value : | semmle.label | .value : |
| testCoreData2.swift:85:2:85:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:85:2:85:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:85:18:85:18 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:85:18:85:18 | bankAccountNo2 : | semmle.label | bankAccountNo2 : |
| testCoreData2.swift:85:18:85:33 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:85:18:85:33 | .value2 : | semmle.label | .value2 : |
| testCoreData2.swift:87:2:87:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:87:2:87:10 | [post] ...? [myValue] : | semmle.label | [post] ...? [myValue] : |
| testCoreData2.swift:87:22:87:32 | .bankAccountNo : | semmle.label | .bankAccountNo : |
| testCoreData2.swift:88:2:88:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:88:2:88:10 | [post] ...? [myValue] : | semmle.label | [post] ...? [myValue] : |
| testCoreData2.swift:88:22:88:22 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:88:22:88:36 | .value : | semmle.label | .value : |
| testCoreData2.swift:89:2:89:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:89:2:89:10 | [post] ...? [myValue] : | semmle.label | [post] ...? [myValue] : |
| testCoreData2.swift:89:22:89:22 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:89:22:89:22 | bankAccountNo2 : | semmle.label | bankAccountNo2 : |
| testCoreData2.swift:89:22:89:37 | ...! : | semmle.label | ...! : |
| testCoreData2.swift:89:22:89:37 | .value2 : | semmle.label | .value2 : |
| testCoreData2.swift:91:10:91:10 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:92:10:92:10 | a : | semmle.label | a : |
| testCoreData2.swift:92:10:92:12 | .value : | semmle.label | .value : |
| testCoreData2.swift:93:2:93:2 | [post] dbObj | semmle.label | [post] dbObj |
| testCoreData2.swift:93:2:93:2 | [post] dbObj [myValue] : | semmle.label | [post] dbObj [myValue] : |
| testCoreData2.swift:93:18:93:18 | b : | semmle.label | b : |
| testCoreData.swift:18:19:18:26 | value : | semmle.label | value : |
| testCoreData.swift:19:12:19:12 | value | semmle.label | value |
| testCoreData.swift:31:3:31:3 | newValue : | semmle.label | newValue : |
@@ -302,6 +385,13 @@ nodes
subpaths
| testCoreData2.swift:43:35:43:35 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] : |
| testCoreData2.swift:52:41:52:41 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] : |
| testCoreData2.swift:82:18:82:18 | bankAccountNo : | testCoreData2.swift:70:9:70:9 | self : | file://:0:0:0:0 | .value : | testCoreData2.swift:82:18:82:32 | .value : |
| testCoreData2.swift:83:18:83:18 | bankAccountNo : | testCoreData2.swift:71:9:71:9 | self : | file://:0:0:0:0 | .value2 : | testCoreData2.swift:83:18:83:32 | .value2 : |
| testCoreData2.swift:84:18:84:18 | ...! : | testCoreData2.swift:70:9:70:9 | self : | file://:0:0:0:0 | .value : | testCoreData2.swift:84:18:84:33 | .value : |
| testCoreData2.swift:85:18:85:18 | ...! : | testCoreData2.swift:71:9:71:9 | self : | file://:0:0:0:0 | .value2 : | testCoreData2.swift:85:18:85:33 | .value2 : |
| testCoreData2.swift:88:22:88:22 | bankAccountNo : | testCoreData2.swift:70:9:70:9 | self : | file://:0:0:0:0 | .value : | testCoreData2.swift:88:22:88:36 | .value : |
| testCoreData2.swift:89:22:89:22 | ...! : | testCoreData2.swift:71:9:71:9 | self : | file://:0:0:0:0 | .value2 : | testCoreData2.swift:89:22:89:37 | .value2 : |
| testCoreData2.swift:92:10:92:10 | a : | testCoreData2.swift:70:9:70:9 | self : | file://:0:0:0:0 | .value : | testCoreData2.swift:92:10:92:12 | .value : |
| testRealm.swift:34:11:34:11 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:34:2:34:2 | [post] a [data] : |
| testRealm.swift:42:11:42:11 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:42:2:42:2 | [post] c [data] : |
| testRealm.swift:52:12:52:12 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:52:2:52:3 | [post] ...! [data] : |
@@ -321,7 +411,14 @@ subpaths
| testCoreData2.swift:65:3:65:3 | obj | testCoreData2.swift:65:29:65:29 | bankAccountNo : | testCoreData2.swift:65:3:65:3 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:65:29:65:29 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:79:2:79:2 | dbObj | testCoreData2.swift:79:18:79:28 | .bankAccountNo : | testCoreData2.swift:79:2:79:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:79:18:79:28 | .bankAccountNo : | .bankAccountNo |
| testCoreData2.swift:80:2:80:2 | dbObj | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 : | testCoreData2.swift:80:2:80:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:80:18:80:28 | .bankAccountNo2 : | .bankAccountNo2 |
| testCoreData2.swift:82:2:82:2 | dbObj | testCoreData2.swift:82:18:82:18 | bankAccountNo : | testCoreData2.swift:82:2:82:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:82:18:82:18 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:83:2:83:2 | dbObj | testCoreData2.swift:83:18:83:18 | bankAccountNo : | testCoreData2.swift:83:2:83:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:83:18:83:18 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:84:2:84:2 | dbObj | testCoreData2.swift:84:18:84:18 | bankAccountNo2 : | testCoreData2.swift:84:2:84:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:84:18:84:18 | bankAccountNo2 : | bankAccountNo2 |
| testCoreData2.swift:85:2:85:2 | dbObj | testCoreData2.swift:85:18:85:18 | bankAccountNo2 : | testCoreData2.swift:85:2:85:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:85:18:85:18 | bankAccountNo2 : | bankAccountNo2 |
| testCoreData2.swift:87:2:87:10 | ...? | testCoreData2.swift:87:22:87:32 | .bankAccountNo : | testCoreData2.swift:87:2:87:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:87:22:87:32 | .bankAccountNo : | .bankAccountNo |
| testCoreData2.swift:88:2:88:10 | ...? | testCoreData2.swift:88:22:88:22 | bankAccountNo : | testCoreData2.swift:88:2:88:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:88:22:88:22 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:89:2:89:10 | ...? | testCoreData2.swift:89:22:89:22 | bankAccountNo2 : | testCoreData2.swift:89:2:89:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:89:22:89:22 | bankAccountNo2 : | bankAccountNo2 |
| testCoreData2.swift:93:2:93:2 | dbObj | testCoreData2.swift:91:10:91:10 | bankAccountNo : | testCoreData2.swift:93:2:93:2 | [post] dbObj | This operation stores '[post] dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:91:10:91:10 | bankAccountNo : | bankAccountNo |
| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password : | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password : | password |
| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password : | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password : | password |
| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password |

View File

@@ -79,16 +79,16 @@ func testCoreData2_3(dbObj: MyManagedObject2, maybeObj: MyManagedObject2?, conta
dbObj.myValue = container.bankAccountNo // BAD
dbObj.myValue = container.bankAccountNo2 // BAD
dbObj.myValue = bankAccountNo.value // BAD [NOT DETECTED]
dbObj.myValue = bankAccountNo.value2 // BAD [NOT DETECTED]
dbObj.myValue = bankAccountNo2.value // BAD [NOT DETECTED]
dbObj.myValue = bankAccountNo2.value2 // BAD [NOT DETECTED]
dbObj.myValue = bankAccountNo.value // BAD
dbObj.myValue = bankAccountNo.value2 // BAD
dbObj.myValue = bankAccountNo2.value // BAD
dbObj.myValue = bankAccountNo2.value2 // BAD
maybeObj?.myValue = container.bankAccountNo // BAD
maybeObj?.myValue = bankAccountNo.value // BAD [NOT DETECTED]
maybeObj?.myValue = bankAccountNo2.value2 // BAD [NOT DETECTED]
maybeObj?.myValue = bankAccountNo.value // BAD
maybeObj?.myValue = bankAccountNo2.value2 // BAD
var a = bankAccountNo // sensitive
var b = a.value
dbObj.myValue = b // BAD [NOT DETECTED]
dbObj.myValue = b // BAD
}