Swift: Switch from isSanitizerIn to isSanitizer.

geoffw0 · geoffw0 · commit 0741266ceaa2 · 2022-09-06T13:37:49.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -82,7 +82,9 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
   override predicate isSanitizerIn(DataFlow::Node node) {
     // make sources barriers so that we only report the closest instance
     isSource(node)
-    or
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
     // encryption barrier
     node.asExpr() instanceof EncryptedExpr
   }
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql b/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
@@ -75,7 +75,9 @@ class CleartextTransmissionConfig extends TaintTracking::Configuration {
   override predicate isSanitizerIn(DataFlow::Node node) {
     // make sources barriers so that we only report the closest instance
     isSource(node)
-    or
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
     // encryption barrier
     node.asExpr() instanceof EncryptedExpr
   }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -1,58 +1,35 @@
 edges
 | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  |
-| testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  |
 | testSend.swift:45:13:45:13 | password :  | testSend.swift:52:27:52:27 | str1 |
 | testSend.swift:46:13:46:13 | password :  | testSend.swift:53:27:53:27 | str2 |
 | testSend.swift:47:13:47:25 | call to pad(_:) :  | testSend.swift:54:27:54:27 | str3 |
 | testSend.swift:47:17:47:17 | password :  | testSend.swift:41:10:41:18 | data :  |
 | testSend.swift:47:17:47:17 | password :  | testSend.swift:47:13:47:25 | call to pad(_:) :  |
-| testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  | testSend.swift:55:27:55:27 | str4 |
-| testSend.swift:48:23:48:23 | password :  | testSend.swift:42:16:42:24 | data :  |
-| testSend.swift:48:23:48:23 | password :  | testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  |
-| testSend.swift:49:13:49:36 | call to pad(_:) :  | testSend.swift:56:27:56:27 | str5 |
-| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:41:10:41:18 | data :  |
-| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:49:13:49:36 | call to pad(_:) :  |
-| testSend.swift:49:27:49:27 | password :  | testSend.swift:42:16:42:24 | data :  |
-| testSend.swift:49:27:49:27 | password :  | testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  |
 | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
 nodes
 | testSend.swift:29:19:29:19 | passwordPlain | semmle.label | passwordPlain |
 | testSend.swift:41:10:41:18 | data :  | semmle.label | data :  |
 | testSend.swift:41:45:41:45 | data :  | semmle.label | data :  |
-| testSend.swift:42:16:42:24 | data :  | semmle.label | data :  |
-| testSend.swift:42:51:42:51 | data :  | semmle.label | data :  |
 | testSend.swift:45:13:45:13 | password :  | semmle.label | password :  |
 | testSend.swift:46:13:46:13 | password :  | semmle.label | password :  |
 | testSend.swift:47:13:47:25 | call to pad(_:) :  | semmle.label | call to pad(_:) :  |
 | testSend.swift:47:17:47:17 | password :  | semmle.label | password :  |
-| testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  | semmle.label | call to aes_crypt(_:) :  |
-| testSend.swift:48:23:48:23 | password :  | semmle.label | password :  |
-| testSend.swift:49:13:49:36 | call to pad(_:) :  | semmle.label | call to pad(_:) :  |
-| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | semmle.label | call to aes_crypt(_:) :  |
-| testSend.swift:49:27:49:27 | password :  | semmle.label | password :  |
 | testSend.swift:52:27:52:27 | str1 | semmle.label | str1 |
 | testSend.swift:53:27:53:27 | str2 | semmle.label | str2 |
 | testSend.swift:54:27:54:27 | str3 | semmle.label | str3 |
-| testSend.swift:55:27:55:27 | str4 | semmle.label | str4 |
-| testSend.swift:56:27:56:27 | str5 | semmle.label | str5 |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:13:54:13:54 | passwd :  | semmle.label | passwd :  |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no :  | semmle.label | credit_card_no :  |
 | testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
 subpaths
 | testSend.swift:47:17:47:17 | password :  | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  | testSend.swift:47:13:47:25 | call to pad(_:) :  |
-| testSend.swift:48:23:48:23 | password :  | testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  | testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  |
-| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  | testSend.swift:49:13:49:36 | call to pad(_:) :  |
-| testSend.swift:49:27:49:27 | password :  | testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  | testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  |
 #select
 | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@ | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
 | testSend.swift:52:27:52:27 | str1 | testSend.swift:45:13:45:13 | password :  | testSend.swift:52:27:52:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@ | testSend.swift:45:13:45:13 | password :  | password |
 | testSend.swift:53:27:53:27 | str2 | testSend.swift:46:13:46:13 | password :  | testSend.swift:53:27:53:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@ | testSend.swift:46:13:46:13 | password :  | password |
 | testSend.swift:54:27:54:27 | str3 | testSend.swift:47:17:47:17 | password :  | testSend.swift:54:27:54:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@ | testSend.swift:47:17:47:17 | password :  | password |
-| testSend.swift:55:27:55:27 | str4 | testSend.swift:48:23:48:23 | password :  | testSend.swift:55:27:55:27 | str4 | This operation transmits 'str4', which may contain unencrypted sensitive data from $@ | testSend.swift:48:23:48:23 | password :  | password |
-| testSend.swift:56:27:56:27 | str5 | testSend.swift:49:27:49:27 | password :  | testSend.swift:56:27:56:27 | str5 | This operation transmits 'str5', which may contain unencrypted sensitive data from $@ | testSend.swift:49:27:49:27 | password :  | password |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:16:55:16:55 | credit_card_no :  | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:20:22:20:22 | passwd | passwd |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testSend.swift b/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
@@ -52,7 +52,7 @@ func test2(password : String, connection : NWConnection) {
 	connection.send(content: str1, completion: .idempotent) // BAD
 	connection.send(content: str2, completion: .idempotent) // BAD
 	connection.send(content: str3, completion: .idempotent) // BAD
-	connection.send(content: str4, completion: .idempotent) // GOOD (encrypted) [FALSE POSITIVE]
-	connection.send(content: str5, completion: .idempotent) // GOOD (encrypted) [FALSE POSITIVE]
+	connection.send(content: str4, completion: .idempotent) // GOOD (encrypted)
+	connection.send(content: str5, completion: .idempotent) // GOOD (encrypted)
 	connection.send(content: str6, completion: .idempotent) // GOOD (encrypted)
 }
