Merge pull request github#12045 from atorralba/atorralba/more-custom-url-schemes

atorralba · web-flow · commit 407e7cbbded2 · 2023-02-01T17:40:20.000+01:00
Swift: Add more sources for custom URL schemes
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll
@@ -2,6 +2,7 @@ import swift
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
 private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.FlowSteps
 
 /**
  * A model for custom URL remote flow sources. iOS apps can receive arbitrary
@@ -14,10 +15,14 @@ private class CustomUrlRemoteFlowSource extends SourceModelCsv {
         ";UIApplicationDelegate;true;application(_:open:options:);;;Parameter[1];remote",
         ";UIApplicationDelegate;true;application(_:handleOpen:);;;Parameter[1];remote",
         ";UIApplicationDelegate;true;application(_:open:sourceApplication:annotation:);;;Parameter[1];remote",
-        // TODO: The actual source is the value of `UIApplication.LaunchOptionsKey.url` in the launchOptions dictionary.
+        // TODO 1: The actual source is the value of `UIApplication.LaunchOptionsKey.url` in the launchOptions dictionary.
         //       Use dictionary value contents when available.
         // ";UIApplicationDelegate;true;application(_:didFinishLaunchingWithOptions:);;;Parameter[1].MapValue;remote",
         // ";UIApplicationDelegate;true;application(_:willFinishLaunchingWithOptions:);;;Parameter[1].MapValue;remote"
+        ";UISceneDelegate;true;scene(_:continue:);;;Parameter[1];remote",
+        ";UISceneDelegate;true;scene(_:didUpdate:);;;Parameter[1];remote",
+        ";UISceneDelegate;true;scene(_:openURLContexts:);;;Parameter[1];remote",
+        ";UISceneDelegate;true;scene(_:willConnectTo:options:);;;Parameter[2];remote"
       ]
   }
 }
@@ -27,7 +32,7 @@ private class CustomUrlRemoteFlowSource extends SourceModelCsv {
  * `UIApplicationDelegate.application(_:didFinishLaunchingWithOptions:)` or
  * `UIApplicationDelegate.application(_:willFinishLaunchingWithOptions:)`.
  */
-// This is a temporary workaround until the TODO above is addressed.
+// This is a temporary workaround until the TODO 1 above is addressed.
 private class UrlLaunchOptionsRemoteFlowSource extends RemoteFlowSource {
   UrlLaunchOptionsRemoteFlowSource() {
     exists(ApplicationWithLaunchOptionsFunc f, SubscriptExpr e |
@@ -56,3 +61,37 @@ private class LaunchOptionsUrlVarDecl extends VarDecl {
     this.getName() = "url"
   }
 }
+
+/**
+ * A content implying that, if a `UIOpenURLContext` is tainted, then its field `url` is also tainted.
+ */
+private class UiOpenUrlContextUrlInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  UiOpenUrlContextUrlInheritTaint() {
+    this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "UIOpenURLContext" and
+    this.getField().getName() = "url"
+  }
+}
+
+/**
+ * A content implying that, if a `NSUserActivity` is tainted, then its field `webpageURL` is also tainted.
+ */
+private class UserActivityUrlInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  UserActivityUrlInheritTaint() {
+    this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "NSUserActivity" and
+    this.getField().getName() = "webpageURL"
+  }
+}
+
+/**
+ * A content implying that, if a `UIScene.ConnectionOptions` is tainted, then its fields
+ * `userActivities` and `urlContexts` are also tainted.
+ */
+private class ConnectionOptionsFieldsInheritTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  ConnectionOptionsFieldsInheritTaint() {
+    this.getField().getEnclosingDecl().(NominalTypeDecl).getName() = "ConnectionOptions" and
+    this.getField().getName() = ["userActivities", "urlContexts"]
+  }
+}
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected b/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected
@@ -17,11 +17,19 @@
 | alamofire.swift:448:20:448:49 | call to String.init(contentsOfFile:) | external |
 | alamofire.swift:455:23:455:32 | .data | external |
 | alamofire.swift:461:23:461:32 | .data | external |
-| customurlschemes.swift:30:44:30:54 | url | external |
-| customurlschemes.swift:34:52:34:68 | url | external |
-| customurlschemes.swift:38:52:38:62 | url | external |
-| customurlschemes.swift:43:9:43:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
-| customurlschemes.swift:48:9:48:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
+| customurlschemes.swift:53:44:53:54 | url | external |
+| customurlschemes.swift:57:52:57:68 | url | external |
+| customurlschemes.swift:61:52:61:62 | url | external |
+| customurlschemes.swift:66:9:66:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
+| customurlschemes.swift:71:9:71:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
+| customurlschemes.swift:77:59:77:76 | options | external |
+| customurlschemes.swift:78:28:78:38 | continue | external |
+| customurlschemes.swift:79:28:79:39 | didUpdate | external |
+| customurlschemes.swift:80:28:80:65 | openURLContexts | external |
+| customurlschemes.swift:86:59:86:76 | options | external |
+| customurlschemes.swift:87:28:87:38 | continue | external |
+| customurlschemes.swift:88:28:88:39 | didUpdate | external |
+| customurlschemes.swift:89:28:89:65 | openURLContexts | external |
 | data.swift:18:20:18:54 | call to Data.init(contentsOf:options:) | external |
 | file://:0:0:0:0 | .data | external |
 | file://:0:0:0:0 | .result | external |
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift b/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift
@@ -24,6 +24,29 @@ protocol UIApplicationDelegate {
     func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool
 }
 
+class UIScene {
+    class ConnectionOptions {}
+}
+
+class UISceneSession {}
+
+class NSUserActivity {}
+
+class UIOpenURLContext: Hashable {
+    static func == (lhs: UIOpenURLContext, rhs: UIOpenURLContext) -> Bool {
+        return true;
+    }
+
+    func hash(into hasher: inout Hasher) {}
+}
+
+protocol UISceneDelegate {
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions)
+    func scene(_: UIScene, continue: NSUserActivity)
+    func scene(_: UIScene, didUpdate: NSUserActivity)
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>)
+}
+
 // --- tests ---
 
 class AppDelegate: UIApplicationDelegate {
@@ -48,5 +71,20 @@ class AppDelegate: UIApplicationDelegate {
         launchOptions?[.url] // SOURCE
         return true
     }
+}
+
+class SceneDelegate : UISceneDelegate {
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // SOURCE
+    func scene(_: UIScene, continue: NSUserActivity) {} // SOURCE
+    func scene(_: UIScene, didUpdate: NSUserActivity) {} // SOURCE
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // SOURCE
+}
+
+class Extended {}
 
+extension Extended : UISceneDelegate {
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // SOURCE
+    func scene(_: UIScene, continue: NSUserActivity) {} // SOURCE
+    func scene(_: UIScene, didUpdate: NSUserActivity) {} // SOURCE
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // SOURCE
 }
diff --git a/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected b/swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
@@ -964,6 +964,128 @@
 | try.swift:17:18:17:24 | call to clean() | try.swift:17:13:17:24 | try? ... |
 | try.swift:18:13:18:25 | try? ... | try.swift:18:12:18:27 | ...! |
 | try.swift:18:18:18:25 | call to source() | try.swift:18:13:18:25 | try? ... |
+| ui.swift:3:8:3:8 | SSA def(self) | ui.swift:3:8:3:8 | self[return] |
+| ui.swift:3:8:3:8 | self | ui.swift:3:8:3:8 | SSA def(self) |
+| ui.swift:5:7:5:7 | SSA def(self) | ui.swift:5:7:5:7 | self[return] |
+| ui.swift:5:7:5:7 | SSA def(self) | ui.swift:5:7:5:7 | self[return] |
+| ui.swift:5:7:5:7 | self | ui.swift:5:7:5:7 | SSA def(self) |
+| ui.swift:5:7:5:7 | self | ui.swift:5:7:5:7 | SSA def(self) |
+| ui.swift:6:17:6:17 | SSA def(self) | ui.swift:6:5:8:5 | self[return] |
+| ui.swift:6:17:6:17 | self | ui.swift:6:17:6:17 | SSA def(self) |
+| ui.swift:10:10:10:10 | SSA def(self) | ui.swift:10:5:10:43 | self[return] |
+| ui.swift:10:10:10:10 | self | ui.swift:10:10:10:10 | SSA def(self) |
+| ui.swift:10:15:10:34 | SSA def(hasher) | ui.swift:10:5:10:43 | hasher[return] |
+| ui.swift:10:15:10:34 | hasher | ui.swift:10:15:10:34 | SSA def(hasher) |
+| ui.swift:13:7:13:7 | SSA def(self) | ui.swift:13:7:13:7 | self[return] |
+| ui.swift:13:7:13:7 | SSA def(self) | ui.swift:13:7:13:7 | self[return] |
+| ui.swift:13:7:13:7 | self | ui.swift:13:7:13:7 | SSA def(self) |
+| ui.swift:13:7:13:7 | self | ui.swift:13:7:13:7 | SSA def(self) |
+| ui.swift:15:7:15:7 | SSA def(self) | ui.swift:15:7:15:7 | self[return] |
+| ui.swift:15:7:15:7 | SSA def(self) | ui.swift:15:7:15:7 | self[return] |
+| ui.swift:15:7:15:7 | self | ui.swift:15:7:15:7 | SSA def(self) |
+| ui.swift:15:7:15:7 | self | ui.swift:15:7:15:7 | SSA def(self) |
+| ui.swift:16:9:16:9 | self | ui.swift:16:9:16:9 | SSA def(self) |
+| ui.swift:16:9:16:9 | self | ui.swift:16:9:16:9 | SSA def(self) |
+| ui.swift:16:9:16:9 | self | ui.swift:16:9:16:9 | SSA def(self) |
+| ui.swift:16:9:16:9 | value | ui.swift:16:9:16:9 | SSA def(value) |
+| ui.swift:17:9:17:9 | self | ui.swift:17:9:17:9 | SSA def(self) |
+| ui.swift:17:9:17:9 | self | ui.swift:17:9:17:9 | SSA def(self) |
+| ui.swift:17:9:17:9 | self | ui.swift:17:9:17:9 | SSA def(self) |
+| ui.swift:17:9:17:9 | value | ui.swift:17:9:17:9 | SSA def(value) |
+| ui.swift:19:17:19:17 | SSA def(self) | ui.swift:19:5:21:5 | self[return] |
+| ui.swift:19:17:19:17 | self | ui.swift:19:17:19:17 | SSA def(self) |
+| ui.swift:23:10:23:10 | SSA def(self) | ui.swift:23:5:23:43 | self[return] |
+| ui.swift:23:10:23:10 | self | ui.swift:23:10:23:10 | SSA def(self) |
+| ui.swift:23:15:23:34 | SSA def(hasher) | ui.swift:23:5:23:43 | hasher[return] |
+| ui.swift:23:15:23:34 | hasher | ui.swift:23:15:23:34 | SSA def(hasher) |
+| ui.swift:26:8:26:8 | SSA def(self) | ui.swift:26:8:26:8 | self[return] |
+| ui.swift:26:8:26:8 | self | ui.swift:26:8:26:8 | SSA def(self) |
+| ui.swift:28:7:28:7 | SSA def(self) | ui.swift:28:7:28:7 | self[return] |
+| ui.swift:28:7:28:7 | SSA def(self) | ui.swift:28:7:28:7 | self[return] |
+| ui.swift:28:7:28:7 | self | ui.swift:28:7:28:7 | SSA def(self) |
+| ui.swift:28:7:28:7 | self | ui.swift:28:7:28:7 | SSA def(self) |
+| ui.swift:30:7:30:7 | SSA def(self) | ui.swift:30:7:30:7 | self[return] |
+| ui.swift:30:7:30:7 | SSA def(self) | ui.swift:30:7:30:7 | self[return] |
+| ui.swift:30:7:30:7 | self | ui.swift:30:7:30:7 | SSA def(self) |
+| ui.swift:30:7:30:7 | self | ui.swift:30:7:30:7 | SSA def(self) |
+| ui.swift:31:11:31:11 | SSA def(self) | ui.swift:31:11:31:11 | self[return] |
+| ui.swift:31:11:31:11 | SSA def(self) | ui.swift:31:11:31:11 | self[return] |
+| ui.swift:31:11:31:11 | self | ui.swift:31:11:31:11 | SSA def(self) |
+| ui.swift:31:11:31:11 | self | ui.swift:31:11:31:11 | SSA def(self) |
+| ui.swift:32:13:32:13 | self | ui.swift:32:13:32:13 | SSA def(self) |
+| ui.swift:32:13:32:13 | self | ui.swift:32:13:32:13 | SSA def(self) |
+| ui.swift:32:13:32:13 | self | ui.swift:32:13:32:13 | SSA def(self) |
+| ui.swift:32:13:32:13 | value | ui.swift:32:13:32:13 | SSA def(value) |
+| ui.swift:33:13:33:13 | self | ui.swift:33:13:33:13 | SSA def(self) |
+| ui.swift:33:13:33:13 | self | ui.swift:33:13:33:13 | SSA def(self) |
+| ui.swift:33:13:33:13 | self | ui.swift:33:13:33:13 | SSA def(self) |
+| ui.swift:33:13:33:13 | value | ui.swift:33:13:33:13 | SSA def(value) |
+| ui.swift:34:13:34:13 | self | ui.swift:34:13:34:13 | SSA def(self) |
+| ui.swift:34:13:34:13 | self | ui.swift:34:13:34:13 | SSA def(self) |
+| ui.swift:34:13:34:13 | self | ui.swift:34:13:34:13 | SSA def(self) |
+| ui.swift:34:13:34:13 | value | ui.swift:34:13:34:13 | SSA def(value) |
+| ui.swift:35:13:35:13 | self | ui.swift:35:13:35:13 | SSA def(self) |
+| ui.swift:35:13:35:13 | self | ui.swift:35:13:35:13 | SSA def(self) |
+| ui.swift:35:13:35:13 | self | ui.swift:35:13:35:13 | SSA def(self) |
+| ui.swift:35:13:35:13 | value | ui.swift:35:13:35:13 | SSA def(value) |
+| ui.swift:36:13:36:13 | self | ui.swift:36:13:36:13 | SSA def(self) |
+| ui.swift:36:13:36:13 | self | ui.swift:36:13:36:13 | SSA def(self) |
+| ui.swift:36:13:36:13 | self | ui.swift:36:13:36:13 | SSA def(self) |
+| ui.swift:36:13:36:13 | value | ui.swift:36:13:36:13 | SSA def(value) |
+| ui.swift:37:13:37:13 | self | ui.swift:37:13:37:13 | SSA def(self) |
+| ui.swift:37:13:37:13 | self | ui.swift:37:13:37:13 | SSA def(self) |
+| ui.swift:37:13:37:13 | self | ui.swift:37:13:37:13 | SSA def(self) |
+| ui.swift:37:13:37:13 | value | ui.swift:37:13:37:13 | SSA def(value) |
+| ui.swift:38:13:38:13 | self | ui.swift:38:13:38:13 | SSA def(self) |
+| ui.swift:38:13:38:13 | self | ui.swift:38:13:38:13 | SSA def(self) |
+| ui.swift:38:13:38:13 | self | ui.swift:38:13:38:13 | SSA def(self) |
+| ui.swift:38:13:38:13 | value | ui.swift:38:13:38:13 | SSA def(value) |
+| ui.swift:41:11:41:11 | SSA def(self) | ui.swift:41:11:41:11 | self[return] |
+| ui.swift:41:11:41:11 | SSA def(self) | ui.swift:41:11:41:11 | self[return] |
+| ui.swift:41:11:41:11 | self | ui.swift:41:11:41:11 | SSA def(self) |
+| ui.swift:41:11:41:11 | self | ui.swift:41:11:41:11 | SSA def(self) |
+| ui.swift:50:9:50:9 | SSA def(safe) | ui.swift:53:10:53:10 | safe |
+| ui.swift:50:16:50:33 | call to UIOpenURLContext.init() | ui.swift:50:9:50:9 | SSA def(safe) |
+| ui.swift:51:9:51:9 | SSA def(tainted) | ui.swift:55:10:55:10 | tainted |
+| ui.swift:51:19:51:26 | call to source() | ui.swift:51:9:51:9 | SSA def(tainted) |
+| ui.swift:53:10:53:10 | [post] safe | ui.swift:54:10:54:10 | safe |
+| ui.swift:53:10:53:10 | safe | ui.swift:53:10:53:15 | .url |
+| ui.swift:53:10:53:10 | safe | ui.swift:54:10:54:10 | safe |
+| ui.swift:55:10:55:10 | [post] tainted | ui.swift:56:10:56:10 | tainted |
+| ui.swift:55:10:55:10 | tainted | ui.swift:55:10:55:18 | .url |
+| ui.swift:55:10:55:10 | tainted | ui.swift:56:10:56:10 | tainted |
+| ui.swift:60:9:60:9 | SSA def(safe) | ui.swift:63:10:63:10 | safe |
+| ui.swift:60:16:60:42 | call to UIScene.ConnectionOptions.init() | ui.swift:60:9:60:9 | SSA def(safe) |
+| ui.swift:61:9:61:9 | SSA def(tainted) | ui.swift:64:10:64:10 | tainted |
+| ui.swift:61:19:61:26 | call to source() | ui.swift:61:9:61:9 | SSA def(tainted) |
+| ui.swift:63:10:63:10 | [post] safe | ui.swift:65:10:65:10 | safe |
+| ui.swift:63:10:63:10 | safe | ui.swift:63:10:63:15 | .userActivities |
+| ui.swift:63:10:63:10 | safe | ui.swift:65:10:65:10 | safe |
+| ui.swift:64:10:64:10 | [post] tainted | ui.swift:66:10:66:10 | tainted |
+| ui.swift:64:10:64:10 | tainted | ui.swift:64:10:64:18 | .userActivities |
+| ui.swift:64:10:64:10 | tainted | ui.swift:66:10:66:10 | tainted |
+| ui.swift:65:10:65:10 | [post] safe | ui.swift:67:10:67:10 | safe |
+| ui.swift:65:10:65:10 | safe | ui.swift:67:10:67:10 | safe |
+| ui.swift:66:10:66:10 | [post] tainted | ui.swift:68:10:68:10 | tainted |
+| ui.swift:66:10:66:10 | tainted | ui.swift:68:10:68:10 | tainted |
+| ui.swift:67:10:67:10 | [post] safe | ui.swift:69:10:69:10 | safe |
+| ui.swift:67:10:67:10 | safe | ui.swift:67:10:67:15 | .urlContexts |
+| ui.swift:67:10:67:10 | safe | ui.swift:69:10:69:10 | safe |
+| ui.swift:68:10:68:10 | [post] tainted | ui.swift:70:10:70:10 | tainted |
+| ui.swift:68:10:68:10 | tainted | ui.swift:68:10:68:18 | .urlContexts |
+| ui.swift:68:10:68:10 | tainted | ui.swift:70:10:70:10 | tainted |
+| ui.swift:69:10:69:10 | [post] safe | ui.swift:71:10:71:10 | safe |
+| ui.swift:69:10:69:10 | safe | ui.swift:71:10:71:10 | safe |
+| ui.swift:70:10:70:10 | [post] tainted | ui.swift:72:10:72:10 | tainted |
+| ui.swift:70:10:70:10 | tainted | ui.swift:72:10:72:10 | tainted |
+| ui.swift:71:10:71:10 | [post] safe | ui.swift:73:10:73:10 | safe |
+| ui.swift:71:10:71:10 | safe | ui.swift:73:10:73:10 | safe |
+| ui.swift:72:10:72:10 | [post] tainted | ui.swift:74:10:74:10 | tainted |
+| ui.swift:72:10:72:10 | tainted | ui.swift:74:10:74:10 | tainted |
+| ui.swift:73:10:73:10 | [post] safe | ui.swift:75:10:75:10 | safe |
+| ui.swift:73:10:73:10 | safe | ui.swift:75:10:75:10 | safe |
+| ui.swift:74:10:74:10 | [post] tainted | ui.swift:76:10:76:10 | tainted |
+| ui.swift:74:10:74:10 | tainted | ui.swift:76:10:76:10 | tainted |
 | url.swift:2:7:2:7 | SSA def(self) | url.swift:2:7:2:7 | self[return] |
 | url.swift:2:7:2:7 | SSA def(self) | url.swift:2:7:2:7 | self[return] |
 | url.swift:2:7:2:7 | self | url.swift:2:7:2:7 | SSA def(self) |
diff --git a/swift/ql/test/library-tests/dataflow/taint/Taint.expected b/swift/ql/test/library-tests/dataflow/taint/Taint.expected
diff --git a/swift/ql/test/library-tests/dataflow/taint/ui.swift b/swift/ql/test/library-tests/dataflow/taint/ui.swift
