Swift: Initial CleartextStoragePreferences impl.

Clearly based on CleartextStorageDatabase by @geoffw0.

Author: d10c

swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Sensitive information that is stored unencrypted in the defaults database is accessible to an attacker who gains access to that database. For example, the information could be accessed by any process or user in a rooted device, or exposed through another vulnerability.</p>
+
+</overview>
+<recommendation>
+
+<p>Either store the data in an encrypted database, or ensure that each piece of sensitive information is encrypted before being stored. In general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext. Avoid storing sensitive information at all if you do not need to keep it.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows three cases of storing information using NSUserDefaults. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+
+<sample src="CleartextStoragePreferences.swift" />
+
+</example>
+<references>
+
+<li>
+  OWASP Top 10:2021:
+  <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
+</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql

@@ -0,0 +1,105 @@
+/**
+ * @name Cleartext storage of sensitive information in application preferences
+ * @description Storing sensitive information in a non-encrypted database can expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id swift/cleartext-storage-preferences
+ * @tags security
+ *       external/cwe/cwe-312
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * A `DataFlow::Node` of something that gets stored in a preferences store.
+ */
+abstract class Stored extends DataFlow::Node {
+  abstract string getStoreName();
+}
+
+/** The `DataFlow::Node` of an expression that gets written to the defaults database */
+class UserDefaultsStore extends Stored {
+  UserDefaultsStore() {
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = ["UserDefaults"] and
+      c.getAMember() = f and
+      f.getName() = ["set(_:forKey:)"] and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "the user defaults database" }
+}
+
+/** The `DataFlow::Node` of an expression that gets written to iCloud */
+class NSUbiquitousKeyValueStore extends Stored {
+  NSUbiquitousKeyValueStore() {
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = ["NSUbiquitousKeyValueStore"] and
+      c.getAMember() = f and
+      f.getName() = ["set(_:forKey:)"] and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "iCloud" }
+}
+
+/**
+ * TODO: A more complicated case, this is a macOS-only way of writing to
+ * NSUserDefaults by modifying the `NSUserDefaultsController.values: Any`
+ * object via reflection (`perform(Selector)`) or the `NSKeyValueCoding`, `NSKeyValueBindingCreation` APIs.
+ */
+class NSUserDefaultsControllerStore extends Stored {
+  NSUserDefaultsControllerStore() { none() }
+
+  override string getStoreName() { result = "the user defaults database" }
+}
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored as preferences.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof Stored }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // encryption barrier
+    node.asExpr() instanceof EncryptedExpr
+  }
+}
+
+/**
+ * Gets a prettier node to use in the results.
+ */
+DataFlow::Node cleanupNode(DataFlow::Node n) {
+  result = n.(DataFlow::PostUpdateNode).getPreUpdateNode()
+  or
+  not n instanceof DataFlow::PostUpdateNode and
+  result = n
+}
+
+from CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select cleanupNode(sinkNode.getNode()), sourceNode, sinkNode,
+  "This operation stores '" + sinkNode.getNode().toString() + "' in " +
+    sinkNode.getNode().(Stored).getStoreName() +
+    ". It may contain unencrypted sensitive data from $@", sourceNode,
+  sourceNode.getNode().toString()

swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.swift

@@ -0,0 +1,15 @@
+
+func storeMyData(faveSong : String, creditCardNo : String) {
+	// ...
+
+	// GOOD: not sensitive information
+	UserDefaults.standard.set(faveSong, forKey: "myFaveSong")
+
+	// BAD: sensitive information saved in cleartext
+	UserDefaults.standard.set(creditCardNo, forKey: "myCreditCardNo")
+
+	// GOOD: encrypted sensitive information saved
+	UserDefaults.standard.set(encrypt(creditCardNo), forKey: "myCreditCardNo")
+
+	// ...
+}