Swift: Exclude tel:, mailto: and similar URLs from the query.

geoffw0 · geoffw0 · commit 446c9921817c · 2024-08-13T11:23:40.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -7,6 +7,7 @@ import swift
 import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.ExternalFlow
+import codeql.swift.dataflow.TaintTracking
 
 /**
  * A dataflow sink for cleartext transmission vulnerabilities. That is,
@@ -48,20 +49,45 @@ private class AlamofireTransmittedSink extends CleartextTransmissionSink {
   }
 }
 
+/**
+ * A call to `URL.init`.
+ */
+private predicate urlInit(CallExpr urlInit, Expr withString) {
+  urlInit
+      .getStaticTarget()
+      .(Method)
+      .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
+  urlInit.getArgument(0).getExpr() = withString
+}
+
+/**
+ * A data flow configuration for tracking string literals representing `tel:` and similar
+ * URLs to creation of URL objects.
+ */
+private module ExcludeUrlConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node.asExpr()
+        .(StringLiteralExpr)
+        .getValue()
+        .regexpMatch("^(mailto|file|tel|telprompt|callto|sms):.*")
+  }
+
+  predicate isSink(DataFlow::Node node) { urlInit(_, node.asExpr()) }
+}
+
+private module ExcludeUrlFlow = TaintTracking::Global<ExcludeUrlConfig>;
+
 /**
  * A `URL` that is a sink for this query. Not all URLs are considered sinks, depending
  * on their content.
  */
-private class URLTransmittedSink extends CleartextTransmissionSink {
-  URLTransmittedSink() {
-    // sinks are the first argument containing the URL, and the `parameters`
-    // and `headers` arguments to appropriate methods of `Session`.
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(Method)
-          .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
-      call.getArgument(0).getExpr() = this.asExpr()
-    )
+private class UrlTransmittedSink extends CleartextTransmissionSink {
+  UrlTransmittedSink() {
+    urlInit(_, this.asExpr()) and
+    // exclude `tel:` and similar URLs. These URLs necessarily contain
+    // sensitive data which you expect to transmit only by making the
+    // phone call (or similar operation).
+    not ExcludeUrlFlow::flow(_, this)
   }
 }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -33,15 +33,7 @@ edges
 | testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | testURL.swift:105:6:105:10 | let ...? [some:0] | provenance |  |
 | testURL.swift:105:32:105:32 | data | testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | provenance |  |
 | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | provenance |  |
-| testURL.swift:117:28:117:28 | email | testURL.swift:117:18:117:18 | "..." | provenance |  |
-| testURL.swift:118:53:118:53 | secret_key | testURL.swift:118:18:118:18 | "..." | provenance |  |
-| testURL.swift:119:60:119:60 | email | testURL.swift:119:18:119:18 | "..." | provenance |  |
 | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | provenance |  |
-| testURL.swift:124:25:124:25 | phone_number | testURL.swift:124:18:124:18 | "..." | provenance |  |
-| testURL.swift:125:31:125:31 | phone_number | testURL.swift:125:18:125:18 | "..." | provenance |  |
-| testURL.swift:126:28:126:28 | phone_number | testURL.swift:126:18:126:18 | "..." | provenance |  |
-| testURL.swift:127:25:127:25 | phone_number | testURL.swift:127:18:127:18 | "..." | provenance |  |
-| testURL.swift:131:37:131:37 | account_no | testURL.swift:131:18:131:18 | "..." | provenance |  |
 | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | provenance |  |
 nodes
 | file://:0:0:0:0 | .value | semmle.label | .value |
@@ -103,24 +95,8 @@ nodes
 | testURL.swift:106:20:106:20 | "..." | semmle.label | "..." |
 | testURL.swift:116:18:116:18 | "..." | semmle.label | "..." |
 | testURL.swift:116:52:116:52 | email | semmle.label | email |
-| testURL.swift:117:18:117:18 | "..." | semmle.label | "..." |
-| testURL.swift:117:28:117:28 | email | semmle.label | email |
-| testURL.swift:118:18:118:18 | "..." | semmle.label | "..." |
-| testURL.swift:118:53:118:53 | secret_key | semmle.label | secret_key |
-| testURL.swift:119:18:119:18 | "..." | semmle.label | "..." |
-| testURL.swift:119:60:119:60 | email | semmle.label | email |
 | testURL.swift:123:18:123:18 | "..." | semmle.label | "..." |
 | testURL.swift:123:52:123:52 | phone_number | semmle.label | phone_number |
-| testURL.swift:124:18:124:18 | "..." | semmle.label | "..." |
-| testURL.swift:124:25:124:25 | phone_number | semmle.label | phone_number |
-| testURL.swift:125:18:125:18 | "..." | semmle.label | "..." |
-| testURL.swift:125:31:125:31 | phone_number | semmle.label | phone_number |
-| testURL.swift:126:18:126:18 | "..." | semmle.label | "..." |
-| testURL.swift:126:28:126:28 | phone_number | semmle.label | phone_number |
-| testURL.swift:127:18:127:18 | "..." | semmle.label | "..." |
-| testURL.swift:127:25:127:25 | phone_number | semmle.label | phone_number |
-| testURL.swift:131:18:131:18 | "..." | semmle.label | "..." |
-| testURL.swift:131:37:131:37 | account_no | semmle.label | account_no |
 | testURL.swift:132:18:132:18 | "..." | semmle.label | "..." |
 | testURL.swift:132:39:132:39 | account_no | semmle.label | account_no |
 subpaths
@@ -155,13 +131,5 @@ subpaths
 | testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate |
 | testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) |
 | testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email |
-| testURL.swift:117:18:117:18 | "..." | testURL.swift:117:28:117:28 | email | testURL.swift:117:18:117:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:117:28:117:28 | email | email |
-| testURL.swift:118:18:118:18 | "..." | testURL.swift:118:53:118:53 | secret_key | testURL.swift:118:18:118:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:118:53:118:53 | secret_key | secret_key |
-| testURL.swift:119:18:119:18 | "..." | testURL.swift:119:60:119:60 | email | testURL.swift:119:18:119:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:119:60:119:60 | email | email |
 | testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number |
-| testURL.swift:124:18:124:18 | "..." | testURL.swift:124:25:124:25 | phone_number | testURL.swift:124:18:124:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:124:25:124:25 | phone_number | phone_number |
-| testURL.swift:125:18:125:18 | "..." | testURL.swift:125:31:125:31 | phone_number | testURL.swift:125:18:125:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:125:31:125:31 | phone_number | phone_number |
-| testURL.swift:126:18:126:18 | "..." | testURL.swift:126:28:126:28 | phone_number | testURL.swift:126:18:126:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:126:28:126:28 | phone_number | phone_number |
-| testURL.swift:127:18:127:18 | "..." | testURL.swift:127:25:127:25 | phone_number | testURL.swift:127:18:127:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:127:25:127:25 | phone_number | phone_number |
-| testURL.swift:131:18:131:18 | "..." | testURL.swift:131:37:131:37 | account_no | testURL.swift:131:18:131:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:131:37:131:37 | account_no | account_no |
 | testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -114,20 +114,20 @@ func test5() {
 	let secret_key = get_string()
 
 	_ = URL(string: "http://example.com/login?email=\(email)"); // BAD
-	_ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected) [FALSE POSITIVE]
-	_ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD
-	_ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD [FALSE POSITIVE]
+	_ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected)
+	_ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD [NOT DETECTED]
+	_ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD
 
 	let phone_number = get_string()
 
 	_ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // BAD
-	_ = URL(string: "tel:\(phone_number)") // GOOD [FALSE POSITIVE]
-	_ = URL(string: "telprompt:\(phone_number)") // GOOD [FALSE POSITIVE]
-	_ = URL(string: "callto:\(phone_number)") // GOOD [FALSE POSITIVE]
-	_ = URL(string: "sms:\(phone_number)") // GOOD [FALSE POSITIVE]
+	_ = URL(string: "tel:\(phone_number)") // GOOD
+	_ = URL(string: "telprompt:\(phone_number)") // GOOD
+	_ = URL(string: "callto:\(phone_number)") // GOOD
+	_ = URL(string: "sms:\(phone_number)") // GOOD
 
 	let account_no = get_string()
 
-	_ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted) [FALSE POSITIVE]
+	_ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted)
 	_ = URL(string: "ftp://example.com/\(account_no).csv") // BAD
 }
