Swift: Convert URL sinks for swift/cleartext-transmission to be defined in QL.

geoffw0 · geoffw0 · commit 897bfb5517af · 2024-08-13T11:23:39.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -48,6 +48,23 @@ private class AlamofireTransmittedSink extends CleartextTransmissionSink {
   }
 }
 
+/**
+ * A `URL` that is a sink for this query. Not all URLs are considered sinks, depending
+ * on their content.
+ */
+private class URLTransmittedSink extends CleartextTransmissionSink {
+  URLTransmittedSink() {
+    // sinks are the first argument containing the URL, and the `parameters`
+    // and `headers` arguments to appropriate methods of `Session`.
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(Method)
+          .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+}
+
 /**
  * A barrier for cleartext transmission vulnerabilities.
  *  - encryption; encrypted values are not cleartext.
@@ -81,12 +98,6 @@ private class DefaultCleartextTransmissionSink extends CleartextTransmissionSink
 private class TransmissionSinks extends SinkModelCsv {
   override predicate row(string row) {
     row =
-      [
-        ";NWConnection;true;send(content:contentContext:isComplete:completion:);;;Argument[0];transmission",
-        // an `Expr` that is used to form a `URL` is very likely to be transmitted over a network, because
-        // that's what URLs are for.
-        ";URL;true;init(string:);;;Argument[0];transmission",
-        ";URL;true;init(string:relativeTo:);;;Argument[0];transmission",
-      ]
+      ";NWConnection;true;send(content:contentContext:isComplete:completion:);;;Argument[0];transmission"
   }
 }
