Swift: Turn sink models into flow summary models, where appropriate.

Author: geoffw0

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Stream.qll

@@ -6,14 +6,19 @@ import swift
 private import codeql.swift.dataflow.ExternalFlow
 
 /**
- * A model for members of `TextOutputStream` and similar classes that permit taint flow.
+ * A model for members of `TextOutputStream` and similar classes and methods that permit taint flow.
  */
 private class StringSummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
         ";TextOutputStream;true;write(_:);;;Argument[0];Argument[-1];taint",
         ";TextOutputStreamable;true;write(to:);;;Argument[-1];Argument[0];taint",
+        ";;false;print(_:separator:terminator:to:);;;Argument[0].CollectionElement;Argument[3];taint",
+        ";;false;print(_:separator:terminator:to:);;;Argument[1..2];Argument[3];taint",
+        ";;false;debugPrint(_:separator:terminator:to:);;;Argument[0].CollectionElement;Argument[3];taint",
+        ";;false;debugPrint(_:separator:terminator:to:);;;Argument[1..2];Argument[3];taint",
+        ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[0,2];Argument[1];taint",
       ]
   }
 }

swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll

@@ -99,12 +99,8 @@ private class LoggingSinks extends SinkModelCsv {
       [
         ";;false;print(_:separator:terminator:);;;Argument[0..2];log-injection",
         ";;false;print(_:separator:terminator:toStream:);;;Argument[0..2];log-injection",
-        ";;false;print(_:separator:terminator:to:);;;Argument[0..2];log-injection",
         ";;false;debugPrint(_:separator:terminator:);;;Argument[0..2];log-injection",
-        ";;false;debugPrint(_:separator:terminator:to:);;;Argument[0..2];log-injection",
         ";;false;dump(_:name:indent:maxDepth:maxItems:);;;Argument[0..1];log-injection",
-        ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[0];log-injection",
-        ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[2];log-injection",
         ";;false;assert(_:_:file:line:);;;Argument[1];log-injection",
         ";;false;assertionFailure(_:file:line:);;;Argument[0];log-injection",
         ";;false;precondition(_:_:file:line:);;;Argument[1];log-injection",

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.ql

@@ -3,7 +3,9 @@
  */
 
 import swift
+import FlowConfig
+import TestFlow::PathGraph
 
-from Function f
-where f.getName().matches("os_log%")
-select f, concat(f.getInterfaceType().toString(), ", ")
+from TestFlow::PathNode src, TestFlow::PathNode sink
+where TestFlow::flowPath(src, sink)
+select sink, src, sink, "result"

swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift

@@ -222,23 +222,23 @@ func test4(harmless: String, password: String) {
 	print(harmless, to: &myString1)
 	print(myString1) // safe
 
-	print(password, to: &myString2) // $ SPURIOUS: hasCleartextLogging=225
-	print(myString2) // $ MISSING: hasCleartextLogging=225
+	print(password, to: &myString2)
+	print(myString2) // $ hasCleartextLogging=225
 
-	print("log: " + password, to: &myString3) // $ SPURIOUS: hasCleartextLogging=228
-	print(myString3) // $ MISSING: hasCleartextLogging=228
+	print("log: " + password, to: &myString3)
+	print(myString3) // $ hasCleartextLogging=228
 
 	debugPrint(harmless, to: &myString4)
 	debugPrint(myString4) // safe
 
-	debugPrint(password, to: &myString5) // $ SPURIOUS: hasCleartextLogging=234
-	debugPrint(myString5) // $ MISSING: hasCleartextLogging=234
+	debugPrint(password, to: &myString5)
+	debugPrint(myString5) // $ hasCleartextLogging=234
 
 	dump(harmless, to: &myString6)
 	dump(myString6) // safe
 
-	dump(password, to: &myString7) // $ SPURIOUS: hasCleartextLogging=240
-	dump(myString7) // $ MISSING: hasCleartextLogging=240
+	dump(password, to: &myString7)
+	dump(myString7) // $ hasCleartextLogging=240
 
 	myString8.write(harmless)
 	print(myString8)
@@ -257,9 +257,9 @@ func test4(harmless: String, password: String) {
 	password.write(to: &myString12)
 	print(myString12) // $ hasCleartextLogging=257
 
-	print(password, to: &myString13) // $ SPURIOUS: hasCleartextLogging=260
-    debugPrint(password, to: &myString13) // $ SPURIOUS: hasCleartextLogging=261
-	dump(password, to: &myString13) // $ SPURIOUS: hasCleartextLogging=262
+	print(password, to: &myString13) // $ safe - only printed to another string
+    debugPrint(password, to: &myString13) // $ safe - only printed to another string
+	dump(password, to: &myString13) // $ safe - only printed to another string
 	myString13.write(password) // safe - only printed to another string
 	password.write(to: &myString13) // safe - only printed to another string
 }