Swift: add basic Alamofire taint source model.

geoffw0 · geoffw0 · commit 37cdef7ab1fb · 2022-11-25T00:14:23.000Z
diff --git a/swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll b/swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll
@@ -86,6 +86,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
   private import codeql.swift.frameworks.StandardLibrary.WebView
+  private import codeql.swift.frameworks.Alamofire.Alamofire
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/frameworks/Alamofire/Alamofire.qll b/swift/ql/lib/codeql/swift/frameworks/Alamofire/Alamofire.qll
@@ -0,0 +1,39 @@
+/**
+ * Models for the Alamofire networking library.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
+
+/**
+ * An Alamofire response handler type.
+ */
+private class AlamofireResponseType extends NominalTypeDecl {
+  AlamofireResponseType() {
+    this.getFullName() = ["DataResponse", "DownloadResponse"] or
+    this.getABaseTypeDecl() instanceof AlamofireResponseType
+  }
+
+  /**
+   * A response handler field that contains remote data.
+   */
+  FieldDecl getADataField() {
+    result = this.getAMember() and
+    result.getName() = ["data", "value", "result"]
+  }
+}
+
+/**
+ * A remote flow source that is an access to a remote data from an Alamofire response handler.
+ */
+private class AlamofireResponseSource extends RemoteFlowSource {
+  AlamofireResponseSource() {
+    exists(AlamofireResponseType responseType |
+      this.asExpr().(MemberRefExpr).getMember() = responseType.getADataField()
+    )
+  }
+
+  override string getSourceType() { result = "Data from an Alamofire response" }
+}
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected b/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected
@@ -1,16 +1,35 @@
+| alamofire.swift:91:27:91:27 | .result | Data from an Alamofire response |
+| alamofire.swift:99:27:99:27 | .result | Data from an Alamofire response |
+| alamofire.swift:342:23:342:32 | .data | Data from an Alamofire response |
+| alamofire.swift:349:22:349:31 | .value | Data from an Alamofire response |
+| alamofire.swift:356:23:356:32 | .value | Data from an Alamofire response |
+| alamofire.swift:363:22:363:31 | .value | Data from an Alamofire response |
+| alamofire.swift:370:23:370:32 | .value | Data from an Alamofire response |
+| alamofire.swift:377:28:377:37 | .value | Data from an Alamofire response |
 | alamofire.swift:387:28:387:28 | call to init(contentsOfFile:) | external |
 | alamofire.swift:387:28:387:55 | call to init(contentsOfFile:) | external |
+| alamofire.swift:394:22:394:31 | .value | Data from an Alamofire response |
+| alamofire.swift:401:22:401:31 | .value | Data from an Alamofire response |
 | alamofire.swift:402:28:402:28 | call to init(contentsOf:) | external |
 | alamofire.swift:402:28:402:50 | call to init(contentsOf:) | external |
+| alamofire.swift:409:23:409:32 | .value | Data from an Alamofire response |
+| alamofire.swift:416:22:416:31 | .value | Data from an Alamofire response |
+| alamofire.swift:423:23:423:32 | .value | Data from an Alamofire response |
+| alamofire.swift:429:28:429:37 | .value | Data from an Alamofire response |
 | alamofire.swift:446:20:446:20 | call to init(contentsOfFile:) | external |
 | alamofire.swift:446:20:446:49 | call to init(contentsOfFile:) | external |
+| alamofire.swift:453:23:453:32 | .data | Data from an Alamofire response |
+| alamofire.swift:459:23:459:32 | .data | Data from an Alamofire response |
 | customurlschemes.swift:30:44:30:54 | url | external |
 | customurlschemes.swift:34:52:34:68 | url | external |
 | customurlschemes.swift:38:52:38:62 | url | external |
 | customurlschemes.swift:43:9:43:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
 | customurlschemes.swift:48:9:48:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
 | data.swift:18:20:18:20 | call to init(contentsOf:options:) | external |
 | data.swift:18:20:18:54 | call to init(contentsOf:options:) | external |
+| file://:0:0:0:0 | .data | Data from an Alamofire response |
+| file://:0:0:0:0 | .result | Data from an Alamofire response |
+| file://:0:0:0:0 | .result | Data from an Alamofire response |
 | nsdata.swift:18:17:18:17 | call to init(contentsOf:) | external |
 | nsdata.swift:18:17:18:40 | call to init(contentsOf:) | external |
 | nsdata.swift:19:17:19:17 | call to init(contentsOf:options:) | external |
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/alamofire.swift b/swift/ql/test/library-tests/dataflow/flowsources/alamofire.swift
@@ -88,15 +88,15 @@ struct DataResponse<Success, Failure: Error> {
 
     let result: Result<Success, Failure>
 
-    var value: Success? { result.success }
+    var value: Success? { result.success } // SOURCE
 }
 
 struct DownloadResponse<Success, Failure: Error> {
     let fileURL: URL?
 
     let result: Result<Success, Failure>
 
-    var value: Success? { result.success }
+    var value: Success? { result.success } // SOURCE
 }
 
 typealias AFDataResponse<Success> = DataResponse<Success, AFError>
@@ -339,42 +339,42 @@ func testAlamofire() {
 
     AF.request("http://example.com/").response {
         response in
-        if let data = response.data { // SOURCE [NOT DETECTED]
+        if let data = response.data { // SOURCE
             // ...
         }
     }
 
     AF.request("http://example.com/").response(responseSerializer: MySerializer()) {
         response in
-        if let obj = response.value { // SOURCE [NOT DETECTED]
+        if let obj = response.value { // SOURCE
             // ...
         }
     }
 
     AF.request("http://example.com/").responseData {
         response in
-        if let data = response.value { // SOURCE [NOT DETECTED]
+        if let data = response.value { // SOURCE
             // ...
         }
     }
 
     AF.request("http://example.com/").responseString {
         response in
-        if let str = response.value { // SOURCE [NOT DETECTED]
+        if let str = response.value { // SOURCE
             // ...
         }
     }
 
     AF.request("http://example.com/").responseJSON {
         response in
-        if let json = response.value { // SOURCE [NOT DETECTED]
+        if let json = response.value { // SOURCE
             // ...
         }
     }
 
     AF.request("http://example.com/").responseDecodable(of: MyDecodable.self) {
         response in
-        if let decodable = response.value { // SOURCE [NOT DETECTED]
+        if let decodable = response.value { // SOURCE
             // ...
         }
     }
@@ -391,42 +391,42 @@ func testAlamofire() {
 
     AF.download("http://example.com/").response(responseSerializer: MySerializer()) {
         response in
-        if let obj = response.value { // SOURCE [NOT DETECTED]
+        if let obj = response.value { // SOURCE
             // ...
         }
     }
 
     AF.download("http://example.com/").responseURL {
         response in
-        if let url = response.value {
+        if let url = response.value { // just the URL [FALSE POSITIVE]
             let str = try? String(contentsOf: url) // SOURCE
             // ...
         }
     }
 
     AF.download("http://example.com/").responseData {
         response in
-        if let data = response.value { // SOURCE [NOT DETECTED]
+        if let data = response.value { // SOURCE
             // ...
         }
     }
 
     AF.download("http://example.com/").responseString {
         response in
-        if let str = response.value { // SOURCE [NOT DETECTED]
+        if let str = response.value { // SOURCE
             // ...
         }
     }
 
     AF.download("http://example.com/").responseJSON {
         response in
-        if let json = response.value { // SOURCE [NOT DETECTED]
+        if let json = response.value { // SOURCE
         }
     }
 
     AF.download("http://example.com/").responseDecodable(of: MyDecodable.self) {
         response in
-        if let decodable = response.value { // SOURCE [NOT DETECTED]
+        if let decodable = response.value { // SOURCE
             // ...
         }
     }
@@ -450,13 +450,13 @@ func testAlamofire() {
 
     AF.request("http://example.com/").response {
         response in
-        if let data = response.data { // SOURCE [NOT DETECTED]
+        if let data = response.data { // SOURCE
             // ...
         }
     }
     .response {
         response in
-        if let data = response.data { // SOURCE [NOT DETECTED]
+        if let data = response.data { // SOURCE
             // ...
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ private module Frameworks {`
`86`	`86`	`private import codeql.swift.frameworks.StandardLibrary.Url`
`87`	`87`	`private import codeql.swift.frameworks.StandardLibrary.UrlSession`
`88`	`88`	`private import codeql.swift.frameworks.StandardLibrary.WebView`
	`89`	`+ private import codeql.swift.frameworks.Alamofire.Alamofire`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -88,15 +88,15 @@ struct DataResponse<Success, Failure: Error> {`
`88`	`88`
`89`	`89`	`let result: Result<Success, Failure>`
`90`	`90`
`91`		`- var value: Success? { result.success }`
	`91`	`+ var value: Success? { result.success } // SOURCE`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`struct DownloadResponse<Success, Failure: Error> {`
`95`	`95`	`let fileURL: URL?`
`96`	`96`
`97`	`97`	`let result: Result<Success, Failure>`
`98`	`98`
`99`		`- var value: Success? { result.success }`
	`99`	`+ var value: Success? { result.success } // SOURCE`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`typealias AFDataResponse<Success> = DataResponse<Success, AFError>`
`@@ -339,42 +339,42 @@ func testAlamofire() {`
`339`	`339`
`340`	`340`	`AF.request("http://example.com/").response {`
`341`	`341`	`response in`
`342`		`- if let data = response.data { // SOURCE [NOT DETECTED]`
	`342`	`+ if let data = response.data { // SOURCE`
`343`	`343`	`// ...`
`344`	`344`	`}`
`345`	`345`	`}`
`346`	`346`
`347`	`347`	`AF.request("http://example.com/").response(responseSerializer: MySerializer()) {`
`348`	`348`	`response in`
`349`		`- if let obj = response.value { // SOURCE [NOT DETECTED]`
	`349`	`+ if let obj = response.value { // SOURCE`
`350`	`350`	`// ...`
`351`	`351`	`}`
`352`	`352`	`}`
`353`	`353`
`354`	`354`	`AF.request("http://example.com/").responseData {`
`355`	`355`	`response in`
`356`		`- if let data = response.value { // SOURCE [NOT DETECTED]`
	`356`	`+ if let data = response.value { // SOURCE`
`357`	`357`	`// ...`
`358`	`358`	`}`
`359`	`359`	`}`
`360`	`360`
`361`	`361`	`AF.request("http://example.com/").responseString {`
`362`	`362`	`response in`
`363`		`- if let str = response.value { // SOURCE [NOT DETECTED]`
	`363`	`+ if let str = response.value { // SOURCE`
`364`	`364`	`// ...`
`365`	`365`	`}`
`366`	`366`	`}`
`367`	`367`
`368`	`368`	`AF.request("http://example.com/").responseJSON {`
`369`	`369`	`response in`
`370`		`- if let json = response.value { // SOURCE [NOT DETECTED]`
	`370`	`+ if let json = response.value { // SOURCE`
`371`	`371`	`// ...`
`372`	`372`	`}`
`373`	`373`	`}`
`374`	`374`
`375`	`375`	`AF.request("http://example.com/").responseDecodable(of: MyDecodable.self) {`
`376`	`376`	`response in`
`377`		`- if let decodable = response.value { // SOURCE [NOT DETECTED]`
	`377`	`+ if let decodable = response.value { // SOURCE`
`378`	`378`	`// ...`
`379`	`379`	`}`
`380`	`380`	`}`
`@@ -391,42 +391,42 @@ func testAlamofire() {`
`391`	`391`
`392`	`392`	`AF.download("http://example.com/").response(responseSerializer: MySerializer()) {`
`393`	`393`	`response in`
`394`		`- if let obj = response.value { // SOURCE [NOT DETECTED]`
	`394`	`+ if let obj = response.value { // SOURCE`
`395`	`395`	`// ...`
`396`	`396`	`}`
`397`	`397`	`}`
`398`	`398`
`399`	`399`	`AF.download("http://example.com/").responseURL {`
`400`	`400`	`response in`
`401`		`- if let url = response.value {`
	`401`	`+ if let url = response.value { // just the URL [FALSE POSITIVE]`
`402`	`402`	`let str = try? String(contentsOf: url) // SOURCE`
`403`	`403`	`// ...`
`404`	`404`	`}`
`405`	`405`	`}`
`406`	`406`
`407`	`407`	`AF.download("http://example.com/").responseData {`
`408`	`408`	`response in`
`409`		`- if let data = response.value { // SOURCE [NOT DETECTED]`
	`409`	`+ if let data = response.value { // SOURCE`
`410`	`410`	`// ...`
`411`	`411`	`}`
`412`	`412`	`}`
`413`	`413`
`414`	`414`	`AF.download("http://example.com/").responseString {`
`415`	`415`	`response in`
`416`		`- if let str = response.value { // SOURCE [NOT DETECTED]`
	`416`	`+ if let str = response.value { // SOURCE`
`417`	`417`	`// ...`
`418`	`418`	`}`
`419`	`419`	`}`
`420`	`420`
`421`	`421`	`AF.download("http://example.com/").responseJSON {`
`422`	`422`	`response in`
`423`		`- if let json = response.value { // SOURCE [NOT DETECTED]`
	`423`	`+ if let json = response.value { // SOURCE`
`424`	`424`	`}`
`425`	`425`	`}`
`426`	`426`
`427`	`427`	`AF.download("http://example.com/").responseDecodable(of: MyDecodable.self) {`
`428`	`428`	`response in`
`429`		`- if let decodable = response.value { // SOURCE [NOT DETECTED]`
	`429`	`+ if let decodable = response.value { // SOURCE`
`430`	`430`	`// ...`
`431`	`431`	`}`
`432`	`432`	`}`
`@@ -450,13 +450,13 @@ func testAlamofire() {`
`450`	`450`
`451`	`451`	`AF.request("http://example.com/").response {`
`452`	`452`	`response in`
`453`		`- if let data = response.data { // SOURCE [NOT DETECTED]`
	`453`	`+ if let data = response.data { // SOURCE`
`454`	`454`	`// ...`
`455`	`455`	`}`
`456`	`456`	`}`
`457`	`457`	`.response {`
`458`	`458`	`response in`
`459`		`- if let data = response.data { // SOURCE [NOT DETECTED]`
	`459`	`+ if let data = response.data { // SOURCE`
`460`	`460`	`// ...`
`461`	`461`	`}`
`462`	`462`	`}`