Merge pull request github#11027 from atorralba/atorralba/swift/webview-js-native-bridge-sources

Swift: WebView JS-native bridge sources

Author: atorralba

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -82,6 +82,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
+  private import codeql.swift.frameworks.StandardLibrary.WebView
 }
 
 /**

swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll

@@ -574,6 +574,14 @@ private module PostUpdateNodes {
 
     override DataFlowCallable getEnclosingCallable() { result = TDataFlowFunc(n.getScope()) }
   }
+
+  class SummaryPostUpdateNode extends SummaryNode, PostUpdateNodeImpl {
+    SummaryPostUpdateNode() { FlowSummaryImpl::Private::summaryPostUpdateNode(this, _) }
+
+    override Node getPreUpdateNode() {
+      FlowSummaryImpl::Private::summaryPostUpdateNode(this, result)
+    }
+  }
 }
 
 private import PostUpdateNodes

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll

@@ -0,0 +1,133 @@
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for WKScriptMessage sources. Classes implementing the `WKScriptMessageHandler` protocol
+ * act as a bridge between JavaScript and native code. The messages sent from JavaScript code are
+ * stored in the `message` parameter of `userContentController`.
+ */
+private class WKScriptMessageSources extends SourceModelCsv {
+  override predicate row(string row) {
+    row = ";WKScriptMessageHandler;true;userContentController(_:didReceive:);;;Parameter[1];remote"
+  }
+}
+
+/** The class `WKScriptMessage`. */
+private class WKScriptMessageDecl extends ClassDecl {
+  WKScriptMessageDecl() { this.getName() = "WKScriptMessage" }
+}
+
+/**
+ * A content implying that, if a `WKScriptMessage` is tainted, its `body` field is tainted.
+ */
+private class WKScriptMessageBodyInheritsTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  WKScriptMessageBodyInheritsTaint() {
+    exists(FieldDecl f | this.getField() = f |
+      f.getEnclosingDecl() instanceof WKScriptMessageDecl and
+      f.getName() = "body"
+    )
+  }
+}
+
+/**
+ * A model for `JSContext` sources. `JSContext` acts as a bridge between JavaScript and
+ * native code, so any object obtained from it has the potential of being tainted by a malicious
+ * website visited in the WebView.
+ */
+private class JsContextSources extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";JSContext;true;globalObject;;;;remote",
+        ";JSContext;true;objectAtIndexedSubscript(_:);;;ReturnValue;remote",
+        ";JSContext;true;objectForKeyedSubscript(_:);;;ReturnValue;remote"
+      ]
+  }
+}
+
+/**
+ * A model for `JSValue` summaries. If a `JSValue` is tainted, any object it is converted into
+ * is also tainted.
+ */
+private class JsValueSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";JSValue;true;init(object:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(bool:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(double:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(int32:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(uInt32:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(point:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(range:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(rect:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;init(size:in:);;;Argument[0];ReturnValue;taint",
+        ";JSValue;true;toObject();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toObjectOf(_:);;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toBool();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toDouble();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toInt32();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toUInt32();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toNumber();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toString();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toDate();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toArray();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toDictionary();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toPoint();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toRange();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toRect();;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;toSize();;;Argument[-1];ReturnValue;taint",
+        // TODO: These models could use content flow to be more precise
+        ";JSValue;true;atIndex(_:);;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;defineProperty(_:descriptor:);;;Argument[1];Argument[-1];taint",
+        ";JSValue;true;forProperty(_:);;;Argument[-1];ReturnValue;taint",
+        ";JSValue;true;setValue(_:at:);;;Argument[0];Argument[-1];taint",
+        ";JSValue;true;setValue(_:forProperty:);;;Argument[0];Argument[-1];taint"
+      ]
+  }
+}
+
+/** The `JSExport` protocol. */
+private class JsExport extends ProtocolDecl {
+  JsExport() { this.getName() = "JSExport" }
+}
+
+/** A protocol inheriting `JSExport`. */
+private class JsExportedProto extends ProtocolDecl {
+  JsExportedProto() { this.getABaseTypeDecl+() instanceof JsExport }
+}
+
+/** A type that adopts a `JSExport`-inherited protocol. */
+private class JsExportedType extends ClassOrStructDecl {
+  JsExportedType() { this.getABaseTypeDecl*() instanceof JsExportedProto }
+}
+
+/**
+ * A flow source that models properties and methods defined in a `JSExport`-inherited protocol
+ * and implemented in a type adopting that protcol. These members are accessible from JavaScript
+ * when the object is assigned to a `JSContext`.
+ */
+private class JsExportedSource extends RemoteFlowSource {
+  JsExportedSource() {
+    exists(MethodDecl adopter, MethodDecl base |
+      base.getEnclosingDecl() instanceof JsExportedProto and
+      adopter.getEnclosingDecl() instanceof JsExportedType
+    |
+      this.(DataFlow::ParameterNode).getParameter().getDeclaringFunction() = adopter and
+      adopter.getName() = base.getName()
+    )
+    or
+    exists(FieldDecl adopter, FieldDecl base |
+      base.getEnclosingDecl() instanceof JsExportedProto and
+      adopter.getEnclosingDecl() instanceof JsExportedType
+    |
+      this.asExpr().(MemberRefExpr).getMember() = adopter and adopter.getName() = base.getName()
+    )
+  }
+
+  override string getSourceType() { result = "Member of a type exposed through JSExport" }
+}

swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected

@@ -8,3 +8,10 @@
 | url.swift:53:15:53:19 | .resourceBytes | external |
 | url.swift:60:15:60:19 | .lines | external |
 | url.swift:67:16:67:22 | .lines | external |
+| webview.swift:20:82:20:102 | message | external |
+| webview.swift:25:5:25:13 | .globalObject | external |
+| webview.swift:26:5:26:39 | call to objectForKeyedSubscript(_:) | external |
+| webview.swift:39:9:39:9 | .tainted | Member of a type exposed through JSExport |
+| webview.swift:43:10:43:10 | self | Member of a type exposed through JSExport |
+| webview.swift:43:18:43:24 | arg1 | Member of a type exposed through JSExport |
+| webview.swift:43:29:43:35 | arg2 | Member of a type exposed through JSExport |

swift/ql/test/library-tests/dataflow/flowsources/webview.swift

@@ -0,0 +1,48 @@
+
+// --- stubs ---
+class WKUserContentController {}
+class WKScriptMessage {}
+protocol WKScriptMessageHandler {
+    func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage)
+}
+protocol NSCopying {}
+protocol NSObjectProtocol {}
+class JSValue {}
+class JSContext {
+    var globalObject: JSValue { get { return JSValue() } }
+    func objectForKeyedSubscript(_: Any!) -> JSValue! { return JSValue() } 
+    func setObject(_: Any, forKeyedSubscript: (NSCopying & NSObjectProtocol) ) {}
+}
+protocol JSExport {}
+
+// --- tests ---
+class TestMessageHandler: WKScriptMessageHandler {
+    func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage) { // SOURCE
+    }
+}
+
+func testJsContext(context: JSContext) {
+    context.globalObject // SOURCE
+    context.objectForKeyedSubscript("") // SOURCE
+}
+
+protocol Exported : JSExport {
+    var tainted: Any { get }
+    func tainted(arg1: Any, arg2: Any)
+}
+class ExportedImpl : Exported {
+    var tainted: Any { get { return "" } }
+
+    var notTainted: Any { get { return ""} }
+
+    func readFields() {
+        tainted // SOURCE
+        notTainted
+    }
+
+    func tainted(arg1: Any, arg2: Any) { // SOURCES
+    }
+
+    func notTainted(arg1: Any, arg2: Any) {
+    }
+} 

swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected

@@ -161,3 +161,4 @@
 | url.swift:100:12:100:54 | ...! | url.swift:100:12:100:56 | .standardizedFileURL |
 | url.swift:101:15:101:57 | ...! | url.swift:101:15:101:59 | .user |
 | url.swift:102:15:102:57 | ...! | url.swift:102:15:102:59 | .password |
+| webview.swift:52:11:52:18 | call to source() | webview.swift:52:10:52:41 | .body |