Swift: allow self./super. sinks in StaticInitializationVector

d10c · d10c · commit 8b0da01e0dd1 · 2022-12-19T17:39:44.000-05:00
Assumption: the extra path is not an issue in practice as the body of
the cryptographic library's init methods are not normally extracted,
only the stubs in this test are.
diff --git a/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql b/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
@@ -38,9 +38,7 @@ class EncryptionInitializationSink extends Expr {
               "AES", "ChaCha20", "Blowfish", "Rabbit", "CBC", "CFB", "GCM", "OCB", "OFB", "PCBC",
               "CCM", "CTR"
             ], fName) and
-      call.getArgumentWithLabel("iv").getExpr() = this and
-      not call.isSelfCall() and
-      not call.isSuperCall()
+      call.getArgumentWithLabel("iv").getExpr() = this
     )
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected b/swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected
@@ -1,4 +1,5 @@
 edges
+| test.swift:53:19:53:34 | iv :  | test.swift:54:17:54:17 | iv |
 | test.swift:85:3:85:3 | this string is constant :  | test.swift:101:17:101:35 | call to getConstantString() :  |
 | test.swift:99:25:99:120 | [...] :  | test.swift:128:33:128:33 | iv |
 | test.swift:99:25:99:120 | [...] :  | test.swift:135:22:135:22 | iv |
@@ -7,6 +8,7 @@ edges
 | test.swift:99:25:99:120 | [...] :  | test.swift:145:22:145:22 | iv |
 | test.swift:99:25:99:120 | [...] :  | test.swift:146:22:146:22 | iv |
 | test.swift:99:25:99:120 | [...] :  | test.swift:147:22:147:22 | iv |
+| test.swift:99:25:99:120 | [...] :  | test.swift:147:22:147:22 | iv :  |
 | test.swift:99:25:99:120 | [...] :  | test.swift:153:22:153:22 | iv |
 | test.swift:99:25:99:120 | [...] :  | test.swift:157:24:157:24 | iv |
 | test.swift:99:25:99:120 | [...] :  | test.swift:161:22:161:22 | iv |
@@ -19,7 +21,10 @@ edges
 | test.swift:101:17:101:35 | call to getConstantString() :  | test.swift:122:41:122:41 | ivString |
 | test.swift:101:17:101:35 | call to getConstantString() :  | test.swift:123:41:123:41 | ivString |
 | test.swift:101:17:101:35 | call to getConstantString() :  | test.swift:130:39:130:39 | ivString |
+| test.swift:147:22:147:22 | iv :  | test.swift:53:19:53:34 | iv :  |
 nodes
+| test.swift:53:19:53:34 | iv :  | semmle.label | iv :  |
+| test.swift:54:17:54:17 | iv | semmle.label | iv |
 | test.swift:85:3:85:3 | this string is constant :  | semmle.label | this string is constant :  |
 | test.swift:99:25:99:120 | [...] :  | semmle.label | [...] :  |
 | test.swift:101:17:101:35 | call to getConstantString() :  | semmle.label | call to getConstantString() :  |
@@ -36,6 +41,7 @@ nodes
 | test.swift:145:22:145:22 | iv | semmle.label | iv |
 | test.swift:146:22:146:22 | iv | semmle.label | iv |
 | test.swift:147:22:147:22 | iv | semmle.label | iv |
+| test.swift:147:22:147:22 | iv :  | semmle.label | iv :  |
 | test.swift:153:22:153:22 | iv | semmle.label | iv |
 | test.swift:157:24:157:24 | iv | semmle.label | iv |
 | test.swift:161:22:161:22 | iv | semmle.label | iv |
@@ -44,6 +50,7 @@ nodes
 | test.swift:168:22:168:22 | iv | semmle.label | iv |
 subpaths
 #select
+| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. |
 | test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant :  | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |
 | test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant :  | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |
 | test.swift:118:41:118:41 | ivString | test.swift:85:3:85:3 | this string is constant :  | test.swift:118:41:118:41 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |
@@ -62,4 +69,4 @@ subpaths
 | test.swift:161:22:161:22 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:161:22:161:22 | iv | The static value '[...]' is used as an initialization vector for encryption. |
 | test.swift:162:22:162:22 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:162:22:162:22 | iv | The static value '[...]' is used as an initialization vector for encryption. |
 | test.swift:167:22:167:22 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:167:22:167:22 | iv | The static value '[...]' is used as an initialization vector for encryption. |
-| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. |
+| test.swift:168:22:168:22 | iv | test.swift:99:25:99:120 | [...] :  | test.swift:168:22:168:22 | iv | The static value '[...]' is used as an initialization vector for encryption. |

Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,7 @@ class EncryptionInitializationSink extends Expr {`
`38`	`38`	`"AES", "ChaCha20", "Blowfish", "Rabbit", "CBC", "CFB", "GCM", "OCB", "OFB", "PCBC",`
`39`	`39`	`"CCM", "CTR"`
`40`	`40`	`], fName) and`
`41`		`- call.getArgumentWithLabel("iv").getExpr() = this and`
`42`		`- not call.isSelfCall() and`
`43`		`- not call.isSuperCall()`
	`41`	`+ call.getArgumentWithLabel("iv").getExpr() = this`
`44`	`42`	`)`
`45`	`43`	`}`
`46`	`44`	`}`