Fix issue in JsExportedSource

atorralba · atorralba · commit b62ede1544c3 · 2022-10-31T12:08:03.000+01:00
Model the source as an access to the tainted field, instead of the field itself (which didn't work)
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll
@@ -125,7 +125,7 @@ private class JsExportedSource extends RemoteFlowSource {
       base.getEnclosingDecl() instanceof JsExportedProto and
       adopter.getEnclosingDecl() instanceof JsExportedType
     |
-      this.asDefinition().getSourceVariable() = adopter and adopter.getName() = base.getName()
+      this.asExpr().(MemberRefExpr).getMember() = adopter and adopter.getName() = base.getName()
     )
   }
 
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected b/swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected
@@ -11,6 +11,7 @@
 | webview.swift:20:82:20:102 | message | external |
 | webview.swift:25:5:25:13 | .globalObject | external |
 | webview.swift:26:5:26:39 | call to objectForKeyedSubscript(_:) | external |
-| webview.swift:38:10:38:10 | self | Member of a type exposed through JSExport |
-| webview.swift:38:18:38:24 | arg1 | Member of a type exposed through JSExport |
-| webview.swift:38:29:38:35 | arg2 | Member of a type exposed through JSExport |
+| webview.swift:39:9:39:9 | .tainted | Member of a type exposed through JSExport |
+| webview.swift:43:10:43:10 | self | Member of a type exposed through JSExport |
+| webview.swift:43:18:43:24 | arg1 | Member of a type exposed through JSExport |
+| webview.swift:43:29:43:35 | arg2 | Member of a type exposed through JSExport |
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/webview.swift b/swift/ql/test/library-tests/dataflow/flowsources/webview.swift
@@ -31,10 +31,15 @@ protocol Exported : JSExport {
     func tainted(arg1: Any, arg2: Any)
 }
 class ExportedImpl : Exported {
-    var tainted: Any { get { return "" } } // SOURCE
+    var tainted: Any { get { return "" } }
 
     var notTainted: Any { get { return ""} }
 
+    func readFields() {
+        tainted // SOURCE
+        notTainted
+    }
+
     func tainted(arg1: Any, arg2: Any) { // SOURCES
     }
 

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ private class JsExportedSource extends RemoteFlowSource {`
`125`	`125`	`base.getEnclosingDecl() instanceof JsExportedProto and`
`126`	`126`	`adopter.getEnclosingDecl() instanceof JsExportedType`
`127`	`127`	`\|`
`128`		`- this.asDefinition().getSourceVariable() = adopter and adopter.getName() = base.getName()`
	`128`	`+ this.asExpr().(MemberRefExpr).getMember() = adopter and adopter.getName() = base.getName()`
`129`	`129`	`)`
`130`	`130`	`}`
`131`	`131`
Original file line number	Diff line number	Diff line change
`@@ -31,10 +31,15 @@ protocol Exported : JSExport {`
`31`	`31`	`func tainted(arg1: Any, arg2: Any)`
`32`	`32`	`}`
`33`	`33`	`class ExportedImpl : Exported {`
`34`		`- var tainted: Any { get { return "" } } // SOURCE`
	`34`	`+ var tainted: Any { get { return "" } }`
`35`	`35`
`36`	`36`	`var notTainted: Any { get { return ""} }`
`37`	`37`
	`38`	`+ func readFields() {`
	`39`	`+ tainted // SOURCE`
	`40`	`+ notTainted`
	`41`	`+ }`
	`42`	`+`
`38`	`43`	`func tainted(arg1: Any, arg2: Any) { // SOURCES`
`39`	`44`	`}`
`40`	`45`