Add a new Custom URL Scheme source

atorralba · atorralba · commit e2c92409735d · 2022-10-19T16:55:14.000+02:00
Also adds a couple of data flow steps to model flow through `?` expressions.
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll
@@ -148,6 +148,11 @@ private module Cached {
     // flow through `!`
     nodeFrom.asExpr() = nodeTo.asExpr().(ForceValueExpr).getSubExpr()
     or
+    // flow through `?`
+    nodeFrom.asExpr() = nodeTo.asExpr().(BindOptionalExpr).getSubExpr()
+    or
+    nodeFrom.asExpr() = nodeTo.asExpr().(OptionalEvaluationExpr).getSubExpr()
+    or
     // flow through a flow summary (extension of `SummaryModelCsv`)
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
   }
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll
@@ -1,13 +1,54 @@
 import swift
+private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
 
 private class UrlRemoteFlowSource extends SourceModelCsv {
   override predicate row(string row) {
     row =
       [
         ";UIApplicationDelegate;true;application(_:open:options:);;;Parameter[1];remote",
         ";UIApplicationDelegate;true;application(_:handleOpen:);;;Parameter[1];remote",
-        ";UIApplicationDelegate;true;application(_:open:sourceApplication:annotation:);;;Parameter[1];remote"
+        ";UIApplicationDelegate;true;application(_:open:sourceApplication:annotation:);;;Parameter[1];remote",
+        // TODO: The actual source is the value of `UIApplication.LaunchOptionsKey.url` in the launchOptions dictionary.
+        //       Use dictionary value contents when available.
+        // ";UIApplicationDelegate;true;application(_:didFinishLaunchingWithOptions:);;;Parameter[1].MapValue;remote",
+        // ";UIApplicationDelegate;true;application(_:willFinishLaunchingWithOptions:);;;Parameter[1].MapValue;remote"
       ]
   }
 }
+
+/**
+ * A read of `UIApplication.LaunchOptionsKey.url` on a dictionary received in
+ * `UIApplicationDelegate.application(_:didFinishLaunchingWithOptions:)` or
+ * `UIApplicationDelegate.application(_:willFinishLaunchingWithOptions:)`.
+ */
+// This is a temporary workaround until the TODO above is addressed.
+private class UrlLaunchOptionsRemoteFlowSource extends RemoteFlowSource {
+  UrlLaunchOptionsRemoteFlowSource() {
+    exists(ApllicationWithLaunchOptionsFunc f, SubscriptExpr e |
+      DataFlow::localExprFlow(f.getParam(1).getAnAccess(), e.getBase()) and
+      e.getAnArgument().getExpr().(MemberRefExpr).getMember() instanceof LaunchOptionsUrlVarDecl and
+      this.asExpr() = e
+    )
+  }
+
+  override string getSourceType() {
+    result = "Remote URL in UIApplicationDelegate.application.launchOptions"
+  }
+}
+
+private class ApllicationWithLaunchOptionsFunc extends FuncDecl {
+  ApllicationWithLaunchOptionsFunc() {
+    this.getName() = "application(_:" + ["did", "will"] + "FinishLaunchingWithOptions:)" and
+    this.getEnclosingDecl().(ClassOrStructDecl).getABaseTypeDecl*().(ProtocolDecl).getName() =
+      "UIApplicationDelegate"
+  }
+}
+
+private class LaunchOptionsUrlVarDecl extends VarDecl {
+  LaunchOptionsUrlVarDecl() {
+    this.getEnclosingDecl().(StructDecl).getName() = "UIApplication.LaunchOptionsKey" and
+    this.getName() = "url"
+  }
+}
diff --git a/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift b/swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift
@@ -1,26 +1,45 @@
 // --- stubs ---
 class UIApplication {
-    struct OpenURLOptionsKey {}
+    struct OpenURLOptionsKey: Hashable {}
+    struct LaunchOptionsKey: Hashable {
+        init(rawValue: String) {}
+        public static let url: UIApplication.LaunchOptionsKey = UIApplication.LaunchOptionsKey(rawValue: "")
+    }
 }
 
 struct URL {}
 
 protocol UIApplicationDelegate {
-    optional func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any]) -> Bool
-    optional func application(_ application: UIApplication, handleOpen url: URL) -> Bool
-    optional func application(_ application: UIApplication, open url: URL, sourceApplication: String?, annotation: Any) -> Bool
+    func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any]) -> Bool
+    func application(_ application: UIApplication, handleOpen url: URL) -> Bool
+    func application(_ application: UIApplication, open url: URL, sourceApplication: String?, annotation: Any) -> Bool
+    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool
+    func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool
 }
 
 // --- tests ---
 
 class AppDelegate: UIApplicationDelegate {
     func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any]) -> Bool { // SOURCE
+        return false
     }
 
     func application(_ application: UIApplication, handleOpen url: URL) -> Bool { // SOURCE
+        return false
     }
 
     func application(_ application: UIApplication, open url: URL, sourceApplication: String?, annotation: Any) -> Bool { // SOURCE
+        return false
+    }
+
+    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
+        launchOptions?[.url] // SOURCE
+        return false
+    }
+
+    func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
+        launchOptions?[.url] // SOURCE
+        return false
     }
 
 }
