Merge pull request github#12695 from jketema/swift-configsig

Swift: Refactor a number of queries to use `DataFlow::ConfigSig`

Author: jketema

swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql

@@ -14,7 +14,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
-import DataFlow::PathGraph
+import StaticInitializationVectorFlow::PathGraph
 
 /**
  * A static IV is created through either a byte array or string literals.
@@ -56,23 +56,21 @@ class EncryptionInitializationSink extends Expr {
  * A dataflow configuration from the source of a static IV to expressions that use
  * it to initialize a cipher.
  */
-class StaticInitializationVectorConfig extends TaintTracking::Configuration {
-  StaticInitializationVectorConfig() { this = "StaticInitializationVectorConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     node.asExpr() instanceof StaticInitializationVectorSource
   }
 
-  override predicate isSink(DataFlow::Node node) {
-    node.asExpr() instanceof EncryptionInitializationSink
-  }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof EncryptionInitializationSink }
 }
 
+module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
+
 // The query itself
 from
-  StaticInitializationVectorConfig config, DataFlow::PathNode sourceNode,
-  DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+  StaticInitializationVectorFlow::PathNode sourceNode,
+  StaticInitializationVectorFlow::PathNode sinkNode
+where StaticInitializationVectorFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The static value '" + sourceNode.getNode().toString() +
     "' is used as an initialization vector for encryption."

swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql

@@ -14,7 +14,7 @@ import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.FlowSteps
-import DataFlow::PathGraph
+import ConstantPasswordFlow::PathGraph
 
 /**
  * A constant password is created through either a byte array or string literals.
@@ -60,18 +60,16 @@ class ConstantPasswordSink extends Expr {
  * A taint configuration from the source of constants passwords to expressions that use
  * them to initialize password-based encryption keys.
  */
-class ConstantPasswordConfig extends TaintTracking::Configuration {
-  ConstantPasswordConfig() { this = "ConstantPasswordConfig" }
+module ConstantPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSource }
 
-  override predicate isSource(DataFlow::Node node) {
-    node.asExpr() instanceof ConstantPasswordSource
-  }
-
-  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSink }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSink }
 }
 
+module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
+
 // The query itself
-from ConstantPasswordConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+from ConstantPasswordFlow::PathNode sourceNode, ConstantPasswordFlow::PathNode sinkNode
+where ConstantPasswordFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The value '" + sourceNode.getNode().toString() + "' is used as a constant password."

swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql

@@ -13,7 +13,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
-import DataFlow::PathGraph
+import HardcodedKeyFlow::PathGraph
 
 /**
  * An `Expr` that is used to initialize a key.
@@ -62,17 +62,17 @@ class EncryptionKeySink extends Expr {
  * A taint configuration from the key source to expressions that use
  * it to initialize a cipher.
  */
-class HardcodedKeyConfig extends TaintTracking::Configuration {
-  HardcodedKeyConfig() { this = "HardcodedKeyConfig" }
+module HardcodedKeyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof KeySource }
 
-  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof KeySource }
-
-  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof EncryptionKeySink }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof EncryptionKeySink }
 }
 
+module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;
+
 // The query itself
-from HardcodedKeyConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+from HardcodedKeyFlow::PathNode sourceNode, HardcodedKeyFlow::PathNode sinkNode
+where HardcodedKeyFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The key '" + sinkNode.getNode().toString() +
     "' has been initialized with hard-coded values from $@.", sourceNode,

swift/ql/src/queries/Security/CWE-327/ECBEncryption.ql

@@ -13,7 +13,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
-import DataFlow::PathGraph
+import EcbEncryptionFlow::PathGraph
 
 /**
  * An `Expr` that is used to initialize the block mode of a cipher.
@@ -54,22 +54,22 @@ class Blowfish extends BlockMode {
  * A taint configuration from the constructor of ECB mode to expressions that use
  * it to initialize a cipher.
  */
-class EcbEncryptionConfig extends DataFlow::Configuration {
-  EcbEncryptionConfig() { this = "EcbEncryptionConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+module EcbEncryptionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     exists(CallExpr call |
       call.getStaticTarget().(MethodDecl).hasQualifiedName("ECB", "init()") and
       node.asExpr() = call
     )
   }
 
-  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof BlockMode }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof BlockMode }
 }
 
+module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;
+
 // The query itself
-from EcbEncryptionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+from EcbEncryptionFlow::PathNode sourceNode, EcbEncryptionFlow::PathNode sinkNode
+where EcbEncryptionFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The initialization of the cipher '" + sinkNode.getNode().toString() +
     "' uses the insecure ECB block mode from $@.", sourceNode, sourceNode.getNode().toString()

swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql

@@ -15,17 +15,17 @@ import swift
 import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
-import DataFlow::PathGraph
+import WeakHashingFlow::PathGraph
 
-class WeakHashingConfig extends TaintTracking::Configuration {
-  WeakHashingConfig() { this = "WeakHashingConfig" }
+module WeakHashingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof WeakHashingConfigImpl::Source }
 
-  override predicate isSource(DataFlow::Node node) { node instanceof WeakHashingConfig::Source }
-
-  override predicate isSink(DataFlow::Node node) { node instanceof WeakHashingConfig::Sink }
+  predicate isSink(DataFlow::Node node) { node instanceof WeakHashingConfigImpl::Sink }
 }
 
-module WeakHashingConfig {
+module WeakHashingFlow = TaintTracking::Global<WeakHashingConfig>;
+
+module WeakHashingConfigImpl {
   class Source extends DataFlow::Node {
     Source() { this.asExpr() instanceof SensitiveExpr }
   }
@@ -52,11 +52,11 @@ module WeakHashingConfig {
 }
 
 from
-  WeakHashingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink, string algorithm,
+  WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm,
   SensitiveExpr expr
 where
-  config.hasFlowPath(source, sink) and
-  algorithm = sink.getNode().(WeakHashingConfig::Sink).getAlgorithm() and
+  WeakHashingFlow::flowPath(source, sink) and
+  algorithm = sink.getNode().(WeakHashingConfigImpl::Sink).getAlgorithm() and
   expr = source.getNode().asExpr()
 select sink.getNode(), source, sink,
   "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),

swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql

@@ -14,26 +14,24 @@ import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.FlowSources
-import DataFlow::PathGraph
+import InsecureTlsFlow::PathGraph
 
 /**
  * A taint config to detect insecure configuration of `NSURLSessionConfiguration`
  */
-class InsecureTlsConfig extends TaintTracking::Configuration {
-  InsecureTlsConfig() { this = "InsecureTLSConfig" }
-
+module InsecureTlsConfig implements DataFlow::ConfigSig {
   /**
    * Holds for enum values that represent an insecure version of TLS
    */
-  override predicate isSource(DataFlow::Node node) {
+  predicate isSource(DataFlow::Node node) {
     node.asExpr().(MethodLookupExpr).getMember().(EnumElementDecl).getName() =
       ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
   }
 
   /**
    * Holds for assignment of TLS-related properties of `NSURLSessionConfiguration`
    */
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(AssignExpr assign |
       assign.getSource() = node.asExpr() and
       assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
@@ -45,6 +43,8 @@ class InsecureTlsConfig extends TaintTracking::Configuration {
   }
 }
 
-from InsecureTlsConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;
+
+from InsecureTlsFlow::PathNode sourceNode, InsecureTlsFlow::PathNode sinkNode
+where InsecureTlsFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode, "This TLS configuration is insecure."

swift/ql/src/queries/Security/CWE-760/ConstantSalt.ql

@@ -14,7 +14,7 @@ import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.FlowSteps
-import DataFlow::PathGraph
+import ConstantSaltFlow::PathGraph
 
 /**
  * A constant salt is created through either a byte array or string literals.
@@ -52,19 +52,19 @@ class ConstantSaltSink extends Expr {
 
 /**
  * A taint configuration from the source of constants salts to expressions that use
- * them to initialize password-based enecryption keys.
+ * them to initialize password-based encryption keys.
  */
-class ConstantSaltConfig extends TaintTracking::Configuration {
-  ConstantSaltConfig() { this = "ConstantSaltConfig" }
+module ConstantSaltConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSource }
 
-  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSource }
-
-  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSink }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSink }
 }
 
+module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;
+
 // The query itself
-from ConstantSaltConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+from ConstantSaltFlow::PathNode sourceNode, ConstantSaltFlow::PathNode sinkNode
+where ConstantSaltFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The value '" + sourceNode.getNode().toString() +
     "' is used as a constant salt, which is insecure for hashing passwords."

swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql

@@ -13,7 +13,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
-import DataFlow::PathGraph
+import InsufficientHashIterationsFlow::PathGraph
 
 /**
  * An `Expr` that is used to initialize a password-based encryption key.
@@ -46,21 +46,19 @@ class InsufficientHashIterationsSink extends Expr {
  * A dataflow configuration from the hash iterations source to expressions that use
  * it to initialize hash functions.
  */
-class InsufficientHashIterationsConfig extends TaintTracking::Configuration {
-  InsufficientHashIterationsConfig() { this = "InsufficientHashIterationsConfig" }
+module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof IterationsSource }
 
-  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof IterationsSource }
-
-  override predicate isSink(DataFlow::Node node) {
-    node.asExpr() instanceof InsufficientHashIterationsSink
-  }
+  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof InsufficientHashIterationsSink }
 }
 
+module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;
+
 // The query itself
 from
-  InsufficientHashIterationsConfig config, DataFlow::PathNode sourceNode,
-  DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+  InsufficientHashIterationsFlow::PathNode sourceNode,
+  InsufficientHashIterationsFlow::PathNode sinkNode
+where InsufficientHashIterationsFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "The value '" + sourceNode.getNode().toString() +
     "' is an insufficient number of iterations for secure password hashing."