Merge pull request github#13756 from geoffw0/sources2

Swift: CustomUrlSchemes test enhancements and minor model improvement

Author: geoffw0

swift/ql/lib/change-notes/2023-07-17-nsuseractivity-referrer-url.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added taint flow for `NSUserActivity.referrerURL`.

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/CustomUrlSchemes.qll

@@ -83,7 +83,7 @@ private class UserActivityUrlInheritTaint extends TaintInheritingContent,
 {
   UserActivityUrlInheritTaint() {
     this.getField().getEnclosingDecl().asNominalTypeDecl().getName() = "NSUserActivity" and
-    this.getField().getName() = "webpageURL"
+    this.getField().getName() = ["webpageURL", "referrerURL"]
   }
 }
 

swift/ql/test/library-tests/dataflow/flowsources/CONSISTENCY/CfgConsistency.expected

@@ -0,0 +1,3 @@
+deadEnd
+| customurlschemes.swift:94:59:94:76 | options |
+| customurlschemes.swift:133:59:133:76 | options |

swift/ql/test/library-tests/dataflow/flowsources/FlowSourcesInline.ql

@@ -1,6 +1,21 @@
 import swift
 import TestUtilities.InlineExpectationsTest
 import FlowConfig
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.DataFlow
+
+module TestConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CallExpr sinkCall |
+      sinkCall.getStaticTarget().getName().matches("sink%") and
+      sinkCall.getAnArgument().getExpr() = sink.asExpr()
+    )
+  }
+}
+
+module TestFlow = TaintTracking::Global<TestConfiguration>;
 
 string describe(FlowSource source) {
   source instanceof RemoteFlowSource and result = "remote"
@@ -9,7 +24,7 @@ string describe(FlowSource source) {
 }
 
 module FlowSourcesTest implements TestSig {
-  string getARelevantTag() { result = "source" }
+  string getARelevantTag() { result = ["source", "tainted"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(FlowSource source |
@@ -19,6 +34,16 @@ module FlowSourcesTest implements TestSig {
       tag = "source" and
       value = describe(source)
     )
+    or
+    exists(DataFlow::Node sink |
+      // this is not really what the "flowsources" test is about, but sometimes it's helpful to
+      // have sinks and confirm that taint reaches obvious points in the flow source test code.
+      TestFlow::flowTo(sink) and
+      location = sink.getLocation() and
+      element = sink.toString() and
+      tag = "tainted" and
+      value = ""
+    )
   }
 }
 

swift/ql/test/library-tests/dataflow/flowsources/customurlschemes.swift

@@ -26,19 +26,33 @@ protocol UIApplicationDelegate {
 }
 
 class UIScene {
-    class ConnectionOptions {}
+    class ConnectionOptions {
+        var userActivities: Set<NSUserActivity> { get { return Set() } }
+        var urlContexts: Set<UIOpenURLContext> { get { return Set() } }
+    }
 }
 
 class UISceneSession {}
 
-class NSUserActivity {}
+class NSUserActivity: Hashable {
+    static func == (lhs: NSUserActivity, rhs: NSUserActivity) -> Bool {
+        return true;
+    }
+
+    func hash(into hasher: inout Hasher) {}
+
+    var webpageURL: URL? { get { return nil } set { } }
+    var referrerURL: URL? { get { return nil } set { } }
+}
 
 class UIOpenURLContext: Hashable {
     static func == (lhs: UIOpenURLContext, rhs: UIOpenURLContext) -> Bool {
         return true;
     }
 
     func hash(into hasher: inout Hasher) {}
+
+    var url: URL { get { return URL() } }
 }
 
 protocol UISceneDelegate {
@@ -48,6 +62,8 @@ protocol UISceneDelegate {
     func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>)
 }
 
+func sink(arg: Any) {}
+
 // --- tests ---
 
 class AppDelegate: UIApplicationDelegate {
@@ -64,28 +80,88 @@ class AppDelegate: UIApplicationDelegate {
     }
 
     func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
-        launchOptions?[.url] // $ source=remote
+        _ = launchOptions?[.url] // $ source=remote
         return true
     }
 
     func application(_ application: UIApplication, willFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey : Any]?) -> Bool {
-        launchOptions?[.url] // $ source=remote
+        _ = launchOptions?[.url] // $ source=remote
         return true
     }
 }
 
 class SceneDelegate : UISceneDelegate {
-    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // $ source=remote
-    func scene(_: UIScene, continue: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, didUpdate: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // $ source=remote
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
+      for userActivity in options.userActivities {
+        let x = userActivity.webpageURL
+        sink(arg: x) // $ MISSING: tainted
+        let y = userActivity.referrerURL
+        sink(arg: y) // $ MISSING: tainted
+      }
+
+      for urlContext in options.urlContexts {
+        let z = urlContext.url
+        sink(arg: z) // $ MISSING: tainted
+      }
+    }
+
+    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
+      let x = `continue`.webpageURL
+      sink(arg: x) // $ tainted
+      let y = `continue`.referrerURL
+      sink(arg: y) // $ tainted
+    }
+
+    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
+      let x = didUpdate.webpageURL
+      sink(arg: x) // $ tainted
+      let y = didUpdate.referrerURL
+      sink(arg: y) // $ tainted
+    }
+
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
+      for openURLContext in openURLContexts {
+        let x = openURLContext.url
+        sink(arg: x) // $ MISSING: tainted
+      }
+    }
 }
 
 class Extended {}
 
 extension Extended : UISceneDelegate {
-    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) {} // $ source=remote
-    func scene(_: UIScene, continue: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, didUpdate: NSUserActivity) {} // $ source=remote
-    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) {} // $ source=remote
+    func scene(_: UIScene, willConnectTo: UISceneSession, options: UIScene.ConnectionOptions) { // $ source=remote
+      for userActivity in options.userActivities {
+        let x = userActivity.webpageURL
+        sink(arg: x) // $ MISSING: tainted
+        let y = userActivity.referrerURL
+        sink(arg: y) // $ MISSING: tainted
+      }
+
+      for urlContext in options.urlContexts {
+        let z = urlContext.url
+        sink(arg: z) // $ MISSING: tainted
+      }
+    }
+
+    func scene(_: UIScene, continue: NSUserActivity) { // $ source=remote
+      let x = `continue`.webpageURL
+      sink(arg: x) // $ tainted
+      let y = `continue`.referrerURL
+      sink(arg: y) // $ tainted
+    }
+
+    func scene(_: UIScene, didUpdate: NSUserActivity) { // $ source=remote
+      let x = didUpdate.webpageURL
+      sink(arg: x) // $ tainted
+      let y = didUpdate.referrerURL
+      sink(arg: y) // $ tainted
+    }
+
+    func scene(_: UIScene, openURLContexts: Set<UIOpenURLContext>) { // $ source=remote
+      for openURLContext in openURLContexts {
+        let x = openURLContext.url
+        sink(arg: x) // $ MISSING: tainted
+      }
+    }
 }