Merge pull request github#11424 from geoffw0/alamofire3

Swift: Alamofire taint sources

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -86,6 +86,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
   private import codeql.swift.frameworks.StandardLibrary.WebView
+  private import codeql.swift.frameworks.Alamofire.Alamofire
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/Alamofire/Alamofire.qll

@@ -0,0 +1,22 @@
+/**
+ * Models for the Alamofire networking library.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
+
+private class StringSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // `DataResponse.data`, `.value`, `.result`
+        ";DataResponse;true;data;;;;remote", ";DataResponse;true;value;;;;remote",
+        ";DataResponse;true;result;;;;remote",
+        // `DownloadResponse.data`, `.value`, `.result`
+        ";DownloadResponse;true;data;;;;remote", ";DownloadResponse;true;value;;;;remote",
+        ";DownloadResponse;true;result;;;;remote",
+      ]
+  }
+}

swift/ql/test/library-tests/dataflow/flowsources/FlowSources.expected

@@ -1,10 +1,35 @@
+| alamofire.swift:91:27:91:27 | .result | external |
+| alamofire.swift:99:27:99:27 | .result | external |
+| alamofire.swift:344:23:344:32 | .data | external |
+| alamofire.swift:351:22:351:31 | .value | external |
+| alamofire.swift:358:23:358:32 | .value | external |
+| alamofire.swift:365:22:365:31 | .value | external |
+| alamofire.swift:372:23:372:32 | .value | external |
+| alamofire.swift:379:28:379:37 | .value | external |
+| alamofire.swift:389:28:389:28 | call to init(contentsOfFile:) | external |
+| alamofire.swift:389:28:389:55 | call to init(contentsOfFile:) | external |
+| alamofire.swift:396:22:396:31 | .value | external |
+| alamofire.swift:403:22:403:31 | .value | external |
+| alamofire.swift:404:28:404:28 | call to init(contentsOf:) | external |
+| alamofire.swift:404:28:404:50 | call to init(contentsOf:) | external |
+| alamofire.swift:411:23:411:32 | .value | external |
+| alamofire.swift:418:22:418:31 | .value | external |
+| alamofire.swift:425:23:425:32 | .value | external |
+| alamofire.swift:431:28:431:37 | .value | external |
+| alamofire.swift:448:20:448:20 | call to init(contentsOfFile:) | external |
+| alamofire.swift:448:20:448:49 | call to init(contentsOfFile:) | external |
+| alamofire.swift:455:23:455:32 | .data | external |
+| alamofire.swift:461:23:461:32 | .data | external |
 | customurlschemes.swift:30:44:30:54 | url | external |
 | customurlschemes.swift:34:52:34:68 | url | external |
 | customurlschemes.swift:38:52:38:62 | url | external |
 | customurlschemes.swift:43:9:43:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
 | customurlschemes.swift:48:9:48:28 | ...[...] | Remote URL in UIApplicationDelegate.application.launchOptions |
 | data.swift:18:20:18:20 | call to init(contentsOf:options:) | external |
 | data.swift:18:20:18:54 | call to init(contentsOf:options:) | external |
+| file://:0:0:0:0 | .data | external |
+| file://:0:0:0:0 | .result | external |
+| file://:0:0:0:0 | .result | external |
 | file://:0:0:0:0 | .source1 | external |
 | file://:0:0:0:0 | .source1 | external |
 | file://:0:0:0:0 | .source4 | external |