Swift: Split the three sensitive exprs queries into separate QL and QLL files.

Author: geoffw0

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -0,0 +1,112 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext database
+ * storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A `DataFlow::Node` that is something stored in a local database.
+ */
+abstract class Stored extends DataFlow::Node { }
+
+/**
+ * A `DataFlow::Node` that is an expression stored with the Core Data library.
+ */
+class CoreDataStore extends Stored {
+  CoreDataStore() {
+    // values written into Core Data objects through `set*Value` methods are a sink.
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSManagedObject",
+            ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"]) and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+    or
+    // any write into a class derived from `NSManagedObject` is a sink. For
+    // example in `coreDataObj.data = sensitive` the post-update node corresponding
+    // with `coreDataObj.data` is a sink.
+    // (ideally this would be only members with the `@NSManaged` attribute)
+    exists(ClassOrStructDecl cd, Expr e |
+      cd.getABaseTypeDecl*().getName() = "NSManagedObject" and
+      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = cd.getType() and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
+    )
+  }
+}
+
+/**
+ * A `DataFlow::Node` that is an expression stored with the Realm database
+ * library.
+ */
+class RealmStore extends Stored instanceof DataFlow::PostUpdateNode {
+  RealmStore() {
+    // any write into a class derived from `RealmSwiftObject` is a sink. For
+    // example in `realmObj.data = sensitive` the post-update node corresponding
+    // with `realmObj.data` is a sink.
+    exists(ClassOrStructDecl cd, Expr e |
+      cd.getABaseTypeDecl*().getName() = "RealmSwiftObject" and
+      this.getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = cd.getType() and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
+    )
+  }
+}
+
+/**
+ * A `DataFlow::Node` that is an expression stored with the GRDB library.
+ */
+class GrdbStore extends Stored {
+  GrdbStore() {
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgumentWithLabel("arguments").getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName("Database",
+            ["allStatements(sql:arguments:)", "execute(sql:arguments:)",])
+      or
+      method.hasQualifiedName("SQLRequest", "init(sql:arguments:adapter:cached:)")
+      or
+      method.hasQualifiedName("SQL", ["init(sql:arguments:)", "append(sql:arguments:)"])
+      or
+      method.hasQualifiedName("SQLStatementCursor", "init(database:sql:arguments:prepFlags:)")
+      or
+      method
+          .hasQualifiedName("TableRecord",
+            [
+              "select(sql:arguments:)", "select(sql:arguments:as:)", "filter(sql:arguments:)",
+              "order(sql:arguments:)"
+            ])
+      or
+      method
+          .hasQualifiedName(["Row", "DatabaseValueConvertible", "FetchableRecord"],
+            [
+              "fetchCursor(_:sql:arguments:adapter:)", "fetchAll(_:sql:arguments:adapter:)",
+              "fetchSet(_:sql:arguments:adapter:)", "fetchOne(_:sql:arguments:adapter:)"
+            ])
+      or
+      method
+          .hasQualifiedName("FetchableRecord",
+            [
+              "fetchCursor(_:arguments:adapter:)", "fetchAll(_:arguments:adapter:)",
+              "fetchSet(_:arguments:adapter:)", "fetchOne(_:arguments:adapter:)",
+            ])
+      or
+      method.hasQualifiedName("Statement", ["execute(arguments:)"])
+      or
+      method
+          .hasQualifiedName("CommonTableExpression", "init(recursive:named:columns:sql:arguments:)")
+    )
+    or
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(0).getExpr() = this.asExpr()
+    |
+      method.hasQualifiedName("Statement", "setArguments(_:)")
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext
+ * database storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.CleartextStorageDatabaseExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof Stored }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // encryption barrier
+    node.asExpr() instanceof EncryptedExpr
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Needed until we have proper content flow through arrays
+    exists(ArrayExpr arr |
+      node1.asExpr() = arr.getAnElement() and
+      node2.asExpr() = arr
+    )
+  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from fields of an `NSManagedObject` or `RealmSwiftObject` at the sink,
+    // for example in `realmObj.data = sensitive`.
+    isSink(node) and
+    exists(ClassOrStructDecl cd, Decl cx |
+      cd.getABaseTypeDecl*().getName() = ["NSManagedObject", "RealmSwiftObject"] and
+      cx.asNominalTypeDecl() = cd and
+      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+    )
+    or
+    // any default implicit reads
+    super.allowImplicitRead(node, c)
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesExtensions.qll

@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext preferences
+ * storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A `DataFlow::Node` of something that gets stored in an application preference store.
+ */
+abstract class Stored extends DataFlow::Node {
+  abstract string getStoreName();
+}
+
+/** The `DataFlow::Node` of an expression that gets written to the user defaults database */
+class UserDefaultsStore extends Stored {
+  UserDefaultsStore() {
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("UserDefaults", "set(_:forKey:)") and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "the user defaults database" }
+}
+
+/** The `DataFlow::Node` of an expression that gets written to the iCloud-backed NSUbiquitousKeyValueStore */
+class NSUbiquitousKeyValueStore extends Stored {
+  NSUbiquitousKeyValueStore() {
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSUbiquitousKeyValueStore", "set(_:forKey:)") and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "iCloud" }
+}
+
+/**
+ * A more complicated case, this is a macOS-only way of writing to
+ * NSUserDefaults by modifying the `NSUserDefaultsController.values: Any`
+ * object via reflection (`perform(Selector)`) or the `NSKeyValueCoding`,
+ * `NSKeyValueBindingCreation` APIs. (TODO)
+ */
+class NSUserDefaultsControllerStore extends Stored {
+  NSUserDefaultsControllerStore() { none() }
+
+  override string getStoreName() { result = "the user defaults database" }
+}

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext
+ * preferences storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.CleartextStoragePreferencesExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored as preferences.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof Stored }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    this.isSource(node)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // encryption barrier
+    node.asExpr() instanceof EncryptedExpr
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext transmission
+ * vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * An `Expr` that is transmitted over a network.
+ */
+abstract class Transmitted extends Expr { }
+
+/**
+ * An `Expr` that is transmitted with `NWConnection.send`.
+ */
+class NWConnectionSend extends Transmitted {
+  NWConnectionSend() {
+    // `content` arg to `NWConnection.send` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NWConnection", "send(content:contentContext:isComplete:completion:)") and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that is used to form a `URL`. Such expressions are very likely to
+ * be transmitted over a network, because that's what URLs are for.
+ */
+class Url extends Transmitted {
+  Url() {
+    // `string` arg in `URL.init` is a sink
+    // (we assume here that the URL goes on to be used in a network operation)
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that transmitted through the Alamofire library.
+ */
+class AlamofireTransmitted extends Transmitted {
+  AlamofireTransmitted() {
+    // sinks are the first argument containing the URL, and the `parameters`
+    // and `headers` arguments to appropriate methods of `Session`.
+    exists(CallExpr call, string fName |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("Session", fName) and
+      fName.regexpMatch("(request|streamRequest|download)\\(.*") and
+      (
+        call.getArgument(0).getExpr() = this or
+        call.getArgumentWithLabel(["headers", "parameters"]).getExpr() = this
+      )
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext
+ * transmission vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.CleartextTransmissionExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextTransmissionConfig extends TaintTracking::Configuration {
+  CleartextTransmissionConfig() { this = "CleartextTransmissionConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // encryption barrier
+    node.asExpr() instanceof EncryptedExpr
+  }
+}

swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll

@@ -6,7 +6,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
-private import codeql.swift.dataflow.ExternalFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for SQL injection vulnerabilities.