Swift: Implementation classes should be private.

geoffw0 · geoffw0 · commit c533334470bb · 2023-02-27T23:01:04.000Z
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll
@@ -32,7 +32,7 @@ class CleartextStorageDatabaseAdditionalTaintStep extends Unit {
 /**
  * A `DataFlow::Node` that is an expression stored with the Core Data library.
  */
-class CoreDataStore extends CleartextStorageDatabaseSink {
+private class CoreDataStore extends CleartextStorageDatabaseSink {
   CoreDataStore() {
     // values written into Core Data objects through `set*Value` methods are a sink.
     exists(CallExpr call |
@@ -60,7 +60,7 @@ class CoreDataStore extends CleartextStorageDatabaseSink {
  * A `DataFlow::Node` that is an expression stored with the Realm database
  * library.
  */
-class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostUpdateNode {
+private class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostUpdateNode {
   RealmStore() {
     // any write into a class derived from `RealmSwiftObject` is a sink. For
     // example in `realmObj.data = sensitive` the post-update node corresponding
@@ -77,7 +77,7 @@ class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostU
 /**
  * A `DataFlow::Node` that is an expression stored with the GRDB library.
  */
-class GrdbStore extends CleartextStorageDatabaseSink {
+private class GrdbStore extends CleartextStorageDatabaseSink {
   GrdbStore() {
     exists(CallExpr call, MethodDecl method |
       call.getStaticTarget() = method and
@@ -132,7 +132,7 @@ class GrdbStore extends CleartextStorageDatabaseSink {
 /**
  * An encryption sanitizer for cleartext database storage vulnerabilities.
  */
-class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
+private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
   CleartextStorageDatabaseEncryptionSanitizer() {
     this.asExpr() instanceof EncryptedExpr
   }
@@ -142,7 +142,7 @@ class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDataba
  * An additional taint step for cleartext database storage vulnerabilities.
  * Needed until we have proper content flow through arrays.
  */
-class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
+private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
   override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(ArrayExpr arr |
       nodeFrom.asExpr() = arr.getAnElement() and
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesExtensions.qll
@@ -33,7 +33,7 @@ class CleartextStoragePreferencesAdditionalTaintStep extends Unit {
 }
 
 /** The `DataFlow::Node` of an expression that gets written to the user defaults database */
-class UserDefaultsStore extends CleartextStoragePreferencesSink {
+private class UserDefaultsStore extends CleartextStoragePreferencesSink {
   UserDefaultsStore() {
     exists(CallExpr call |
       call.getStaticTarget().(MethodDecl).hasQualifiedName("UserDefaults", "set(_:forKey:)") and
@@ -45,7 +45,7 @@ class UserDefaultsStore extends CleartextStoragePreferencesSink {
 }
 
 /** The `DataFlow::Node` of an expression that gets written to the iCloud-backed NSUbiquitousKeyValueStore */
-class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
+private class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
   NSUbiquitousKeyValueStore() {
     exists(CallExpr call |
       call.getStaticTarget()
@@ -64,7 +64,7 @@ class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
  * object via reflection (`perform(Selector)`) or the `NSKeyValueCoding`,
  * `NSKeyValueBindingCreation` APIs. (TODO)
  */
-class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
+private class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
   NSUserDefaultsControllerStore() { none() }
 
   override string getStoreName() { result = "the user defaults database" }
@@ -73,7 +73,7 @@ class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
 /**
  * An encryption sanitizer for cleartext preferences storage vulnerabilities.
  */
-class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer {
+private class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer {
   CleartextStoragePreferencesEncryptionSanitizer() {
     this.asExpr() instanceof EncryptedExpr
   }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -32,8 +32,8 @@ class CleartextTransmissionAdditionalTaintStep extends Unit {
 /**
  * An `Expr` that is transmitted with `NWConnection.send`.
  */
-class NWConnectionSend extends CleartextTransmissionSink {
-  NWConnectionSend() {
+private class NWConnectionSendSink extends CleartextTransmissionSink {
+  NWConnectionSendSink() {
     // `content` arg to `NWConnection.send` is a sink
     exists(CallExpr call |
       call.getStaticTarget()
@@ -48,8 +48,8 @@ class NWConnectionSend extends CleartextTransmissionSink {
  * An `Expr` that is used to form a `URL`. Such expressions are very likely to
  * be transmitted over a network, because that's what URLs are for.
  */
-class Url extends CleartextTransmissionSink {
-  Url() {
+private class UrlSink extends CleartextTransmissionSink {
+  UrlSink() {
     // `string` arg in `URL.init` is a sink
     // (we assume here that the URL goes on to be used in a network operation)
     exists(CallExpr call |
@@ -64,8 +64,8 @@ class Url extends CleartextTransmissionSink {
 /**
  * An `Expr` that transmitted through the Alamofire library.
  */
-class AlamofireTransmitted extends CleartextTransmissionSink {
-  AlamofireTransmitted() {
+private class AlamofireTransmittedSink extends CleartextTransmissionSink {
+  AlamofireTransmittedSink() {
     // sinks are the first argument containing the URL, and the `parameters`
     // and `headers` arguments to appropriate methods of `Session`.
     exists(CallExpr call, string fName |
@@ -82,7 +82,7 @@ class AlamofireTransmitted extends CleartextTransmissionSink {
 /**
  * An encryption sanitizer for cleartext transmission vulnerabilities.
  */
-class CleartextTransmissionEncryptionSanitizer extends CleartextTransmissionSanitizer {
+private class CleartextTransmissionEncryptionSanitizer extends CleartextTransmissionSanitizer {
   CleartextTransmissionEncryptionSanitizer() {
     this.asExpr() instanceof EncryptedExpr
   }
