Merge pull request github#12329 from geoffw0/network

Swift: Modernize the cleartext-* queries

Author: geoffw0

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -93,6 +93,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.WebView
   private import codeql.swift.frameworks.Alamofire.Alamofire
   private import codeql.swift.security.CleartextLoggingExtensions
+  private import codeql.swift.security.CleartextStorageDatabaseExtensions
   private import codeql.swift.security.PathInjectionExtensions
   private import codeql.swift.security.PredicateInjectionExtensions
 }

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -0,0 +1,141 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext database
+ * storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A dataflow sink for cleartext database storage vulnerabilities. That is,
+ * a `DataFlow::Node` that is something stored in a local database.
+ */
+abstract class CleartextStorageDatabaseSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for cleartext database storage vulnerabilities.
+ */
+abstract class CleartextStorageDatabaseSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class CleartextStorageDatabaseAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to cleartext database storage vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A `DataFlow::Node` that is an expression stored with the Core Data library.
+ */
+private class CoreDataStore extends CleartextStorageDatabaseSink {
+  CoreDataStore() {
+    // values written into Core Data objects through `set*Value` methods are a sink.
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSManagedObject",
+            ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"]) and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+    or
+    // any write into a class derived from `NSManagedObject` is a sink. For
+    // example in `coreDataObj.data = sensitive` the post-update node corresponding
+    // with `coreDataObj.data` is a sink.
+    // (ideally this would be only members with the `@NSManaged` attribute)
+    exists(ClassOrStructDecl cd, Expr e |
+      cd.getABaseTypeDecl*().getName() = "NSManagedObject" and
+      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = cd.getType() and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
+    )
+  }
+}
+
+/**
+ * A `DataFlow::Node` that is an expression stored with the Realm database
+ * library.
+ */
+private class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlow::PostUpdateNode {
+  RealmStore() {
+    // any write into a class derived from `RealmSwiftObject` is a sink. For
+    // example in `realmObj.data = sensitive` the post-update node corresponding
+    // with `realmObj.data` is a sink.
+    exists(ClassOrStructDecl cd, Expr e |
+      cd.getABaseTypeDecl*().getName() = "RealmSwiftObject" and
+      this.getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = cd.getType() and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
+    )
+  }
+}
+
+private class CleartextStorageDatabaseSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // GRDB sinks
+        ";Database;true;allStatements(sql:arguments:);;;Argument[1];database-store",
+        ";Database;true;execute(sql:arguments:);;;Argument[1];database-store",
+        ";SQLRequest;true;init(sql:arguments:adapter:cached:);;;Argument[1];database-store",
+        ";SQL;true;init(sql:arguments:);;;Argument[1];database-store",
+        ";SQL;true;append(sql:arguments:);;;Argument[1];database-store",
+        ";SQLStatementCursor;true;init(database:sql:arguments:prepFlags:);;;Argument[2];database-store",
+        ";TableRecord;true;select(sql:arguments:);;;Argument[1];database-store",
+        ";TableRecord;true;select(sql:arguments:as:);;;Argument[1];database-store",
+        ";TableRecord;true;filter(sql:arguments:);;;Argument[1];database-store",
+        ";TableRecord;true;order(sql:arguments:);;;Argument[1];database-store",
+        ";Row;true;fetchCursor(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";Row;true;fetchAll(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";Row;true;fetchSet(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";Row;true;fetchOne(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";DatabaseValueConvertible;true;fetchCursor(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";DatabaseValueConvertible;true;fetchAll(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";DatabaseValueConvertible;true;fetchSet(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";DatabaseValueConvertible;true;fetchOne(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";FetchableRecord;true;fetchCursor(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";FetchableRecord;true;fetchAll(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";FetchableRecord;true;fetchSet(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";FetchableRecord;true;fetchOne(_:sql:arguments:adapter:);;;Argument[2];database-store",
+        ";FetchableRecord;true;fetchCursor(_:arguments:adapter:);;;Argument[1];database-store",
+        ";FetchableRecord;true;fetchAll(_:arguments:adapter:);;;Argument[1];database-store",
+        ";FetchableRecord;true;fetchSet(_:arguments:adapter:);;;Argument[1];database-store",
+        ";FetchableRecord;true;fetchOne(_:arguments:adapter:);;;Argument[1];database-store",
+        ";Statement;true;execute(arguments:);;;Argument[0];database-store",
+        ";CommonTableExpression;true;init(recursive:named:columns:sql:arguments:);;;Argument[4];database-store",
+        ";Statement;true;setArguments(_:);;;Argument[0];database-store"
+      ]
+  }
+}
+
+/**
+ * An encryption sanitizer for cleartext database storage vulnerabilities.
+ */
+private class CleartextStorageDatabaseEncryptionSanitizer extends CleartextStorageDatabaseSanitizer {
+  CleartextStorageDatabaseEncryptionSanitizer() { this.asExpr() instanceof EncryptedExpr }
+}
+
+/**
+ * An additional taint step for cleartext database storage vulnerabilities.
+ * Needed until we have proper content flow through arrays.
+ */
+private class CleartextStorageDatabaseArrayAdditionalTaintStep extends CleartextStorageDatabaseAdditionalTaintStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(ArrayExpr arr |
+      nodeFrom.asExpr() = arr.getAnElement() and
+      nodeTo.asExpr() = arr
+    )
+  }
+}
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultCleartextStorageDatabaseSink extends CleartextStorageDatabaseSink {
+  DefaultCleartextStorageDatabaseSink() { sinkNode(this, "database-store") }
+}

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext
+ * database storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.CleartextStorageDatabaseExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof CleartextStorageDatabaseSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextStorageDatabaseSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextStorageDatabaseAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from fields of an `NSManagedObject` or `RealmSwiftObject` at the sink,
+    // for example in `realmObj.data = sensitive`.
+    isSink(node) and
+    exists(ClassOrStructDecl cd, Decl cx |
+      cd.getABaseTypeDecl*().getName() = ["NSManagedObject", "RealmSwiftObject"] and
+      cx.asNominalTypeDecl() = cd and
+      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+    )
+    or
+    // any default implicit reads
+    super.allowImplicitRead(node, c)
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesExtensions.qll

@@ -0,0 +1,88 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext preferences
+ * storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A dataflow sink for cleartext preferences storage vulnerabilities. That is,
+ * a `DataFlow::Node` of something that gets stored in an application
+ * preference store.
+ */
+abstract class CleartextStoragePreferencesSink extends DataFlow::Node {
+  abstract string getStoreName();
+}
+
+/**
+ * A sanitizer for cleartext preferences storage vulnerabilities.
+ */
+abstract class CleartextStoragePreferencesSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class CleartextStoragePreferencesAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to cleartext preferences storage vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/** The `DataFlow::Node` of an expression that gets written to the user defaults database */
+private class UserDefaultsStore extends CleartextStoragePreferencesSink {
+  UserDefaultsStore() {
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("UserDefaults", "set(_:forKey:)") and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "the user defaults database" }
+}
+
+/** The `DataFlow::Node` of an expression that gets written to the iCloud-backed NSUbiquitousKeyValueStore */
+private class NSUbiquitousKeyValueStore extends CleartextStoragePreferencesSink {
+  NSUbiquitousKeyValueStore() {
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSUbiquitousKeyValueStore", "set(_:forKey:)") and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+
+  override string getStoreName() { result = "iCloud" }
+}
+
+/**
+ * A more complicated case, this is a macOS-only way of writing to
+ * NSUserDefaults by modifying the `NSUserDefaultsController.values: Any`
+ * object via reflection (`perform(Selector)`) or the `NSKeyValueCoding`,
+ * `NSKeyValueBindingCreation` APIs. (TODO)
+ */
+private class NSUserDefaultsControllerStore extends CleartextStoragePreferencesSink {
+  NSUserDefaultsControllerStore() { none() }
+
+  override string getStoreName() { result = "the user defaults database" }
+}
+
+/**
+ * An encryption sanitizer for cleartext preferences storage vulnerabilities.
+ */
+private class CleartextStoragePreferencesEncryptionSanitizer extends CleartextStoragePreferencesSanitizer {
+  CleartextStoragePreferencesEncryptionSanitizer() { this.asExpr() instanceof EncryptedExpr }
+}
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultCleartextStoragePreferencesSink extends CleartextStoragePreferencesSink {
+  DefaultCleartextStoragePreferencesSink() { sinkNode(this, "preferences-store") }
+
+  override string getStoreName() { result = "a preferences store" }
+}

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext
+ * preferences storage vulnerabilities.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.CleartextStoragePreferencesExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored as preferences.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof CleartextStoragePreferencesSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextStoragePreferencesSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextStoragePreferencesAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    this.isSource(node)
+  }
+}