Merge pull request #3 from MathiasVP/add-puns-to-mad-2

Swift: Syntax for selecting `PostUpdateNode`s in CSV rows

Author: geoffw0

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -200,14 +200,19 @@ predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode nod
 }
 
 predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode node) {
-  // Allow fields to be picked as input nodes.
   exists(Node n, AstNode ast, MemberRefExpr e |
     n = node.asNode() and
-    ast = mid.asElement()
+    ast = mid.asElement() and
+    e.getMember() = ast
   |
+    // Allow fields to be picked as input nodes.
     c = "" and
-    e.getBase() = n.asExpr() and
-    e.getMember() = ast
+    e.getBase() = n.asExpr()
+    or
+    // Allow post update nodes to be picked as input nodes when the `input` column
+    // of the row is `PostUpdate`.
+    c = "PostUpdate" and
+    e.getBase() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
   )
 }
 

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll

@@ -26,4 +26,14 @@ predicate localTaintStep = localTaintStepCached/2;
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs) {
+  // If a `PostUpdateNode` is specified as a sink, there's (almost) always a store step preceding it.
+  // So when the node is a `PostUpdateNode` we allow any sequence of implicit read steps of an appropriate
+  // type to make sure we arrive at the sink with an empty access path.
+  exists(NominalTypeDecl d, Decl cx |
+    node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getType() =
+      d.getType().getABaseType*() and
+    cx.asNominalTypeDecl() = d and
+    cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+  )
+}

swift/ql/lib/codeql/swift/elements/type/DynamicSelfType.qll

@@ -1,4 +1,9 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.DynamicSelfType
 
-class DynamicSelfType extends Generated::DynamicSelfType { }
+class DynamicSelfType extends Generated::DynamicSelfType {
+  override Type getResolveStep() {
+    // The type of qualifiers in a Swift constructor is assigned the type `Self` by the Swift compiler
+    // This `getResolveStep` replaces that `Self` type with the type of the enclosing class.
+    result = this.getImmediateStaticSelfType()
+  }
+}

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -50,10 +50,10 @@ private class TlsExtensionsSinks extends SinkModelCsv {
     row =
       [
         // TLS-related properties of `URLSessionConfiguration`
-        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocolVersion;;;;tls-protocol-version",
-        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocol;;;;tls-protocol-version",
-        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocolVersion;;;;tls-protocol-version",
-        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocol;;;;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocol;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocol;;;PostUpdate;tls-protocol-version",
       ]
   }
 }
@@ -62,7 +62,5 @@ private class TlsExtensionsSinks extends SinkModelCsv {
  * A sink defined in a CSV model.
  */
 private class DefaultTlsExtensionsSink extends InsecureTlsExtensionsSink {
-  DefaultTlsExtensionsSink() {
-    sinkNode(this.(DataFlow::PostUpdateNode).getPreUpdateNode(), "tls-protocol-version")
-  }
+  DefaultTlsExtensionsSink() { sinkNode(this, "tls-protocol-version") }
 }

swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll

@@ -22,17 +22,6 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsecureTlsExtensionsAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // flow out from fields of an `URLSessionConfiguration` at the sink,
-    // for example in `sessionConfig.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv10`.
-    isSink(node) and
-    exists(NominalTypeDecl d, Decl cx |
-      d.getType().getABaseType*().getUnderlyingType().getName() = "URLSessionConfiguration" and
-      cx.asNominalTypeDecl() = d and
-      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
-    )
-  }
 }
 
 module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;

swift/ql/test/extractor-tests/generated/type/DynamicSelfType/DynamicSelfType.expected

@@ -1 +0,0 @@
-| Self | getName: | Self | getCanonicalType: | Self | getStaticSelfType: | X |

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -235,7 +235,7 @@ edges
 | test.swift:536:10:536:13 | s :  | test.swift:537:13:537:13 | s :  |
 | test.swift:537:7:537:7 | [post] self [str] :  | test.swift:536:5:538:5 | self[return] [str] :  |
 | test.swift:537:13:537:13 | s :  | test.swift:537:7:537:7 | [post] self [str] :  |
-| test.swift:542:17:545:5 | self[return] [str] :  | test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  |
+| test.swift:542:17:545:5 | self[return] [str] :  | test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  |
 | test.swift:543:7:543:7 | [post] self [str] :  | test.swift:542:17:545:5 | self[return] [str] :  |
 | test.swift:543:7:543:7 | [post] self [str] :  | test.swift:544:17:544:17 | self [str] :  |
 | test.swift:543:20:543:28 | call to source3() :  | test.swift:536:10:536:13 | s :  |
@@ -245,8 +245,8 @@ edges
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:536:10:536:13 | s :  |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:550:13:550:43 | .str |
 | test.swift:567:8:567:11 | x :  | test.swift:568:14:568:14 | x :  |
 | test.swift:568:5:568:5 | [post] self [x] :  | test.swift:567:3:569:3 | self[return] [x] :  |
 | test.swift:568:14:568:14 | x :  | test.swift:568:5:568:5 | [post] self [x] :  |
@@ -541,7 +541,7 @@ nodes
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | semmle.label | call to MyClass.init(s:) [str] :  |
 | test.swift:549:13:549:35 | .str | semmle.label | .str |
 | test.swift:549:24:549:32 | call to source3() :  | semmle.label | call to source3() :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | semmle.label | call to Self.init(contentsOfFile:) [str] :  |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | semmle.label | call to MyClass.init(contentsOfFile:) [str] :  |
 | test.swift:550:13:550:43 | .str | semmle.label | .str |
 | test.swift:567:3:569:3 | self[return] [x] :  | semmle.label | self[return] [x] :  |
 | test.swift:567:8:567:11 | x :  | semmle.label | x :  |
@@ -609,7 +609,7 @@ subpaths
 | test.swift:543:20:543:28 | call to source3() :  | test.swift:536:10:536:13 | s :  | test.swift:537:7:537:7 | [post] self [str] :  | test.swift:543:7:543:7 | [post] self [str] :  |
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:536:10:536:13 | s :  | test.swift:536:5:538:5 | self[return] [str] :  | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:550:13:550:43 | .str |
 | test.swift:573:16:573:23 | call to source() :  | test.swift:567:8:567:11 | x :  | test.swift:567:3:569:3 | self[return] [x] :  | test.swift:573:11:573:24 | call to S.init(x:) [x] :  |
 | test.swift:575:13:575:13 | s [x] :  | test.swift:574:11:574:14 | enter #keyPath(...) [x] :  | test.swift:574:11:574:14 | exit #keyPath(...) :  | test.swift:575:13:575:25 | \\...[...] |
 | test.swift:578:13:578:13 | s [x] :  | test.swift:577:36:577:38 | enter #keyPath(...) [x] :  | test.swift:577:36:577:38 | exit #keyPath(...) :  | test.swift:578:13:578:32 | \\...[...] |