Merge branch 'main' into deprecate-after-repeated-initializers

Author: MathiasVP

swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll

@@ -12,7 +12,7 @@ private import codeql.swift.security.SensitiveExprs
 /**
  * A taint-tracking configuration for cleartext logging of sensitive data vulnerabilities.
  */
-class CleartextLoggingConfiguration extends TaintTracking::Configuration {
+deprecated class CleartextLoggingConfiguration extends TaintTracking::Configuration {
   CleartextLoggingConfiguration() { this = "CleartextLoggingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
@@ -30,3 +30,26 @@ class CleartextLoggingConfiguration extends TaintTracking::Configuration {
     any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
   }
 }
+
+/**
+ * A taint-tracking configuration for cleartext logging of sensitive data vulnerabilities.
+ */
+module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CleartextLoggingSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof CleartextLoggingSanitizer }
+
+  // Disregard paths that contain other paths. This helps with performance.
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of cleartext logging of sensitive data vulnerabilities.
+ */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -13,7 +13,7 @@ import codeql.swift.security.CleartextStoragePreferencesExtensions
  * A taint configuration from sensitive information to expressions that are
  * stored as preferences.
  */
-class CleartextStorageConfig extends TaintTracking::Configuration {
+deprecated class CleartextStorageConfig extends TaintTracking::Configuration {
   CleartextStorageConfig() { this = "CleartextStorageConfig" }
 
   override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
@@ -33,3 +33,32 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     this.isSource(node)
   }
 }
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored as preferences.
+ */
+module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node node) { node instanceof CleartextStoragePreferencesSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextStoragePreferencesSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextStoragePreferencesAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+}
+
+/**
+ * Detect taint flow of sensitive information to expressions that are stored
+ * as preferences.
+ */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;

swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll

@@ -13,7 +13,7 @@ import codeql.swift.security.CleartextTransmissionExtensions
  * A taint configuration from sensitive information to expressions that are
  * transmitted over a network.
  */
-class CleartextTransmissionConfig extends TaintTracking::Configuration {
+deprecated class CleartextTransmissionConfig extends TaintTracking::Configuration {
   CleartextTransmissionConfig() { this = "CleartextTransmissionConfig" }
 
   override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
@@ -33,3 +33,32 @@ class CleartextTransmissionConfig extends TaintTracking::Configuration {
     isSource(node)
   }
 }
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+module CleartextTransmissionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmissionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextTransmissionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextTransmissionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+}
+
+/**
+ * Detect taint flow of sensitive information to expressions that are transmitted over
+ * a network.
+ */
+module CleartextTransmissionFlow = TaintTracking::Global<CleartextTransmissionConfig>;

swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll

@@ -13,7 +13,7 @@ private import codeql.swift.security.PathInjectionExtensions
 /**
  * A taint-tracking configuration for path injection vulnerabilities.
  */
-class PathInjectionConfiguration extends TaintTracking::Configuration {
+deprecated class PathInjectionConfiguration extends TaintTracking::Configuration {
   PathInjectionConfiguration() { this = "PathInjectionConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -28,3 +28,23 @@ class PathInjectionConfiguration extends TaintTracking::Configuration {
     any(PathInjectionAdditionalTaintStep s).step(node1, node2)
   }
 }
+
+/**
+ * A taint-tracking configuration for path injection vulnerabilities.
+ */
+module PathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof PathInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof PathInjectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+/**
+ * Detect taint flow of path injection vulnerabilities.
+ */
+module PathInjectionFlow = TaintTracking::Global<PathInjectionConfig>;

swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll

@@ -12,7 +12,7 @@ private import codeql.swift.security.PredicateInjectionExtensions
 /**
  * A taint-tracking configuration for predicate injection vulnerabilities.
  */
-class PredicateInjectionConf extends TaintTracking::Configuration {
+deprecated class PredicateInjectionConf extends TaintTracking::Configuration {
   PredicateInjectionConf() { this = "PredicateInjectionConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -27,3 +27,23 @@ class PredicateInjectionConf extends TaintTracking::Configuration {
     any(PredicateInjectionAdditionalTaintStep s).step(n1, n2)
   }
 }
+
+/**
+ * A taint-tracking configuration for predicate injection vulnerabilities.
+ */
+module PredicateInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof PredicateInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof PredicateInjectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(PredicateInjectionAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of predicate injection vulnerabilities.
+ */
+module PredicateInjectionFlow = TaintTracking::Global<PredicateInjectionConfig>;

swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll

@@ -13,7 +13,7 @@ import codeql.swift.security.SqlInjectionExtensions
 /**
  * A taint configuration for tainted data that reaches a SQL sink.
  */
-class SqlInjectionConfig extends TaintTracking::Configuration {
+deprecated class SqlInjectionConfig extends TaintTracking::Configuration {
   SqlInjectionConfig() { this = "SqlInjectionConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -28,3 +28,23 @@ class SqlInjectionConfig extends TaintTracking::Configuration {
     any(SqlInjectionAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration for tainted data that reaches a SQL sink.
+ */
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof SqlInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof SqlInjectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(SqlInjectionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of tainted data that reaches a SQL sink.
+ */
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll

@@ -13,7 +13,7 @@ import codeql.swift.security.UncontrolledFormatStringExtensions
 /**
  * A taint configuration for tainted data that reaches a format string.
  */
-class TaintedFormatConfiguration extends TaintTracking::Configuration {
+deprecated class TaintedFormatConfiguration extends TaintTracking::Configuration {
   TaintedFormatConfiguration() { this = "TaintedFormatConfiguration" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -28,3 +28,25 @@ class TaintedFormatConfiguration extends TaintTracking::Configuration {
     any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration for tainted data that reaches a format string.
+ */
+module TaintedFormatConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof UncontrolledFormatStringSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof UncontrolledFormatStringSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of tainted data that reaches a format string.
+ */
+module TaintedFormatFlow = TaintTracking::Global<TaintedFormatConfig>;

swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll

@@ -12,7 +12,7 @@ import codeql.swift.security.UnsafeJsEvalExtensions
 /**
  * A taint configuration from taint sources to sinks for this query.
  */
-class UnsafeJsEvalConfig extends TaintTracking::Configuration {
+deprecated class UnsafeJsEvalConfig extends TaintTracking::Configuration {
   UnsafeJsEvalConfig() { this = "UnsafeJsEvalConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -27,3 +27,23 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
     any(UnsafeJsEvalAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration from taint sources to sinks for this query.
+ */
+module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof UnsafeJsEvalSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof UnsafeJsEvalSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UnsafeJsEvalAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of taint sources to sinks for this query.
+ */
+module UnsafeJsEvalFlow = TaintTracking::Global<UnsafeJsEvalConfig>;

swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll

@@ -13,7 +13,7 @@ import codeql.swift.security.UnsafeWebViewFetchExtensions
  * A taint configuration from taint sources to sinks (and `baseURL` arguments)
  * for this query.
  */
-class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
+deprecated class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
   UnsafeWebViewFetchConfig() { this = "UnsafeWebViewFetchConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
@@ -33,3 +33,29 @@ class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
     any(UnsafeWebViewFetchAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration from taint sources to sinks (and `baseURL` arguments)
+ * for this query.
+ */
+module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(UnsafeWebViewFetchSink sink |
+      node = sink or
+      node.asExpr() = sink.getBaseUrl()
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof UnsafeWebViewFetchSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UnsafeWebViewFetchAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of taint sources to sinks (and `baseURL` arguments) for this query.
+ */
+module UnsafeWebViewFetchFlow = TaintTracking::Global<UnsafeWebViewFetchConfig>;

swift/ql/lib/codeql/swift/security/XXEQuery.qll

@@ -12,7 +12,7 @@ import codeql.swift.security.XXEExtensions
 /**
  * A taint-tracking configuration for XML external entities (XXE) vulnerabilities.
  */
-class XxeConfiguration extends TaintTracking::Configuration {
+deprecated class XxeConfiguration extends TaintTracking::Configuration {
   XxeConfiguration() { this = "XxeConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -25,3 +25,23 @@ class XxeConfiguration extends TaintTracking::Configuration {
     any(XxeAdditionalTaintStep s).step(n1, n2)
   }
 }
+
+/**
+ * A taint-tracking configuration for XML external entities (XXE) vulnerabilities.
+ */
+module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(XxeAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of XML external entities (XXE) vulnerabilities.
+ */
+module XxeFlow = TaintTracking::Global<XxeConfig>;