Swift: Recognize Core Data + Realm sources via type aliases.

Author: geoffw0

swift/ql/lib/codeql/swift/elements/type/Type.qll

@@ -1,4 +1,6 @@
 private import codeql.swift.generated.type.Type
+private import codeql.swift.elements.type.NominalType
+private import codeql.swift.elements.type.TypeAliasType
 
 class Type extends Generated::Type {
   override string toString() { result = this.getName() }
@@ -11,4 +13,22 @@ class Type extends Generated::Type {
    * ```
    */
   Type getUnderlyingType() { result = this }
+
+  /**
+   * Gets any base type of this type, or the result of resolving a typedef. For
+   * example in the following code, `C` has base type `B` which has underlying
+   * type `A`. Thus, `getABaseOrAliasedType*` can be used to discover the
+   * relationship between `C` and `A`.
+   * ```
+   * class A {}
+   *
+   * typealias B = A
+   *
+   * class C : B {}
+   * ```
+   */
+  Type getABaseOrAliasedType() {
+    result = this.(NominalType).getABaseType() or
+    result = this.(TypeAliasType).getAliasedType()
+  }
 }

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -49,7 +49,7 @@ private class CoreDataStore extends CleartextStorageDatabaseSink {
     // with `coreDataObj.data` is a sink.
     // (ideally this would be only members with the `@NSManaged` attribute)
     exists(NominalType t, Expr e |
-      t.getABaseType*().getName() = "NSManagedObject" and
+      t.getABaseOrAliasedType*().getName() = "NSManagedObject" and
       this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
       e.getFullyConverted().getType() = t and
       not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
@@ -67,7 +67,7 @@ private class RealmStore extends CleartextStorageDatabaseSink instanceof DataFlo
     // example in `realmObj.data = sensitive` the post-update node corresponding
     // with `realmObj.data` is a sink.
     exists(NominalType t, Expr e |
-      t.getABaseType*().getName() = "RealmSwiftObject" and
+      t.getABaseOrAliasedType*().getName() = "RealmSwiftObject" and
       this.getPreUpdateNode().asExpr() = e and
       e.getFullyConverted().getType() = t and
       not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -37,9 +37,9 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     // flow out from fields of an `NSManagedObject` or `RealmSwiftObject` at the sink,
     // for example in `realmObj.data = sensitive`.
     isSink(node) and
-    exists(ClassOrStructDecl cd, Decl cx |
-      cd.getABaseTypeDecl*().getName() = ["NSManagedObject", "RealmSwiftObject"] and
-      cx.asNominalTypeDecl() = cd and
+    exists(NominalTypeDecl d, Decl cx |
+      d.getType().getABaseOrAliasedType*().getName() = ["NSManagedObject", "RealmSwiftObject"] and
+      cx.asNominalTypeDecl() = d and
       c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
     )
     or

swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected

@@ -2,6 +2,7 @@ edges
 | file://:0:0:0:0 | self [value] :  | file://:0:0:0:0 | .value :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [data] :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [password] :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [value] :  |
 | testCoreData2.swift:23:13:23:13 | value :  | file://:0:0:0:0 | value :  |
 | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] :  | testCoreData2.swift:37:2:37:2 | [post] obj |
@@ -169,6 +170,7 @@ edges
 | testGRDB.swift:210:85:210:85 | password :  | testGRDB.swift:210:84:210:93 | [...] |
 | testGRDB.swift:212:99:212:99 | password :  | testGRDB.swift:212:98:212:107 | [...] |
 | testRealm.swift:27:6:27:6 | value :  | file://:0:0:0:0 | value :  |
+| testRealm.swift:34:6:34:6 | value :  | file://:0:0:0:0 | value :  |
 | testRealm.swift:41:2:41:2 | [post] a [data] :  | testRealm.swift:41:2:41:2 | [post] a |
 | testRealm.swift:41:11:41:11 | myPassword :  | testRealm.swift:27:6:27:6 | value :  |
 | testRealm.swift:41:11:41:11 | myPassword :  | testRealm.swift:41:2:41:2 | [post] a [data] :  |
@@ -181,17 +183,22 @@ edges
 | testRealm.swift:66:2:66:2 | [post] g [data] :  | testRealm.swift:66:2:66:2 | [post] g |
 | testRealm.swift:66:11:66:11 | myPassword :  | testRealm.swift:27:6:27:6 | value :  |
 | testRealm.swift:66:11:66:11 | myPassword :  | testRealm.swift:66:2:66:2 | [post] g [data] :  |
+| testRealm.swift:73:2:73:2 | [post] h [password] :  | testRealm.swift:73:2:73:2 | [post] h |
+| testRealm.swift:73:15:73:15 | myPassword :  | testRealm.swift:34:6:34:6 | value :  |
+| testRealm.swift:73:15:73:15 | myPassword :  | testRealm.swift:73:2:73:2 | [post] h [password] :  |
 nodes
 | file://:0:0:0:0 | .value2 :  | semmle.label | .value2 :  |
 | file://:0:0:0:0 | .value :  | semmle.label | .value :  |
 | file://:0:0:0:0 | .value :  | semmle.label | .value :  |
 | file://:0:0:0:0 | [post] self [data] :  | semmle.label | [post] self [data] :  |
 | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | semmle.label | [post] self [notStoredBankAccountNumber] :  |
+| file://:0:0:0:0 | [post] self [password] :  | semmle.label | [post] self [password] :  |
 | file://:0:0:0:0 | [post] self [value] :  | semmle.label | [post] self [value] :  |
 | file://:0:0:0:0 | self [value] :  | semmle.label | self [value] :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
 | testCoreData2.swift:23:13:23:13 | value :  | semmle.label | value :  |
 | testCoreData2.swift:37:2:37:2 | [post] obj | semmle.label | [post] obj |
 | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] :  | semmle.label | [post] obj [myValue] :  |
@@ -422,6 +429,7 @@ nodes
 | testGRDB.swift:212:98:212:107 | [...] | semmle.label | [...] |
 | testGRDB.swift:212:99:212:99 | password :  | semmle.label | password :  |
 | testRealm.swift:27:6:27:6 | value :  | semmle.label | value :  |
+| testRealm.swift:34:6:34:6 | value :  | semmle.label | value :  |
 | testRealm.swift:41:2:41:2 | [post] a | semmle.label | [post] a |
 | testRealm.swift:41:2:41:2 | [post] a [data] :  | semmle.label | [post] a [data] :  |
 | testRealm.swift:41:11:41:11 | myPassword :  | semmle.label | myPassword :  |
@@ -434,6 +442,9 @@ nodes
 | testRealm.swift:66:2:66:2 | [post] g | semmle.label | [post] g |
 | testRealm.swift:66:2:66:2 | [post] g [data] :  | semmle.label | [post] g [data] :  |
 | testRealm.swift:66:11:66:11 | myPassword :  | semmle.label | myPassword :  |
+| testRealm.swift:73:2:73:2 | [post] h | semmle.label | [post] h |
+| testRealm.swift:73:2:73:2 | [post] h [password] :  | semmle.label | [post] h [password] :  |
+| testRealm.swift:73:15:73:15 | myPassword :  | semmle.label | myPassword :  |
 subpaths
 | testCoreData2.swift:43:35:43:35 | bankAccountNo :  | testCoreData2.swift:23:13:23:13 | value :  | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] :  |
 | testCoreData2.swift:52:41:52:41 | bankAccountNo :  | testCoreData2.swift:23:13:23:13 | value :  | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] :  | testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] :  |
@@ -453,6 +464,7 @@ subpaths
 | testRealm.swift:49:11:49:11 | myPassword :  | testRealm.swift:27:6:27:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:49:2:49:2 | [post] c [data] :  |
 | testRealm.swift:59:12:59:12 | myPassword :  | testRealm.swift:27:6:27:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:59:2:59:3 | [post] ...! [data] :  |
 | testRealm.swift:66:11:66:11 | myPassword :  | testRealm.swift:27:6:27:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:66:2:66:2 | [post] g [data] :  |
+| testRealm.swift:73:15:73:15 | myPassword :  | testRealm.swift:34:6:34:6 | value :  | file://:0:0:0:0 | [post] self [password] :  | testRealm.swift:73:2:73:2 | [post] h [password] :  |
 #select
 | testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo :  | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo :  | bankAccountNo |
 | testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo :  | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo :  | bankAccountNo |
@@ -546,3 +558,4 @@ subpaths
 | testRealm.swift:49:2:49:2 | c | testRealm.swift:49:11:49:11 | myPassword :  | testRealm.swift:49:2:49:2 | [post] c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:49:11:49:11 | myPassword :  | myPassword |
 | testRealm.swift:59:2:59:3 | ...! | testRealm.swift:59:12:59:12 | myPassword :  | testRealm.swift:59:2:59:3 | [post] ...! | This operation stores '...!' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:59:12:59:12 | myPassword :  | myPassword |
 | testRealm.swift:66:2:66:2 | g | testRealm.swift:66:11:66:11 | myPassword :  | testRealm.swift:66:2:66:2 | [post] g | This operation stores 'g' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:66:11:66:11 | myPassword :  | myPassword |
+| testRealm.swift:73:2:73:2 | h | testRealm.swift:73:15:73:15 | myPassword :  | testRealm.swift:73:2:73:2 | [post] h | This operation stores 'h' in a database. It may contain unencrypted sensitive data from $@. | testRealm.swift:73:15:73:15 | myPassword :  | myPassword |

swift/ql/test/query-tests/Security/CWE-311/testRealm.swift

@@ -70,7 +70,7 @@ func test1(realm : Realm, myUsername: String, myPassword : String, myHashedPassw
 
 	let h = MyRealmSwiftObject2()
 	h.username = myUsername // GOOD (not sensitive)
-	h.password = myPassword // BAD [NOT DETECTED]
+	h.password = myPassword // BAD
 	realm.add(h)
 }