Swift: Update InsecureTLSExtensions.ql sinks to not depend on AssignExpr.

Author: geoffw0

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -50,13 +50,15 @@ private class EnumInsecureTlsExtensionsSource extends InsecureTlsExtensionsSourc
  */
 private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
   NsUrlTlsExtensionsSink() {
-    exists(AssignExpr assign |
-      assign.getSource() = this.asExpr() and
-      assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
+    exists(MemberRefExpr e |
+      e.getBase().getType().getABaseType*().getUnderlyingType().getName() =
+              "URLSessionConfiguration" and
+      e.getMember().(ConcreteVarDecl).getName() =
         [
           "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
           "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
-        ]
+        ] and
+      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e.getBase()
     )
   }
 }

swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll

@@ -22,6 +22,17 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsecureTlsExtensionsAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from fields of an `URLSessionConfiguration` at the sink,
+    // for example in `sessionConfig.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv10`.
+    isSink(node) and
+    exists(NominalTypeDecl d, Decl cx |
+      d.getType().getABaseType*().getUnderlyingType().getName() = "URLSessionConfiguration" and
+      cx.asNominalTypeDecl() = d and
+      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+    )
+  }
 }
 
 module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;