Swift: Rewrite UnsafeWebViewFetch to use DataFlow::ConfigSig

jketema · jketema · commit 5deafeaf9e50 · 2023-04-04T09:10:21.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.UnsafeWebViewFetchExtensions
  * A taint configuration from taint sources to sinks (and `baseURL` arguments)
  * for this query.
  */
-class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
+deprecated class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
   UnsafeWebViewFetchConfig() { this = "UnsafeWebViewFetchConfig" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
@@ -33,3 +33,29 @@ class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
     any(UnsafeWebViewFetchAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration from taint sources to sinks (and `baseURL` arguments)
+ * for this query.
+ */
+module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(UnsafeWebViewFetchSink sink |
+      node = sink or
+      node.asExpr() = sink.getBaseUrl()
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof UnsafeWebViewFetchSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UnsafeWebViewFetchAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of taint sources to sinks (and `baseURL` arguments) for this query.
+ */
+module UnsafeWebViewFetchFlow = TaintTracking::Global<UnsafeWebViewFetchConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
@@ -15,13 +15,13 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.UnsafeWebViewFetchQuery
-import DataFlow::PathGraph
+import UnsafeWebViewFetchFlow::PathGraph
 
 from
-  UnsafeWebViewFetchConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode,
+  UnsafeWebViewFetchFlow::PathNode sourceNode, UnsafeWebViewFetchFlow::PathNode sinkNode,
   UnsafeWebViewFetchSink sink, string message
 where
-  config.hasFlowPath(sourceNode, sinkNode) and
+  UnsafeWebViewFetchFlow::flowPath(sourceNode, sinkNode) and
   sink = sinkNode.getNode() and
   (
     // no base URL
@@ -33,7 +33,7 @@ where
     message = "Tainted data is used in a WebView fetch without restricting the base URL."
     or
     // base URL is also tainted
-    config.hasFlowToExpr(sink.getBaseUrl()) and
+    UnsafeWebViewFetchFlow::flowToExpr(sink.getBaseUrl()) and
     message = "Tainted data is used in a WebView fetch with a tainted base URL."
   )
 select sink, sourceNode, sinkNode, message
