You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/codeql/codeql-language-guides/analyzing-data-flow-in-swift.rst
+9-12Lines changed: 9 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ For a more general introduction to modeling data flow, see ":ref:`About data flo
15
15
Local data flow
16
16
---------------
17
17
18
-
Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.
18
+
Local data flow tracks the flow of data within a single function. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.
19
19
20
20
Using local data flow
21
21
~~~~~~~~~~~~~~~~~~~~~
@@ -36,7 +36,7 @@ The ``Node`` class has a number of useful subclasses, such as ``ExprNode`` for e
36
36
*/
37
37
ControlFlowNode getCfgNode() { none() }
38
38
39
-
...
39
+
...
40
40
}
41
41
42
42
You can use the predicates ``exprNode`` and ``parameterNode`` to map from expressions and parameters to their data-flow node:
@@ -65,7 +65,7 @@ For example, you can find flow from an expression ``source`` to an expression ``
65
65
Using local taint tracking
66
66
~~~~~~~~~~~~~~~~~~~~~~~~~~
67
67
68
-
Local taint tracking extends local data flow to include flow steps where values are not preserved, for example, string manipulation.
68
+
Local taint tracking extends local data flow to include flow steps where values are not preserved, such as string manipulation.
69
69
For example:
70
70
71
71
.. code-block:: swift
@@ -209,10 +209,10 @@ The global taint tracking library uses the same configuration module as the glob
209
209
where MyTaintFlow::flow(source, sink)
210
210
select source, "Taint flow to $@.", sink, sink.toString()
211
211
212
-
Predefined sources and sinks
212
+
Predefined sources
213
213
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
214
214
215
-
The data flow library module ``codeql.swift.dataflow.FlowSources`` contains a number of predefined sources and sinks, providing a good starting point for defining data flow and taint flow based security queries.
215
+
The data flow library module ``codeql.swift.dataflow.FlowSources`` contains a number of predefined sources, providing a good starting point for defining data flow and taint flow based security queries.
216
216
217
217
- The class ``RemoteFlowSource`` represents data flow from remote network inputs and from other applications.
218
218
- The class ``LocalFlowSource`` represents data flow from local user input.
@@ -221,11 +221,11 @@ The data flow library module ``codeql.swift.dataflow.FlowSources`` contains a nu
221
221
Examples of global data flow
222
222
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
223
223
224
-
The following global taint-tracking query finds places where a string literal is used in a function call argument called "password".
224
+
The following global taint-tracking query finds places where a string literal is used in a function call argument named "password".
225
225
- Since this is a taint-tracking query, the ``TaintTracking::Global`` module is used.
226
226
- The ``isSource`` predicate defines sources as any ``StringLiteralExpr``.
227
227
- The ``isSink`` predicate defines sinks as arguments to a ``CallExpr`` called "password".
228
-
- The sources and sinks may need tuning to a particular use case, for example if passwords are represented by a type other than ``String`` or passed in arguments of a different name than "password".
228
+
- The sources and sinks may need tuning to a particular use, for example if passwords are represented by a type other than ``String`` or passed in arguments of a different name than "password".
229
229
230
230
.. code-block:: ql
231
231
@@ -245,8 +245,7 @@ The following global taint-tracking query finds places where a string literal is
245
245
246
246
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
247
247
where ConstantPasswordFlow::flow(sourceNode, sinkNode)
248
-
select sinkNode, sourceNode, sinkNode,
249
-
"The value '" + sourceNode.toString() + "' is used as a constant password."
248
+
select sinkNode, "The value '" + sourceNode.toString() + "' is used as a constant password."
250
249
251
250
252
251
The following global taint-tracking query finds places where a value from a remote or local user input is used as an argument to the SQLite ``Connection.execute(_:)`` function.
@@ -256,7 +255,6 @@ The following global taint-tracking query finds places where a value from a remo
256
255
257
256
.. code-block:: ql
258
257
259
-
260
258
import swift
261
259
import codeql.swift.dataflow.DataFlow
262
260
import codeql.swift.dataflow.TaintTracking
@@ -277,8 +275,7 @@ The following global taint-tracking query finds places where a value from a remo
277
275
278
276
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
279
277
where SqlInjectionFlow::flow(sourceNode, sinkNode)
280
-
select sinkNode, sourceNode, sinkNode, "This query depends on a $@.", sourceNode,
281
-
"user-provided value"
278
+
select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"
0 commit comments