
Commit 6d4c831

committed
Swift: Compute sensitive strings centrally (much more efficient evaluation).
1 parent f52f450 commit 6d4c831

1 file changed

+25
-11
lines changed


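--- a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
+++ b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -85,14 +85,34 @@ private string regexpProbablySafe() {
 result = "(?is).*(file|path|url|invalid).*"
 }
 
+/**
+* Gets a string that is to be tested for sensitivity.
+*/
+cached
+private string sensitiveCandidateStrings() {
+result = any(VarDecl v).getName()
+or
+result = any(Function f).getShortName()
+or
+result = any(Argument a).getLabel()
+}
+
+/**
+* Gets a string from the candidates that is sensitive.
+*/
+cached
+private string sensitiveStrings(SensitiveDataType sensitiveType) {
+result = sensitiveCandidateStrings() and
+result.regexpMatch(sensitiveType.getRegexp())
+}
+
 /**
 * A `VarDecl` that might be used to contain sensitive data.
 */
 private class SensitiveVarDecl extends VarDecl {
 SensitiveDataType sensitiveType;
 
-cached
-SensitiveVarDecl() { this.getName().regexpMatch(sensitiveType.getRegexp()) }
+SensitiveVarDecl() { this.getName() = sensitiveStrings(sensitiveType) }
 
 predicate hasInfo(string label, SensitiveDataType type) {
 label = this.getName() and
@@ -105,16 +125,11 @@ private class SensitiveVarDecl extends VarDecl {
 */
 private class SensitiveFunction extends Function {
 SensitiveDataType sensitiveType;
-string name; // name of the function, not including the argument list.
 
-cached
-SensitiveFunction() {
-name = this.getShortName() and
-name.regexpMatch(sensitiveType.getRegexp())
-}
+SensitiveFunction() { this.getShortName() = sensitiveStrings(sensitiveType) }
 
 predicate hasInfo(string label, SensitiveDataType type) {
-label = name and
+label = this.getShortName() and
 sensitiveType = type
 }
 }
@@ -125,8 +140,7 @@ private class SensitiveFunction extends Function {
 private class SensitiveArgument extends Argument {
 SensitiveDataType sensitiveType;
 
-cached
-SensitiveArgument() { this.getLabel().regexpMatch(sensitiveType.getRegexp()) }
+SensitiveArgument() { this.getLabel() = sensitiveStrings(sensitiveType) }
 
 predicate hasInfo(string label, SensitiveDataType type) {
 label = this.getLabel() and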
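Review bot: `sensitiveCandidateStrings()` in the first hunk is now the only place that decides which names can ever be classified as sensitive, yet its QLDoc does not say that the three `Sensitive*` classes below depend on it; a future class written as `this.getSomething() = sensitiveStrings(sensitiveType)` whose name source is not listed there would silently never match, so detections would be lost without any compile-time signal. Suggest extending the comment to `Gets a string that is to be tested for sensitivity. Every name source used by a Sensitive* class below (VarDecl names, Function short names, Argument labels) must be listed here, or that class will match nothing.` The second hunk's replacement of the `name` field with repeated `this.getShortName()` calls in the constructor and in `hasInfo` looks equivalent as long as `getShortName()` has at most one value per function, which I cannot confirm from this hunk. The `hasInfo` predicates at the end of the first and third hunks continue outside the visible lines.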
