Swift: Rewrite PredicateInjection to use DataFlow::ConfigSig

jketema · jketema · commit 70d0e987c47f · 2023-04-03T16:19:30.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
@@ -12,7 +12,7 @@ private import codeql.swift.security.PredicateInjectionExtensions
 /**
  * A taint-tracking configuration for predicate injection vulnerabilities.
  */
-class PredicateInjectionConf extends TaintTracking::Configuration {
+deprecated class PredicateInjectionConf extends TaintTracking::Configuration {
   PredicateInjectionConf() { this = "PredicateInjectionConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -27,3 +27,25 @@ class PredicateInjectionConf extends TaintTracking::Configuration {
     any(PredicateInjectionAdditionalTaintStep s).step(n1, n2)
   }
 }
+
+/**
+ * A taint-tracking configuration for predicate injection vulnerabilities.
+ */
+module PredicateInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof PredicateInjectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof PredicateInjectionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(PredicateInjectionAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of predicate injection vulnerabilities.
+ */
+module PredicateInjectionFlow = TaintTracking::Global<PredicateInjectionConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-943/PredicateInjection.ql b/swift/ql/src/queries/Security/CWE-943/PredicateInjection.ql
@@ -14,9 +14,9 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.PredicateInjectionQuery
-import DataFlow::PathGraph
+import PredicateInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(PredicateInjectionConf c).hasFlowPath(source, sink)
+from PredicateInjectionFlow::PathNode source, PredicateInjectionFlow::PathNode sink
+where PredicateInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This predicate depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.ql b/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.ql
@@ -9,10 +9,8 @@ class PredicateInjectionTest extends InlineExpectationsTest {
   override string getARelevantTag() { result = "hasPredicateInjection" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      PredicateInjectionConf config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
-    |
-      config.hasFlow(source, sink) and
+    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+      PredicateInjectionFlow::flow(source, sink) and
       sinkExpr = sink.asExpr() and
       location = sinkExpr.getLocation() and
       element = sinkExpr.toString() and
