Swift: Default content read step.

geoffw0 · geoffw0 · commit 89867d62143c · 2023-10-16T18:28:50.000+01:00
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll
@@ -37,4 +37,9 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs)
     cx.asNominalTypeDecl() = d and
     cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
   )
+  or
+  // We often expect taint to reach a sink inside `CollectionContent`, for example an array element
+  // or pointer contents. It is convenient to have a default implicit read step for these cases rather
+  // than implementing this step in a lot of separate `allowImplicitRead`s.
+  cs.getAReadContent() instanceof DataFlow::Content::CollectionContent
 }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
@@ -25,12 +25,6 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // flow out from collection content at the sink.
-    isSink(node) and
-    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
-  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -45,11 +45,6 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
     isSink(node) and
     node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and
     c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1
-    or
-    // flow out from array elements (and other collection content) at the sink,
-    // for example in `database.allStatements(sql: "", arguments: [sensitive])`.
-    isSink(node) and
-    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
   }
 }
 
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -23,12 +23,6 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // flow out from array elements of at the sink, for example in `task.arguments = [tainted]`.
-    isSink(node) and
-    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
-  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
@@ -41,12 +41,6 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // flow out of collections at the sink
-    isSink(node) and
-    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
-  }
 }
 
 module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
@@ -22,16 +22,6 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeJsEvalAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
-
-  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    // flow out from content a the sink
-    (
-      isSink(node)
-      or
-      isAdditionalFlowStep(node, _)
-    ) and
-    c.getAReadContent() instanceof DataFlow::Content::CollectionContent
-  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -37,4 +37,9 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs)`
`37`	`37`	`cx.asNominalTypeDecl() = d and`
`38`	`38`	`cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()`
`39`	`39`	`)`
	`40`	`+ or`
	`41`	+ // We often expect taint to reach a sink inside `CollectionContent`, for example an array element
	`42`	`+ // or pointer contents. It is convenient to have a default implicit read step for these cases rather`
	`43`	+ // than implementing this step in a lot of separate `allowImplicitRead`s.
	`44`	`+ cs.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`40`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,12 +25,6 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {`
`25`	`25`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`26`	`26`	`any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)`
`27`	`27`	`}`
`28`		`-`
`29`		`- predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`30`		`- // flow out from collection content at the sink.`
`31`		`- isSink(node) and`
`32`		`- c.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`33`		`- }`
`34`	`28`	`}`
`35`	`29`
`36`	`30`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -45,11 +45,6 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {`
`45`	`45`	`isSink(node) and`
`46`	`46`	`node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and`
`47`	`47`	`c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1`
`48`		`- or`
`49`		`- // flow out from array elements (and other collection content) at the sink,`
`50`		- // for example in `database.allStatements(sql: "", arguments: [sensitive])`.
`51`		`- isSink(node) and`
`52`		`- c.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`53`	`48`	`}`
`54`	`49`	`}`
`55`	`50`
Original file line number	Diff line number	Diff line change
`@@ -23,12 +23,6 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
`26`		`-`
`27`		`- predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`28`		- // flow out from array elements of at the sink, for example in `task.arguments = [tainted]`.
`29`		`- isSink(node) and`
`30`		`- c.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`31`		`- }`
`32`	`26`	`}`
`33`	`27`
`34`	`28`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -41,12 +41,6 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {`
`41`	`41`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`42`	`42`	`any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`43`	`43`	`}`
`44`		`-`
`45`		`- predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`46`		`- // flow out of collections at the sink`
`47`		`- isSink(node) and`
`48`		`- c.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`49`		`- }`
`50`	`44`	`}`
`51`	`45`
`52`	`46`	`module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;`