Swift: Add a summary query for query sinks.

geoffw0 · geoffw0 · commit 9f1332bdb209 · 2023-09-27T18:34:32.000+01:00
diff --git a/swift/ql/src/queries/Summary/QuerySinks.ql b/swift/ql/src/queries/Summary/QuerySinks.ql
@@ -0,0 +1,84 @@
+/**
+ * @name Query Sinks
+ * @description List all query sinks found in the database. Query sinks are
+ *              potential results depending on what data flows to them and
+ *              other context.
+ * @kind problem
+ * @problem.severity info
+ * @id swift/summary/query-sinks
+ * @tags summary
+ */
+
+/*
+ * Most queries compute data flow to one of the following sinks:
+ *  - custom per-query sinks (listed by this query, `swift/summary/query-sinks`).
+ *  - regular expression evaluation (see `swift/summary/regex-evals`).
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.PathInjectionQuery
+import codeql.swift.security.UnsafeWebViewFetchQuery
+import codeql.swift.security.SqlInjectionQuery
+import codeql.swift.security.UnsafeJsEvalQuery
+import codeql.swift.security.UncontrolledFormatStringQuery
+import codeql.swift.security.StringLengthConflationQuery
+import codeql.swift.security.ConstantPasswordQuery
+import codeql.swift.security.CleartextStorageDatabaseQuery
+import codeql.swift.security.CleartextTransmissionQuery
+import codeql.swift.security.CleartextLoggingQuery
+import codeql.swift.security.CleartextStoragePreferencesQuery
+import codeql.swift.security.HardcodedEncryptionKeyQuery
+import codeql.swift.security.ECBEncryptionQuery
+import codeql.swift.security.WeakSensitiveDataHashingQuery
+import codeql.swift.security.XXEQuery
+import codeql.swift.security.InsecureTLSQuery
+import codeql.swift.security.ConstantSaltQuery
+import codeql.swift.security.InsufficientHashIterationsQuery
+import codeql.swift.security.PredicateInjectionQuery
+import codeql.swift.security.StaticInitializationVectorQuery
+
+string queryForSink(DataFlow::Node sink) {
+  PathInjectionConfig::isSink(sink) and result = "swift/path-injection"
+  or
+  UnsafeWebViewFetchConfig::isSink(sink) and result = "swift/unsafe-webview-fetch"
+  or
+  SqlInjectionConfig::isSink(sink) and result = "swift/sql-injection"
+  or
+  UnsafeJsEvalConfig::isSink(sink) and result = "swift/unsafe-js-eval"
+  or
+  TaintedFormatConfig::isSink(sink) and result = "swift/uncontrolled-format-string"
+  or
+  StringLengthConflationConfig::isSink(sink) and result = "swift/string-length-conflation"
+  or
+  ConstantPasswordConfig::isSink(sink) and result = "swift/constant-password"
+  or
+  CleartextStorageDatabaseConfig::isSink(sink) and result = "swift/cleartext-storage-database"
+  or
+  CleartextTransmissionConfig::isSink(sink) and result = "swift/cleartext-transmission"
+  or
+  CleartextLoggingConfig::isSink(sink) and result = "swift/cleartext-logging"
+  or
+  CleartextStoragePreferencesConfig::isSink(sink) and result = "swift/cleartext-storage-preferences"
+  or
+  HardcodedKeyConfig::isSink(sink) and result = "swift/hardcoded-key"
+  or
+  EcbEncryptionConfig::isSink(sink) and result = "swift/ecb-encryption"
+  or
+  WeakHashingConfig::isSink(sink) and result = "swift/weak-sensitive-data-hashing"
+  or
+  XxeConfig::isSink(sink) and result = "swift/xxe"
+  or
+  InsecureTlsConfig::isSink(sink) and result = "swift/insecure-tls"
+  or
+  ConstantSaltConfig::isSink(sink) and result = "swift/constant-salt"
+  or
+  InsufficientHashIterationsConfig::isSink(sink) and result = "swift/insufficient-hash-iterations"
+  or
+  PredicateInjectionConfig::isSink(sink) and result = "swift/predicate-injection"
+  or
+  StaticInitializationVectorConfig::isSink(sink) and result = "swift/static-initialization-vector"
+}
+
+from DataFlow::Node n
+select n, "Sink for " + queryForSink(n)
