Swift: Rewrite UncontrolledFormatString to use DataFlow::ConfigSig

jketema · jketema · commit db641e508aae · 2023-04-04T09:10:21.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.UncontrolledFormatStringExtensions
 /**
  * A taint configuration for tainted data that reaches a format string.
  */
-class TaintedFormatConfiguration extends TaintTracking::Configuration {
+deprecated class TaintedFormatConfiguration extends TaintTracking::Configuration {
   TaintedFormatConfiguration() { this = "TaintedFormatConfiguration" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -28,3 +28,25 @@ class TaintedFormatConfiguration extends TaintTracking::Configuration {
     any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
+
+/**
+ * A taint configuration for tainted data that reaches a format string.
+ */
+module TaintedFormatConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof UncontrolledFormatStringSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof UncontrolledFormatStringSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of tainted data that reaches a format string.
+ */
+module TaintedFormatFlow = TaintTracking::Global<TaintedFormatConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql b/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
@@ -13,9 +13,9 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.UncontrolledFormatStringQuery
-import DataFlow::PathGraph
+import TaintedFormatFlow::PathGraph
 
-from TaintedFormatConfiguration config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+from TaintedFormatFlow::PathNode sourceNode, TaintedFormatFlow::PathNode sinkNode
+where TaintedFormatFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode, "This format string depends on $@.",
   sourceNode.getNode(), "this user-provided value"
