Swift: Rewrite CleartextStoragePreferences to use DataFlow::ConfigSig

jketema · jketema · commit e8bfb87f67f2 · 2023-04-04T09:10:21.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.CleartextStoragePreferencesExtensions
  * A taint configuration from sensitive information to expressions that are
  * stored as preferences.
  */
-class CleartextStorageConfig extends TaintTracking::Configuration {
+deprecated class CleartextStorageConfig extends TaintTracking::Configuration {
   CleartextStorageConfig() { this = "CleartextStorageConfig" }
 
   override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
@@ -33,3 +33,32 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     this.isSource(node)
   }
 }
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored as preferences.
+ */
+module CleartextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node node) { node instanceof CleartextStoragePreferencesSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextStoragePreferencesSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(CleartextStoragePreferencesAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+}
+
+/**
+ * Detect taint flow of sensitive information to expressions that are stored
+ * as preferences.
+ */
+module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql b/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
@@ -13,7 +13,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.CleartextStoragePreferencesQuery
-import DataFlow::PathGraph
+import CleartextStorageFlow::PathGraph
 
 /**
  * Gets a prettier node to use in the results.
@@ -26,10 +26,10 @@ DataFlow::Node cleanupNode(DataFlow::Node n) {
 }
 
 from
-  CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode,
+  CleartextStorageFlow::PathNode sourceNode, CleartextStorageFlow::PathNode sinkNode,
   DataFlow::Node cleanSink
 where
-  config.hasFlowPath(sourceNode, sinkNode) and
+  CleartextStorageFlow::flowPath(sourceNode, sinkNode) and
   cleanSink = cleanupNode(sinkNode.getNode())
 select cleanSink, sourceNode, sinkNode,
   "This operation stores '" + cleanSink.toString() + "' in " +
