Swift: Add extendible sinks, sanitizers etc and use them.

Author: geoffw0

swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll

@@ -5,3 +5,62 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for constant password vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as a password.
+ */
+abstract class ConstantPasswordSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for constant password vulnerabilities.
+ */
+abstract class ConstantPasswordSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class ConstantPasswordAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to constant password vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A password sink for the CryptoSwift library.
+ */
+private class DefaultConstantPasswordSink extends ConstantPasswordSink {
+  DefaultConstantPasswordSink() {
+    // `password` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("password").getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A password sink for the RNCryptor library.
+ */
+private class RnCryptorPasswordSink extends ConstantPasswordSink {
+  RnCryptorPasswordSink() {
+    // RNCryptor (labelled arguments)
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() = this.asExpr()
+    )
+    or
+    // RNCryptor (unlabelled arguments)
+    exists(MethodDecl f, CallExpr call |
+      f.hasQualifiedName("RNCryptor", "keyForPassword(_:salt:settings:)") and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll

@@ -19,44 +19,20 @@ class ConstantPasswordSource extends Expr {
   }
 }
 
-/**
- * A class for all ways to use a constant password.
- */
-class ConstantPasswordSink extends Expr {
-  ConstantPasswordSink() {
-    // `password` arg in `init` is a sink
-    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
-      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
-      c.getAMember() = f and
-      call.getStaticTarget() = f and
-      call.getArgumentWithLabel("password").getExpr() = this
-    )
-    or
-    // RNCryptor (labelled arguments)
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
-      c.getAMember() = f and
-      call.getStaticTarget() = f and
-      call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() = this
-    )
-    or
-    // RNCryptor (unlabelled arguments)
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("RNCryptor", "keyForPassword(_:salt:settings:)") and
-      call.getStaticTarget() = f and
-      call.getArgument(0).getExpr() = this
-    )
-  }
-}
-
 /**
  * A taint configuration from the source of constants passwords to expressions that use
  * them to initialize password-based encryption keys.
  */
 module ConstantPasswordConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSource }
 
-  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSink }
+  predicate isSink(DataFlow::Node node) { node instanceof ConstantPasswordSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantPasswordSanitizer}
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(ConstantPasswordAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
 }
 
 module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -5,3 +5,55 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for constant salt vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as a salt.
+ */
+abstract class ConstantSaltSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for constant salt vulnerabilities.
+ */
+abstract class ConstantSaltSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class ConstantSaltAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to constant salt vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+
+/**
+ * A sink for the CryptoSwift library.
+ */
+private class CryptoSwiftSaltSink extends ConstantSaltSink {
+  CryptoSwiftSaltSink() {
+    // `salt` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("salt").getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A sink for the RNCryptor library.
+ */
+ private class RnCryptorSaltSink extends ConstantSaltSink {
+  RnCryptorSaltSink() {
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() = this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll

@@ -20,37 +20,20 @@ class ConstantSaltSource extends Expr {
   }
 }
 
-/**
- * A class for all ways to use a constant salt.
- */
-class ConstantSaltSink extends Expr {
-  ConstantSaltSink() {
-    // `salt` arg in `init` is a sink
-    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
-      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
-      c.getAMember() = f and
-      call.getStaticTarget() = f and
-      call.getArgumentWithLabel("salt").getExpr() = this
-    )
-    or
-    // RNCryptor
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
-      c.getAMember() = f and
-      call.getStaticTarget() = f and
-      call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() = this
-    )
-  }
-}
-
 /**
  * A taint configuration from the source of constants salts to expressions that use
  * them to initialize password-based encryption keys.
  */
 module ConstantSaltConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSource }
 
-  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSink }
+  predicate isSink(DataFlow::Node node) { node instanceof ConstantSaltSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantSaltSanitizer}
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(ConstantSaltAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
 }
 
 module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;

swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll

@@ -1,7 +1,60 @@
 /**
  * Provides classes and predicates for reasoning about encryption using the
- * ECB encrpytion mode.
+ * ECB encryption mode.
  */
 
 import swift
 import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for ECB encryption vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as the block mode
+ * of a cipher.
+ */
+abstract class EcbEncryptionSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for ECB encryption vulnerabilities.
+ */
+abstract class EcbEncryptionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class EcbEncryptionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to ECB encryption vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A block mode being used to form an `AES` cipher.
+ */
+private class AES extends EcbEncryptionSink {
+  AES() {
+    // `blockMode` arg in `AES.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A block mode being used to form a `Blowfish` cipher.
+ */
+private class Blowfish extends EcbEncryptionSink {
+  Blowfish() {
+    // `blockMode` arg in `Blowfish.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll

@@ -1,48 +1,13 @@
 /**
  * Provides a taint tracking configuration to find encryption using the
- * ECB encrpytion mode.
+ * ECB encryption mode.
  */
 
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.security.ECBEncryptionExtensions
 
-/**
- * An `Expr` that is used to initialize the block mode of a cipher.
- */
-abstract class BlockMode extends Expr { }
-
-/**
- * An `Expr` that is used to form an `AES` cipher.
- */
-class AES extends BlockMode {
-  AES() {
-    // `blockMode` arg in `AES.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
-      call.getArgument(1).getExpr() = this
-    )
-  }
-}
-
-/**
- * An `Expr` that is used to form a `Blowfish` cipher.
- */
-class Blowfish extends BlockMode {
-  Blowfish() {
-    // `blockMode` arg in `Blowfish.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
-      call.getArgument(1).getExpr() = this
-    )
-  }
-}
-
 /**
  * A taint configuration from the constructor of ECB mode to expressions that use
  * it to initialize a cipher.
@@ -55,7 +20,13 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate isSink(DataFlow::Node node) { node.asExpr() instanceof BlockMode }
+  predicate isSink(DataFlow::Node node) { node instanceof EcbEncryptionSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof EcbEncryptionSanitizer}
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(EcbEncryptionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
 }
 
 module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;