Swift: CleartextTransmission query.

Author: geoffw0

swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql

@@ -11,7 +11,70 @@
  */
 
 import swift
+import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-select "TODO"
+/**
+ * An `Expr` that is transmitted over a network.
+ */
+abstract class Transmitted extends Expr { }
+
+/**
+ * An `Expr` that is transmitted with `NWConnection.send`.
+ */
+class NWConnectionSend extends Transmitted {
+  NWConnectionSend() {
+    // `content` arg to `NWConnection.send` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "NWConnection" and
+      c.getAMember() = f and
+      f.getName() = "send(content:contentContext:isComplete:completion:)" and
+      call.getFunction().(ApplyExpr).getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that is used to form a `URL`. Such expressions are very likely to
+ * be transmitted over a network, because that's what URLs are for.
+ */
+class URL extends Transmitted {
+  URL() {
+    // `string` arg in `URL.init` is a sink
+    // (we assume here that the URL goes on to be used in a network operation)
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "URL" and
+      c.getAMember() = f and
+      f.getName() = ["init(string:)", "init(string:relativeTo:)"] and
+      call.getFunction().(ApplyExpr).getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextTransmissionConfig extends TaintTracking::Configuration {
+  CleartextTransmissionConfig() { this = "CleartextTransmissionConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(SensitiveExpr e |
+      node.asExpr() = e and
+      not e.isProbablySafe()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }
+}
+
+from CleartextTransmissionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This operation transmits '" + sinkNode.getNode().toString() +
+    "', which may contain unencrypted sensitive data from $@", sourceNode,
+  sourceNode.getNode().toString()

swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected

@@ -1,5 +1,18 @@
 edges
+| testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... call to +(_:_:) ... |
+| testURL.swift:13:54:13:54 | passwd :  | testURL.swift:20:22:20:22 | passwd |
+| testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... call to +(_:_:) ... |
 nodes
+| testSend.swift:29:19:29:19 | passwordPlain | semmle.label | passwordPlain |
+| testURL.swift:13:22:13:54 | ... call to +(_:_:) ... | semmle.label | ... call to +(_:_:) ... |
+| testURL.swift:13:54:13:54 | passwd :  | semmle.label | passwd :  |
+| testURL.swift:16:22:16:55 | ... call to +(_:_:) ... | semmle.label | ... call to +(_:_:) ... |
+| testURL.swift:16:55:16:55 | credit_card_no :  | semmle.label | credit_card_no :  |
+| testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
 subpaths
 #select
-| TODO |
+| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@ | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
+| testURL.swift:13:22:13:54 | ... call to +(_:_:) ... | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... call to +(_:_:) ... | This operation transmits '... call to +(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
+| testURL.swift:16:22:16:55 | ... call to +(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... call to +(_:_:) ... | This operation transmits '... call to +(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:16:55:16:55 | credit_card_no :  | credit_card_no |
+| testURL.swift:20:22:20:22 | passwd | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
+| testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:20:22:20:22 | passwd | passwd |

swift/ql/test/query-tests/Security/CWE-311/testSend.swift

@@ -34,6 +34,6 @@ func test1(passwordPlain : String, passwordHash : String) {
 	let data3 = Data(passwordHash)
 
 	nw.send(content: data1, completion: .idempotent) // GOOD (not sensitive)
-	nw.send(content: data2, completion: .idempotent) // BAD
+	nw.send(content: data2, completion: .idempotent) // BAD [NOT DETECTED]
 	nw.send(content: data3, completion: .idempotent) // GOOD (not sensitive)
 }

swift/ql/test/query-tests/Security/CWE-311/testURL.swift

@@ -12,11 +12,11 @@ class URL
 func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
 	let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
 	let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
-	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD
+	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD [NOT DETECTED]
 	let d = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD
 
 	let base = URL(string: "http://example.com/"); // GOOD (not sensitive)
 	let e = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
 	let f = URL(string: passwd, relativeTo: base); // BAD
-	let g = URL(string: "abc", relativeTo: f); // BAD
+	let g = URL(string: "abc", relativeTo: f); // BAD [NOT DETECTED]
 }