Swift: Special cases to get taint flow working.

geoffw0 · geoffw0 · commit 2690732c7554 · 2022-08-25T22:15:19.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -82,6 +82,22 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // TODO: the following special case flows are required to catch any of the Realm test
+    // cases, I hope we'll be able to remove them once we have field flow???
+    // flow out from field accesses, i.e. `a.b` -> `a`
+    exists(MemberRefExpr m |
+      node1.asExpr() = m and // `a.b`
+      node2.asExpr() = m.getBaseExpr() // `a`
+    )
+    or
+    // flow through assignment (!)
+    exists(AssignExpr ae |
+      node1.asExpr() = ae.getSource() and
+      node2.asExpr() = ae.getDest()
+    )
+  }
 }
 
 from CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -18,6 +18,8 @@ edges
 | testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | WriteDef :  |
 | testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | data :  |
 | testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:100:7:100:14 | data: &... :  |
+| testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:35:12:35:12 | a |
+| testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:43:47:43:47 | c |
 nodes
 | testCoreData.swift:37:14:37:22 | WriteDef :  | semmle.label | WriteDef :  |
 | testCoreData.swift:37:14:37:22 | WriteDef :  | semmle.label | data :  |
@@ -49,6 +51,10 @@ nodes
 | testCoreData.swift:100:13:100:14 | &... :  | semmle.label | &... :  |
 | testCoreData.swift:103:15:103:15 | x | semmle.label | x |
 | testCoreData.swift:104:15:104:15 | y | semmle.label | y |
+| testRealm.swift:34:11:34:11 | myPassword :  | semmle.label | myPassword :  |
+| testRealm.swift:35:12:35:12 | a | semmle.label | a |
+| testRealm.swift:42:11:42:11 | myPassword :  | semmle.label | myPassword :  |
+| testRealm.swift:43:47:43:47 | c | semmle.label | c |
 subpaths
 | testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | WriteDef :  | testCoreData.swift:37:49:37:49 | data :  | testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  |
 | testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | data :  | testCoreData.swift:37:49:37:49 | data :  | testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  |
@@ -66,3 +72,5 @@ subpaths
 | testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd :  | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:93:10:93:10 | passwd :  | passwd |
 | testCoreData.swift:103:15:103:15 | x | testCoreData.swift:91:10:91:10 | passwd :  | testCoreData.swift:103:15:103:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:91:10:91:10 | passwd :  | passwd |
 | testCoreData.swift:104:15:104:15 | y | testCoreData.swift:92:10:92:10 | passwd :  | testCoreData.swift:104:15:104:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:92:10:92:10 | passwd :  | passwd |
+| testRealm.swift:35:12:35:12 | a | testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:35:12:35:12 | a | This operation stores 'a' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:34:11:34:11 | myPassword :  | myPassword |
+| testRealm.swift:43:47:43:47 | c | testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:43:47:43:47 | c | This operation stores 'c' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:42:11:42:11 | myPassword :  | myPassword |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift b/swift/ql/test/query-tests/Security/CWE-311/testRealm.swift
@@ -49,7 +49,7 @@ func test1(realm : Realm, myPassword : String, myHashedPassword : String) {
 	// retrieve objects ...
 
 	var e = realm.object(ofType: MyRealmSwiftObject.self, forPrimaryKey: "key")
-	e!.data = myPassword // BAD
+	e!.data = myPassword // BAD [NOT DETECTED]
 
 	var f = realm.object(ofType: MyRealmSwiftObject.self, forPrimaryKey: "key")
 	f!.data = myHashedPassword // GOOD (not sensitive)
