Swift: Core Data support.

geoffw0 · geoffw0 · commit 3126fb930d9c · 2022-08-25T22:15:18.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -11,7 +11,51 @@
  */
 
 import swift
+import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-select "TODO"
+abstract class Stored extends Expr { }
+
+class CoreDataStore extends Stored {
+  CoreDataStore() {
+    // `content` arg to `NWConnection.send` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "NSManagedObject" and
+      c.getAMember() = f and
+      f.getName() = ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"] and
+      call.getFunction().(ApplyExpr).getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(SensitiveExpr e |
+      node.asExpr() = e and
+      not e.isProbablySafe()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Stored }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+}
+
+from CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This operation stores '" + sinkNode.getNode().toString() +
+    "' in a database. It may contain unencrypted sensitive data from $@", sourceNode,
+  sourceNode.getNode().toString()
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -1,5 +1,68 @@
 edges
+| testCoreData.swift:37:14:37:22 | WriteDef :  | testCoreData.swift:37:49:37:49 | data :  |
+| testCoreData.swift:37:14:37:22 | data :  | testCoreData.swift:37:49:37:49 | data :  |
+| testCoreData.swift:38:11:38:23 | WriteDef :  | testCoreData.swift:38:1:38:33 | data[return] :  |
+| testCoreData.swift:38:11:38:23 | data :  | testCoreData.swift:38:1:38:33 | data[return] :  |
+| testCoreData.swift:77:24:77:24 | x :  | testCoreData.swift:78:15:78:15 | x |
+| testCoreData.swift:80:10:80:22 | call to getPassword() :  | testCoreData.swift:81:15:81:15 | y |
+| testCoreData.swift:91:10:91:10 | passwd :  | testCoreData.swift:95:15:95:15 | x |
+| testCoreData.swift:91:10:91:10 | passwd :  | testCoreData.swift:99:14:99:14 | x :  |
+| testCoreData.swift:92:10:92:10 | passwd :  | testCoreData.swift:96:15:96:15 | y |
+| testCoreData.swift:92:10:92:10 | passwd :  | testCoreData.swift:100:13:100:14 | &... :  |
+| testCoreData.swift:93:10:93:10 | passwd :  | testCoreData.swift:97:15:97:15 | z |
+| testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  | testCoreData.swift:103:15:103:15 | x |
+| testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | WriteDef :  |
+| testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | data :  |
+| testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  |
+| testCoreData.swift:100:7:100:14 | data: &... :  | testCoreData.swift:104:15:104:15 | y |
+| testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | WriteDef :  |
+| testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | data :  |
+| testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:100:7:100:14 | data: &... :  |
 nodes
+| testCoreData.swift:37:14:37:22 | WriteDef :  | semmle.label | WriteDef :  |
+| testCoreData.swift:37:14:37:22 | WriteDef :  | semmle.label | data :  |
+| testCoreData.swift:37:14:37:22 | data :  | semmle.label | WriteDef :  |
+| testCoreData.swift:37:14:37:22 | data :  | semmle.label | data :  |
+| testCoreData.swift:37:49:37:49 | data :  | semmle.label | data :  |
+| testCoreData.swift:38:1:38:33 | data[return] :  | semmle.label | data[return] :  |
+| testCoreData.swift:38:11:38:23 | WriteDef :  | semmle.label | WriteDef :  |
+| testCoreData.swift:38:11:38:23 | WriteDef :  | semmle.label | data :  |
+| testCoreData.swift:38:11:38:23 | data :  | semmle.label | WriteDef :  |
+| testCoreData.swift:38:11:38:23 | data :  | semmle.label | data :  |
+| testCoreData.swift:48:15:48:15 | password | semmle.label | password |
+| testCoreData.swift:51:24:51:24 | password | semmle.label | password |
+| testCoreData.swift:58:15:58:15 | password | semmle.label | password |
+| testCoreData.swift:77:24:77:24 | x :  | semmle.label | x :  |
+| testCoreData.swift:78:15:78:15 | x | semmle.label | x |
+| testCoreData.swift:80:10:80:22 | call to getPassword() :  | semmle.label | call to getPassword() :  |
+| testCoreData.swift:81:15:81:15 | y | semmle.label | y |
+| testCoreData.swift:85:15:85:17 | .password | semmle.label | .password |
+| testCoreData.swift:91:10:91:10 | passwd :  | semmle.label | passwd :  |
+| testCoreData.swift:92:10:92:10 | passwd :  | semmle.label | passwd :  |
+| testCoreData.swift:93:10:93:10 | passwd :  | semmle.label | passwd :  |
+| testCoreData.swift:95:15:95:15 | x | semmle.label | x |
+| testCoreData.swift:96:15:96:15 | y | semmle.label | y |
+| testCoreData.swift:97:15:97:15 | z | semmle.label | z |
+| testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  | semmle.label | call to encrypt(_:) :  |
+| testCoreData.swift:99:14:99:14 | x :  | semmle.label | x :  |
+| testCoreData.swift:100:7:100:14 | data: &... :  | semmle.label | data: &... :  |
+| testCoreData.swift:100:13:100:14 | &... :  | semmle.label | &... :  |
+| testCoreData.swift:103:15:103:15 | x | semmle.label | x |
+| testCoreData.swift:104:15:104:15 | y | semmle.label | y |
 subpaths
+| testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | WriteDef :  | testCoreData.swift:37:49:37:49 | data :  | testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  |
+| testCoreData.swift:99:14:99:14 | x :  | testCoreData.swift:37:14:37:22 | data :  | testCoreData.swift:37:49:37:49 | data :  | testCoreData.swift:99:6:99:15 | call to encrypt(_:) :  |
+| testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | WriteDef :  | testCoreData.swift:38:1:38:33 | data[return] :  | testCoreData.swift:100:7:100:14 | data: &... :  |
+| testCoreData.swift:100:13:100:14 | &... :  | testCoreData.swift:38:11:38:23 | data :  | testCoreData.swift:38:1:38:33 | data[return] :  | testCoreData.swift:100:7:100:14 | data: &... :  |
 #select
-| TODO |
+| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:48:15:48:15 | password | password |
+| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:51:24:51:24 | password | password |
+| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:58:15:58:15 | password | password |
+| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x :  | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:77:24:77:24 | x :  | x |
+| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() :  | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:80:10:80:22 | call to getPassword() :  | call to getPassword() |
+| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:85:15:85:17 | .password | .password |
+| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd :  | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:91:10:91:10 | passwd :  | passwd |
+| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd :  | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:92:10:92:10 | passwd :  | passwd |
+| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd :  | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:93:10:93:10 | passwd :  | passwd |
+| testCoreData.swift:103:15:103:15 | x | testCoreData.swift:91:10:91:10 | passwd :  | testCoreData.swift:103:15:103:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:91:10:91:10 | passwd :  | passwd |
+| testCoreData.swift:104:15:104:15 | y | testCoreData.swift:92:10:92:10 | passwd :  | testCoreData.swift:104:15:104:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:92:10:92:10 | passwd :  | passwd |
