Swift: Fix duplicate results.

geoffw0 · geoffw0 · commit 456ab980a5f5 · 2022-08-25T22:15:17.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql b/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
@@ -70,6 +70,11 @@ class CleartextTransmissionConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
 }
 
 from CleartextTransmissionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -1,6 +1,5 @@
 edges
 | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... call to +(_:_:) ... |
-| testURL.swift:13:54:13:54 | passwd :  | testURL.swift:20:22:20:22 | passwd |
 | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... call to +(_:_:) ... |
 nodes
 | testSend.swift:29:19:29:19 | passwordPlain | semmle.label | passwordPlain |
@@ -14,5 +13,4 @@ subpaths
 | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@ | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
 | testURL.swift:13:22:13:54 | ... call to +(_:_:) ... | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... call to +(_:_:) ... | This operation transmits '... call to +(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
 | testURL.swift:16:22:16:55 | ... call to +(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... call to +(_:_:) ... | This operation transmits '... call to +(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:16:55:16:55 | credit_card_no :  | credit_card_no |
-| testURL.swift:20:22:20:22 | passwd | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
 | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:20:22:20:22 | passwd | passwd |

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,11 @@ class CleartextTransmissionConfig extends TaintTracking::Configuration {`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }`
	`73`	`+`
	`74`	`+ override predicate isSanitizerIn(DataFlow::Node node) {`
	`75`	`+ // make sources barriers so that we only report the closest instance`
	`76`	`+ isSource(node)`
	`77`	`+ }`
`73`	`78`	`}`
`74`	`79`
`75`	`80`	`from CleartextTransmissionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode`