Swift: Fix locationless results.

geoffw0 · geoffw0 · commit dc47771937cb · 2022-09-14T20:43:24.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -46,10 +46,11 @@ class RealmStore extends Stored {
     // any write into a class derived from `RealmSwiftObject` is a sink. For
     // example in `realmObj.data = sensitive` the post-update node corresponding
     // with `realmObj.data` is a sink.
-    exists(ClassDecl cd |
+    exists(ClassDecl cd, Expr e |
       cd.getABaseTypeDecl*().getName() = "RealmSwiftObject" and
-      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getFullyConverted().getType() =
-        cd.getType()
+      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = cd.getType() and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
     )
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -1,6 +1,4 @@
 edges
-| file://:0:0:0:0 | [post] self [data] :  | file://:0:0:0:0 | [post] self |
-| file://:0:0:0:0 | [post] self [data] :  | file://:0:0:0:0 | [post] self :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [data] :  |
 | testCoreData.swift:18:19:18:26 | value :  | testCoreData.swift:19:12:19:12 | value |
 | testCoreData.swift:31:3:31:3 | newValue :  | testCoreData.swift:32:13:32:13 | newValue |
@@ -14,23 +12,17 @@ edges
 | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | value :  |
 | testRealm.swift:34:2:34:2 | [post] a [data] :  | testRealm.swift:34:2:34:2 | [post] a |
 | testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  |
-| testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:34:2:34:2 | [post] a |
 | testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:34:2:34:2 | [post] a [data] :  |
 | testRealm.swift:42:2:42:2 | [post] c [data] :  | testRealm.swift:42:2:42:2 | [post] c |
 | testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  |
-| testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:42:2:42:2 | [post] c |
 | testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:42:2:42:2 | [post] c [data] :  |
 | testRealm.swift:52:2:52:3 | [post] ...! [data] :  | testRealm.swift:52:2:52:3 | [post] ...! |
 | testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:16:6:16:6 | value :  |
-| testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:52:2:52:3 | [post] ...! |
 | testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:52:2:52:3 | [post] ...! [data] :  |
 | testRealm.swift:59:2:59:2 | [post] g [data] :  | testRealm.swift:59:2:59:2 | [post] g |
 | testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  |
-| testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:59:2:59:2 | [post] g |
 | testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:59:2:59:2 | [post] g [data] :  |
 nodes
-| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
-| file://:0:0:0:0 | [post] self :  | semmle.label | [post] self :  |
 | file://:0:0:0:0 | [post] self [data] :  | semmle.label | [post] self [data] :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
 | testCoreData.swift:18:19:18:26 | value :  | semmle.label | value :  |
@@ -67,19 +59,11 @@ nodes
 | testRealm.swift:59:2:59:2 | [post] g [data] :  | semmle.label | [post] g [data] :  |
 | testRealm.swift:59:11:59:11 | myPassword :  | semmle.label | myPassword :  |
 subpaths
-| testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self :  | testRealm.swift:34:2:34:2 | [post] a |
 | testRealm.swift:34:11:34:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:34:2:34:2 | [post] a [data] :  |
-| testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self :  | testRealm.swift:42:2:42:2 | [post] c |
 | testRealm.swift:42:11:42:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:42:2:42:2 | [post] c [data] :  |
-| testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self :  | testRealm.swift:52:2:52:3 | [post] ...! |
 | testRealm.swift:52:12:52:12 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:52:2:52:3 | [post] ...! [data] :  |
-| testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self :  | testRealm.swift:59:2:59:2 | [post] g |
 | testRealm.swift:59:11:59:11 | myPassword :  | testRealm.swift:16:6:16:6 | value :  | file://:0:0:0:0 | [post] self [data] :  | testRealm.swift:59:2:59:2 | [post] g [data] :  |
 #select
-| file://:0:0:0:0 | self | testRealm.swift:34:11:34:11 | myPassword :  | file://:0:0:0:0 | [post] self | This operation stores '[post] self' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:34:11:34:11 | myPassword :  | myPassword |
-| file://:0:0:0:0 | self | testRealm.swift:42:11:42:11 | myPassword :  | file://:0:0:0:0 | [post] self | This operation stores '[post] self' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:42:11:42:11 | myPassword :  | myPassword |
-| file://:0:0:0:0 | self | testRealm.swift:52:12:52:12 | myPassword :  | file://:0:0:0:0 | [post] self | This operation stores '[post] self' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:52:12:52:12 | myPassword :  | myPassword |
-| file://:0:0:0:0 | self | testRealm.swift:59:11:59:11 | myPassword :  | file://:0:0:0:0 | [post] self | This operation stores '[post] self' in a database. It may contain unencrypted sensitive data from $@ | testRealm.swift:59:11:59:11 | myPassword :  | myPassword |
 | testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password :  | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:61:25:61:25 | password :  | password |
 | testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password :  | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:64:16:64:16 | password :  | password |
 | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@ | testCoreData.swift:48:15:48:15 | password | password |

Original file line number	Diff line number	Diff line change
`@@ -46,10 +46,11 @@ class RealmStore extends Stored {`
`46`	`46`	// any write into a class derived from `RealmSwiftObject` is a sink. For
`47`	`47`	// example in `realmObj.data = sensitive` the post-update node corresponding
`48`	`48`	// with `realmObj.data` is a sink.
`49`		`- exists(ClassDecl cd \|`
	`49`	`+ exists(ClassDecl cd, Expr e \|`
`50`	`50`	`cd.getABaseTypeDecl*().getName() = "RealmSwiftObject" and`
`51`		`- this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getFullyConverted().getType() =`
`52`		`- cd.getType()`
	`51`	`+ this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and`
	`52`	`+ e.getFullyConverted().getType() = cd.getType() and`
	`53`	`+ not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl`
`53`	`54`	`)`
`54`	`55`	`}`
`55`	`56`	`}`