Merge pull request #11035 from geoffw0/simplify2

geoffw0 · web-flow · commit c161bb5e95d0 · 2022-10-31T09:50:55.000Z
Swift: Simplify some more QL
diff --git a/swift/ql/src/queries/Security/CWE-089/SqlInjection.ql b/swift/ql/src/queries/Security/CWE-089/SqlInjection.ql
@@ -27,15 +27,14 @@ abstract class SqlSink extends DataFlow::Node { }
 class CApiSqlSink extends SqlSink {
   CApiSqlSink() {
     // `sqlite3_exec` and variants of `sqlite3_prepare`.
-    exists(AbstractFunctionDecl f, CallExpr call |
-      f.getName() =
+    exists(CallExpr call |
+      call.getStaticTarget().getName() =
         [
           "sqlite3_exec(_:_:_:_:_:)", "sqlite3_prepare(_:_:_:_:_:)",
           "sqlite3_prepare_v2(_:_:_:_:_:)", "sqlite3_prepare_v3(_:_:_:_:_:_:)",
           "sqlite3_prepare16(_:_:_:_:_:)", "sqlite3_prepare16_v2(_:_:_:_:_:)",
           "sqlite3_prepare16_v3(_:_:_:_:_:_:)"
         ] and
-      call.getStaticTarget() = f and
       call.getArgument(1).getExpr() = this.asExpr()
     )
   }
@@ -47,16 +46,17 @@ class CApiSqlSink extends SqlSink {
 class SQLiteSwiftSqlSink extends SqlSink {
   SQLiteSwiftSqlSink() {
     // Variants of `Connection.execute`, `connection.prepare` and `connection.scalar`.
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("Connection", ["execute(_:)", "prepare(_:_:)", "run(_:_:)", "scalar(_:_:)"]) and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("Connection",
+            ["execute(_:)", "prepare(_:_:)", "run(_:_:)", "scalar(_:_:)"]) and
       call.getArgument(0).getExpr() = this.asExpr()
     )
     or
     // String argument to the `Statement` constructor.
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("Statement", "init(_:_:)") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("Statement", "init(_:_:)") and
       call.getArgument(1).getExpr() = this.asExpr()
     )
   }
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -27,10 +27,12 @@ abstract class Stored extends DataFlow::Node { }
  */
 class CoreDataStore extends Stored {
   CoreDataStore() {
-    // `content` arg to `NWConnection.send` is a sink
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("NSManagedObject", ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"]) and
-      call.getStaticTarget() = f and
+    // values written into Core Data objects are a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSManagedObject",
+            ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"]) and
       call.getArgument(0).getExpr() = this.asExpr()
     )
   }
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql b/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
@@ -28,9 +28,10 @@ abstract class Transmitted extends Expr { }
 class NWConnectionSend extends Transmitted {
   NWConnectionSend() {
     // `content` arg to `NWConnection.send` is a sink
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("NWConnection", "send(content:contentContext:isComplete:completion:)") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NWConnection", "send(content:contentContext:isComplete:completion:)") and
       call.getArgument(0).getExpr() = this
     )
   }
@@ -44,9 +45,10 @@ class Url extends Transmitted {
   Url() {
     // `string` arg in `URL.init` is a sink
     // (we assume here that the URL goes on to be used in a network operation)
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
       call.getArgument(0).getExpr() = this
     )
   }
diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql b/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
@@ -26,9 +26,8 @@ abstract class Stored extends DataFlow::Node {
 /** The `DataFlow::Node` of an expression that gets written to the user defaults database */
 class UserDefaultsStore extends Stored {
   UserDefaultsStore() {
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("UserDefaults", "set(_:forKey:)") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("UserDefaults", "set(_:forKey:)") and
       call.getArgument(0).getExpr() = this.asExpr()
     )
   }
@@ -39,9 +38,10 @@ class UserDefaultsStore extends Stored {
 /** The `DataFlow::Node` of an expression that gets written to the iCloud-backed NSUbiquitousKeyValueStore */
 class NSUbiquitousKeyValueStore extends Stored {
   NSUbiquitousKeyValueStore() {
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("NSUbiquitousKeyValueStore", "set(_:forKey:)") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("NSUbiquitousKeyValueStore", "set(_:forKey:)") and
       call.getArgument(0).getExpr() = this.asExpr()
     )
   }
diff --git a/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql b/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
@@ -37,12 +37,13 @@ class StringLiteralSource extends KeySource instanceof StringLiteralExpr { }
 class EncryptionKeySink extends Expr {
   EncryptionKeySink() {
     // `key` arg in `init` is a sink
-    exists(MethodDecl f, CallExpr call, string fName |
-      f.hasQualifiedName([
-          "AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"
-        ], fName) and
+    exists(CallExpr call, string fName |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName([
+              "AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"
+            ], fName) and
       fName.matches("init(key:%") and
-      call.getStaticTarget() = f and
       call.getArgument(0).getExpr() = this
     )
   }
diff --git a/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql b/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql
@@ -26,23 +26,18 @@ class InsecureTlsConfig extends TaintTracking::Configuration {
    * Holds for enum values that represent an insecure version of TLS
    */
   override predicate isSource(DataFlow::Node node) {
-    exists(MethodRefExpr expr, EnumElementDecl enum, string enumName |
-      node.asExpr() = expr and
-      expr.getMember() = enum and
-      enumName = enum.getName() and
-      enumName in ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
-    )
+    node.asExpr().(MethodRefExpr).getMember().(EnumElementDecl).getName() =
+      ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
   }
 
   /**
    * Holds for assignment of TLS-related properties of `NSURLSessionConfiguration`
    */
   override predicate isSink(DataFlow::Node node) {
-    exists(AssignExpr assign, MemberRefExpr member, string memberName |
+    exists(AssignExpr assign |
       assign.getSource() = node.asExpr() and
-      assign.getDest() = member and
-      memberName = member.getMember().(ConcreteVarDecl).getName() and
-      memberName in [
+      assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
+        [
           "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
           "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
         ]
diff --git a/swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.ql b/swift/ql/src/queries/Security/ECB-Encryption/ECBEncryption.ql
@@ -26,9 +26,10 @@ abstract class BlockMode extends Expr { }
 class AES extends BlockMode {
   AES() {
     // `blockMode` arg in `AES.init` is a sink
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
       call.getArgument(1).getExpr() = this
     )
   }
@@ -40,9 +41,10 @@ class AES extends BlockMode {
 class Blowfish extends BlockMode {
   Blowfish() {
     // `blockMode` arg in `Blowfish.init` is a sink
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
       call.getArgument(1).getExpr() = this
     )
   }
@@ -56,9 +58,8 @@ class EcbEncryptionConfig extends DataFlow::Configuration {
   EcbEncryptionConfig() { this = "EcbEncryptionConfig" }
 
   override predicate isSource(DataFlow::Node node) {
-    exists(MethodDecl f, CallExpr call |
-      f.hasQualifiedName("ECB", "init()") and
-      call.getStaticTarget() = f and
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("ECB", "init()") and
       node.asExpr() = call
     )
   }
