Merge pull request #20082 from d10c/d10c/diff-informed-phase-3-swift

d10c · web-flow · commit 766b0bf7734d · 2025-07-23T11:56:04.000+02:00
Swift: Diff-informed queries: phase 3 (non-trivial locations)
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -48,6 +48,17 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
     node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and
     c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() |
+      cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode()
+      or
+      not sink instanceof DataFlow::PostUpdateNode and
+      cleanSink = sink
+    )
+  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -30,6 +30,17 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() |
+      cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode()
+      or
+      not sink instanceof DataFlow::PostUpdateNode and
+      cleanSink = sink
+    )
+  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
@@ -21,6 +21,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // query selects some Swift nodes (e.g. "[post] self") that have location file://:0:0:0:0, which always fall outside the diff range.
+  }
 }
 
 module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll
@@ -28,6 +28,10 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // can't override location accurately because of secondary use in select.
+  }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {`
`21`	`21`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`22`	`22`	`any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`23`	`23`	`}`
	`24`	`+`
	`25`	`+ predicate observeDiffInformedIncrementalMode() {`
	`26`	`+ none() // query selects some Swift nodes (e.g. "[post] self") that have location file://:0:0:0:0, which always fall outside the diff range.`
	`27`	`+ }`
`24`	`28`	`}`
`25`	`29`
`26`	`30`	`module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,10 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig {`
`28`	`28`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`29`	`29`	`any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`30`	`30`	`}`
	`31`	`+`
	`32`	`+ predicate observeDiffInformedIncrementalMode() {`
	`33`	`+ none() // can't override location accurately because of secondary use in select.`
	`34`	`+ }`
`31`	`35`	`}`
`32`	`36`
`33`	`37`	`/**`