Add cleartext storage database sinks

Author: atorralba

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql

@@ -56,6 +56,61 @@ class RealmStore extends Stored instanceof DataFlow::PostUpdateNode {
   }
 }
 
+/**
+ * A `DataFlow::Node` that is an expression stored with the GRDB library.
+ */
+class GrdbStore extends Stored {
+  GrdbStore() {
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgumentWithLabel("arguments").getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName("Database",
+            ["allStatements(sql:arguments:)", "execute(sql:arguments:)",])
+      or
+      method.hasQualifiedName("SQLRequest", "init(sql:arguments:adapter:cached:)")
+      or
+      method.hasQualifiedName("SQL", ["init(sql:arguments:)", "append(sql:arguments:)"])
+      or
+      method.hasQualifiedName("SQLStatementCursor", "init(database:sql:arguments:prepFlags:)")
+      or
+      method
+          .hasQualifiedName("TableRecord",
+            [
+              "select(sql:arguments:)", "select(sql:arguments:as:)", "filter(sql:arguments:)",
+              "order(sql:arguments:)"
+            ])
+      or
+      method
+          .hasQualifiedName(["Row", "DatabaseValueConvertible", "FetchableRecord"],
+            [
+              "fetchCursor(_:sql:arguments:adapter:)", "fetchAll(_:sql:arguments:adapter:)",
+              "fetchSet(_:sql:arguments:adapter:)", "fetchOne(_:sql:arguments:adapter:)"
+            ])
+      or
+      method
+          .hasQualifiedName("FetchableRecord",
+            [
+              "fetchCursor(_:arguments:adapter:)", "fetchAll(_:arguments:adapter:)",
+              "fetchSet(_:arguments:adapter:)", "fetchOne(_:arguments:adapter:)",
+            ])
+      or
+      method.hasQualifiedName("Statement", ["execute(arguments:)"])
+      or
+      method
+          .hasQualifiedName("CommonTableExpression", "init(recursive:named:columns:sql:arguments:)")
+    )
+    or
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(0).getExpr() = this.asExpr()
+    |
+      method.hasQualifiedName("Statement", "setArguments(_:)")
+    )
+  }
+}
+
 /**
  * A taint configuration from sensitive information to expressions that are
  * transmitted over a network.
@@ -77,6 +132,14 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     node.asExpr() instanceof EncryptedExpr
   }
 
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Needed until we have proper content flow through arrays
+    exists(ArrayExpr arr |
+      node1.asExpr() = arr.getAnElement() and
+      node2.asExpr() = arr
+    )
+  }
+
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
     // flow out from fields of a `RealmSwiftObject` at the sink, for example in
     // `realmObj.data = sensitive`.