github · MathiasVP · Nov 5, 2022 · Oct 28, 2022 · Nov 1, 2022 · Nov 1, 2022
@@ -27,34 +27,34 @@ class Sink extends DataFlow::Node {
 
   Sink() {
     exists(
-      MethodDecl funcDecl, CallExpr call, string className, string funcName, string paramName,
-      int arg, int baseUrlArg
+      MethodDecl funcDecl, CallExpr call, string className, string funcName, int arg, int baseArg
     |
       // arguments to method calls...
       (
         // `loadHTMLString`
         className = ["UIWebView", "WKWebView"] and
         funcName = "loadHTMLString(_:baseURL:)" and
-        paramName = "string"
+        arg = 0 and
+        baseArg = 1
         or
         // `UIWebView.load`
         className = "UIWebView" and
         funcName = "load(_:mimeType:textEncodingName:baseURL:)" and
-        paramName = "data"
+        arg = 0 and
+        baseArg = 3
         or
         // `WKWebView.load`
         className = "WKWebView" and
         funcName = "load(_:mimeType:characterEncodingName:baseURL:)" and
-        paramName = "data"
+        arg = 0 and
+        baseArg = 3
       ) and
       call.getStaticTarget() = funcDecl and
       // match up `funcName`, `paramName`, `arg`, `node`.
       funcDecl.hasQualifiedName(className, funcName) and
-      funcDecl.getParam(pragma[only_bind_into](arg)).getName() = paramName and
-      call.getArgument(pragma[only_bind_into](arg)).getExpr() = this.asExpr() and
+      call.getArgument(arg).getExpr() = this.asExpr() and
       // match up `baseURLArg`
-      funcDecl.getParam(pragma[only_bind_into](baseUrlArg)).getName() = "baseURL" and
-      call.getArgument(pragma[only_bind_into](baseUrlArg)).getExpr() = baseUrl
+      call.getArgument(baseArg).getExpr() = baseUrl
     )
   }
 

@@ -94,37 +94,35 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
    * that sink. We actually want to report incorrect flow states.
    */
   predicate isSinkImpl(DataFlow::Node node, string flowstate) {
-    exists(
-      AbstractFunctionDecl funcDecl, CallExpr call, string funcName, string paramName, int arg
-    |
+    exists(AbstractFunctionDecl funcDecl, CallExpr call, string funcName, int arg |
       (
         // arguments to method calls...
         exists(string className, ClassOrStructDecl c |
           (
             // `NSRange.init`
             className = "NSRange" and
             funcName = "init(location:length:)" and
-            paramName = ["location", "length"]
+            arg = [0, 1]
             or
             // `NSString.character`
             className = ["NSString", "NSMutableString"] and
             funcName = "character(at:)" and
-            paramName = "at"
+            arg = 0
             or
             // `NSString.character`
             className = ["NSString", "NSMutableString"] and
             funcName = "substring(from:)" and
-            paramName = "from"
+            arg = 0
             or
             // `NSString.character`
             className = ["NSString", "NSMutableString"] and
             funcName = "substring(to:)" and
-            paramName = "to"
+            arg = 0
             or
             // `NSMutableString.insert`
             className = "NSMutableString" and
             funcName = "insert(_:at:)" and
-            paramName = "at"
+            arg = 1
           ) and
           c.getName() = className and
           c.getABaseTypeDecl*().(ClassOrStructDecl).getAMember() = funcDecl and
@@ -135,39 +133,38 @@ class StringLengthConflationConfiguration extends DataFlow::Configuration {
         // arguments to function calls...
         // `NSMakeRange`
         funcName = "NSMakeRange(_:_:)" and
-        paramName = ["loc", "len"] and
+        arg = [0, 1] and
         call.getStaticTarget() = funcDecl and
         flowstate = "NSString"
         or
         // arguments to method calls...
         (
           // `String.dropFirst`, `String.dropLast`, `String.removeFirst`, `String.removeLast`
           funcName = ["dropFirst(_:)", "dropLast(_:)", "removeFirst(_:)", "removeLast(_:)"] and
-          paramName = "k"
+          arg = 0
           or
           // `String.prefix`, `String.suffix`
           funcName = ["prefix(_:)", "suffix(_:)"] and
-          paramName = "maxLength"
+          arg = 0
           or
           // `String.Index.init`
           funcName = "init(encodedOffset:)" and
-          paramName = "offset"
+          arg = 0
           or
           // `String.index`
           funcName = ["index(_:offsetBy:)", "index(_:offsetBy:limitBy:)"] and
-          paramName = ["n", "distance"]
+          arg = [0, 1]
           or
           // `String.formIndex`
           funcName = ["formIndex(_:offsetBy:)", "formIndex(_:offsetBy:limitBy:)"] and
-          paramName = "distance"
+          arg = [0, 1]
         ) and
         call.getStaticTarget() = funcDecl and
         flowstate = "String"
       ) and
       // match up `funcName`, `paramName`, `arg`, `node`.
       funcDecl.getName() = funcName and
-      funcDecl.getParam(pragma[only_bind_into](arg)).getName() = paramName and
-      call.getArgument(pragma[only_bind_into](arg)).getExpr() = node.asExpr()
+      call.getArgument(arg).getExpr() = node.asExpr()
     )
   }