
Commit 2141408

committed
Swift: Test renaming and layout changes.
1 parent 15d5ad7 commit 2141408


3 files changed

+182
-141
lines changed


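--- a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
+++ b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -2,6 +2,7 @@
 
 struct URL {
 init?(string: String) {}
+
 }
 
 class NSURL {
@@ -176,6 +177,31 @@ class SerializedDatabase {
 init(path: String, configuration: Configuration = Configuration(), defaultLabel: String, purpose: String? = nil) {}
 }
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 // --- tests ---
 
 func test() {
@@ -185,100 +211,115 @@ func test() {
 let safeUrl = URL(string: "")!
 let safeNsUrl = NSURL(string: "")!
 
-Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=182
+Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=208
 
 let nsData = NSData()
-let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=182
-nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=182
-let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=182
-nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=182
+let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=208
+nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=208
+let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=208
+nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=208
 
 let fm = FileManager()
-let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=182
-let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=182
-let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=182
-fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=182
-let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=182
-let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=182
-fm.removeItem(at: remoteUrl) // $ hasPathInjection=182
-fm.removeItem(atPath: remoteString) // $ hasPathInjection=182
-fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
-let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
-let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
-fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
-fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
-fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
-fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
-fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
-fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
-fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
-fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
-fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
-fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
-fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=182
-fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=182
-fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=182
-fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=182
-fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
-fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
-fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
-fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
-let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=182
-fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=182
-let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=182
-let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=182
-let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=182
-let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=182
+let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=208
+let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=208
+let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=208
+fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=208
+let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=208
+let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=208
+fm.removeItem(at: remoteUrl) // $ hasPathInjection=208
+fm.removeItem(atPath: remoteString) // $ hasPathInjection=208
+fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=208
+let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=208
+let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=208
+fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=208
+fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=208
+fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=208
+fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=208
+fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=208
+fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=208
+fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=208
+fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=208
+fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=208
+fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=208
+fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=208
+fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=208
+fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=208
+fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=208
+fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=208
+fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=208
+fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=208
+fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=208
+let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=208
+fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=208
+let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=208
+let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=208
+let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=208
+let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=208
 // Deprecated methods
-let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=182
-let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=182
-let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=182
-let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=182
-let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
-let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
+let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=208
+let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=208
+let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=208
+let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=208
+let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=208
+let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=208
 
 var encoding = String.Encoding.utf8
-let _ = try! String(contentsOfFile: remoteString) // $ hasPathInjection=182
-let _ = try! String(contentsOfFile: remoteString, encoding: String.Encoding.utf8) // $ hasPathInjection=182
-let _ = try! String(contentsOfFile: remoteString, usedEncoding: &encoding) // $ hasPathInjection=182
-
-let _ = try! NSString(contentsOfFile: remoteString, encoding: 0) // $ hasPathInjection=182
-let _ = try! NSString(contentsOfFile: remoteString, usedEncoding: nil) // $ hasPathInjection=182
-NSString().write(to: remoteUrl, atomically: true, encoding: 0) // $ hasPathInjection=182
-NSString().write(toFile: remoteString, atomically: true, encoding: 0) // $ hasPathInjection=182
-
-let _ = NSKeyedUnarchiver().unarchiveObject(withFile: remoteString) // $ hasPathInjection=182
-let _ = ArchiveByteStream.fileStream(fd: remoteString as! FileDescriptor, automaticClose: true) // $ hasPathInjection=182
-ArchiveByteStream.withFileStream(fd: remoteString as! FileDescriptor, automaticClose: true) { _ in } // $ hasPathInjection=182
-let _ = ArchiveByteStream.fileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) // $ hasPathInjection=182
-ArchiveByteStream.withFileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) { _ in } // $ hasPathInjection=182
-let _ = Bundle(url: remoteUrl) // $ hasPathInjection=182
-let _ = Bundle(path: remoteString) // $ hasPathInjection=182
-
-let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=182
+let _ = try! String(contentsOfFile: remoteString) // $ hasPathInjection=208
+let _ = try! String(contentsOfFile: remoteString, encoding: String.Encoding.utf8) // $ hasPathInjection=208
+let _ = try! String(contentsOfFile: remoteString, usedEncoding: &encoding) // $ hasPathInjection=208
+
+let _ = try! NSString(contentsOfFile: remoteString, encoding: 0) // $ hasPathInjection=208
+let _ = try! NSString(contentsOfFile: remoteString, usedEncoding: nil) // $ hasPathInjection=208
+NSString().write(to: remoteUrl, atomically: true, encoding: 0) // $ hasPathInjection=208
+NSString().write(toFile: remoteString, atomically: true, encoding: 0) // $ hasPathInjection=208
+
+let _ = NSKeyedUnarchiver().unarchiveObject(withFile: remoteString) // $ hasPathInjection=208
+let _ = ArchiveByteStream.fileStream(fd: remoteString as! FileDescriptor, automaticClose: true) // $ hasPathInjection=208
+ArchiveByteStream.withFileStream(fd: remoteString as! FileDescriptor, automaticClose: true) { _ in } // $ hasPathInjection=208
+let _ = ArchiveByteStream.fileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) // $ hasPathInjection=208
+ArchiveByteStream.withFileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) { _ in } // $ hasPathInjection=208
+let _ = Bundle(url: remoteUrl) // $ hasPathInjection=208
+let _ = Bundle(path: remoteString) // $ hasPathInjection=208
+
+// GRDB
+
+let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=208
 let _ = Database(path: "", description: "", configuration: Configuration()) // Safe
-let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
+let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=208
 let _ = DatabasePool(path: "", configuration: Configuration()) // Safe
-let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
+let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=208
 let _ = DatabaseQueue(path: "", configuration: Configuration()) // Safe
-let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
+let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=208
 let _ = DatabaseSnapshotPool(path: "", configuration: Configuration()) // Safe
-let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=182
+let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=208
 let _ = SerializedDatabase(path: "", defaultLabel: "") // Safe
-let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=182
+let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=208
 let _ = SerializedDatabase(path: "", defaultLabel: "", purpose: nil) // Safe
-let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=182
+let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=208
 let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "") // Safe
-let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=182
+let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=208
 let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "", purpose: nil) // Safe
+
+
+
+
+
+
+
+
+
+
+
+
+
 }
 
 func testSanitizers() {
@@ -290,5 +331,5 @@ func testSanitizers() {
 if (filePath.lexicallyNormalized().starts(with: "/safe")) {
 let _ = fm.contents(atPath: remoteString) // Safe
 }
-let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=285
+let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=326
 }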
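Review bot: In the last hunk, the branch marked `// Safe` in `testSanitizers` validates `filePath.lexicallyNormalized()` but still passes the raw `remoteString` to `fm.contents(atPath:)`, and nothing in the test says that this models the query's barrier rather than a recommended pattern. Lexical normalization does not consult the file system, so symlinks under `/safe` are not covered by the check, and code copied from here would open a different string than the one it checked. I would add a comment above the `if`, for example `// barrier case: the query accepts a lexicallyNormalized().starts(with:) guard; production code should open the normalized path and resolve symlinks first`. How `filePath` is derived sits above the hunk, so this assumes it is built from `remoteString`.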
