
Commit 28d801f

committed
Swift: CWE-135 query sources and sinks.
1 parent b609f1e commit 28d801f


2 files changed

+118
-2
lines changed


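--- a/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
+++ b/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
@@ -12,4 +12,76 @@
 
 import swift
 
-select "TODO"
+predicate isSource(Expr e) {
+// result of a call to to `String.count`
+exists(MemberRefExpr member |
+member.getBaseExpr().getType().toString() = "String" and // TODO: use of toString
+member.getMember().toString() = "count" and // TODO: use of toString
+e = member
+)
+// TODO: other sources such as NSString.length, with different set of sinks
+}
+
+predicate isSink(Expr e) {
+// arguments to method calls...
+exists(
+string className, string methodName, string argName, ClassDecl c, AbstractFunctionDecl f,
+CallExpr call, int arg
+|
+(
+// `NSRange.init`
+className = "NSRange" and
+methodName = "init" and
+argName = ["location", "length"]
+or
+// `NSString.character`
+className = ["NSString", "NSMutableString"] and
+methodName = "character" and
+argName = "at"
+or
+// `NSString.character`
+className = ["NSString", "NSMutableString"] and
+methodName = "substring" and
+argName = ["from", "to"]
+or
+// `NSMutableString.insert`
+className = "NSMutableString" and
+methodName = "insert" and
+argName = "at"
+) and
+c.toString() = className and // TODO: use of toString
+c.getAMember() = f and // TODO: will this even work if its defined in a parent class?
+call.getFunction().(ApplyExpr).getFunction().(DeclRefExpr).getDecl() = f and
+call.getFunction().(ApplyExpr).getFunction().toString() = methodName and // TODO: use of toString
+call.getFunction()
+.(ApplyExpr)
+.getFunction()
+.(DeclRefExpr)
+.getDecl()
+.(AbstractFunctionDecl)
+.getParam(arg)
+.getName() = argName and
+call.getArgument(arg).getExpr() = e
+)
+or
+// arguments to function calls...
+exists(string funcName, string argName, CallExpr call, int arg |
+// `NSMakeRange`
+funcName = "NSMakeRange" and
+argName = ["loc", "len"] and
+call.getStaticTarget().getName() = funcName and
+call.getStaticTarget().getParam(arg).getName() = argName and
+call.getArgument(arg).getExpr() = e
+)
+}
+
+string describe(Element e) {
+isSource(e) and result = "isSource"
+or
+isSink(e) and result = "isSink"
+or
+isSource(e) and isSink(e) and result = "***RESULT***"
+}
+
+from Locatable e
+select e.getLocation(), e, strictconcat(describe(e), ", ")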
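Review bot: The comment on new line 42, `// \`NSString.character\``, sits above the `substring` case and looks copied from the `character` case on new line 37; it should read `// \`NSString.substring\``. New line 16 also has a doubled word in `a call to to \`String.count\``. A reader of isSource would benefit from one line saying why `String.count` is the source at all: it counts Characters (extended grapheme clusters), whereas the NSRange/NSString APIs enumerated in isSink take UTF-16 code-unit offsets and lengths, so using one where the other is expected is the length conflation this CWE-135 query targets; something like `// \`String.count\` is a grapheme-cluster count, not the UTF-16 length the NSString/NSRange APIs expect` would do. The `***RESULT***` label in describe only fires when the very same expression is both a source and a sink, which the expected output confirms, so presumably cases where the count passes through a local or an arithmetic expression first are left for a later data-flow step.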
Lines changed: 45 additions & 1 deletion
@@ -1 +1,45 @@
1-
| TODO |
1+
| StringLengthConflation.swift:10:37:10:44 | Location | StringLengthConflation.swift:10:37:10:44 | .count | isSource |
2+
| StringLengthConflation.swift:21:37:21:44 | Location | StringLengthConflation.swift:21:37:21:44 | .count | isSource |
3+
| StringLengthConflation.swift:38:80:38:80 | Location | StringLengthConflation.swift:38:80:38:80 | loc | isSink |
4+
| StringLengthConflation.swift:38:93:38:93 | Location | StringLengthConflation.swift:38:93:38:93 | len | isSink |
5+
| StringLengthConflation.swift:47:20:47:22 | Location | StringLengthConflation.swift:47:20:47:22 | .count | isSource |
6+
| StringLengthConflation.swift:52:43:52:45 | Location | StringLengthConflation.swift:52:43:52:45 | .count | isSource |
7+
| StringLengthConflation.swift:59:47:59:49 | Location | StringLengthConflation.swift:59:47:59:49 | .count | isSource |
8+
| StringLengthConflation.swift:64:33:64:35 | Location | StringLengthConflation.swift:64:33:64:35 | .count | isSource |
9+
| StringLengthConflation.swift:71:30:71:30 | Location | StringLengthConflation.swift:71:30:71:30 | 0 | isSink |
10+
| StringLengthConflation.swift:71:33:71:36 | Location | StringLengthConflation.swift:71:33:71:36 | .length | isSink |
11+
| StringLengthConflation.swift:72:30:72:30 | Location | StringLengthConflation.swift:72:30:72:30 | 0 | isSink |
12+
| StringLengthConflation.swift:72:33:72:35 | Location | StringLengthConflation.swift:72:33:72:35 | .count | ***RESULT***, isSink, isSource |
13+
| StringLengthConflation.swift:73:30:73:30 | Location | StringLengthConflation.swift:73:30:73:30 | 0 | isSink |
14+
| StringLengthConflation.swift:73:33:73:46 | Location | StringLengthConflation.swift:73:33:73:46 | .count | isSink |
15+
| StringLengthConflation.swift:74:30:74:30 | Location | StringLengthConflation.swift:74:30:74:30 | 0 | isSink |
16+
| StringLengthConflation.swift:74:33:74:78 | Location | StringLengthConflation.swift:74:33:74:78 | call to ... | isSink |
17+
| StringLengthConflation.swift:77:36:77:36 | Location | StringLengthConflation.swift:77:36:77:36 | 0 | isSink |
18+
| StringLengthConflation.swift:77:47:77:50 | Location | StringLengthConflation.swift:77:47:77:50 | .length | isSink |
19+
| StringLengthConflation.swift:78:36:78:36 | Location | StringLengthConflation.swift:78:36:78:36 | 0 | isSink |
20+
| StringLengthConflation.swift:78:47:78:49 | Location | StringLengthConflation.swift:78:47:78:49 | .count | ***RESULT***, isSink, isSource |
21+
| StringLengthConflation.swift:83:28:83:30 | Location | StringLengthConflation.swift:83:28:83:30 | .count | isSource |
22+
| StringLengthConflation.swift:87:27:87:29 | Location | StringLengthConflation.swift:87:27:87:29 | .count | isSource |
23+
| StringLengthConflation.swift:91:25:91:27 | Location | StringLengthConflation.swift:91:25:91:27 | .count | isSource |
24+
| StringLengthConflation.swift:95:25:95:27 | Location | StringLengthConflation.swift:95:25:95:27 | .count | isSource |
25+
| StringLengthConflation.swift:99:34:99:46 | Location | StringLengthConflation.swift:99:34:99:46 | ... call to - ... | isSink |
26+
| StringLengthConflation.swift:100:36:100:49 | Location | StringLengthConflation.swift:100:36:100:49 | ... call to - ... | isSink |
27+
| StringLengthConflation.swift:101:34:101:36 | Location | StringLengthConflation.swift:101:34:101:36 | .count | isSource |
28+
| StringLengthConflation.swift:101:34:101:44 | Location | StringLengthConflation.swift:101:34:101:44 | ... call to - ... | isSink |
29+
| StringLengthConflation.swift:102:36:102:38 | Location | StringLengthConflation.swift:102:36:102:38 | .count | isSource |
30+
| StringLengthConflation.swift:102:36:102:46 | Location | StringLengthConflation.swift:102:36:102:46 | ... call to - ... | isSink |
31+
| StringLengthConflation.swift:105:36:105:48 | Location | StringLengthConflation.swift:105:36:105:48 | ... call to - ... | isSink |
32+
| StringLengthConflation.swift:106:38:106:51 | Location | StringLengthConflation.swift:106:38:106:51 | ... call to - ... | isSink |
33+
| StringLengthConflation.swift:107:36:107:38 | Location | StringLengthConflation.swift:107:36:107:38 | .count | isSource |
34+
| StringLengthConflation.swift:107:36:107:46 | Location | StringLengthConflation.swift:107:36:107:46 | ... call to - ... | isSink |
35+
| StringLengthConflation.swift:108:38:108:40 | Location | StringLengthConflation.swift:108:38:108:40 | .count | isSource |
36+
| StringLengthConflation.swift:108:38:108:48 | Location | StringLengthConflation.swift:108:38:108:48 | ... call to - ... | isSink |
37+
| StringLengthConflation.swift:111:34:111:46 | Location | StringLengthConflation.swift:111:34:111:46 | ... call to - ... | isSink |
38+
| StringLengthConflation.swift:112:36:112:49 | Location | StringLengthConflation.swift:112:36:112:49 | ... call to - ... | isSink |
39+
| StringLengthConflation.swift:113:34:113:36 | Location | StringLengthConflation.swift:113:34:113:36 | .count | isSource |
40+
| StringLengthConflation.swift:113:34:113:44 | Location | StringLengthConflation.swift:113:34:113:44 | ... call to - ... | isSink |
41+
| StringLengthConflation.swift:114:36:114:38 | Location | StringLengthConflation.swift:114:36:114:38 | .count | isSource |
42+
| StringLengthConflation.swift:114:36:114:46 | Location | StringLengthConflation.swift:114:36:114:46 | ... call to - ... | isSink |
43+
| StringLengthConflation.swift:118:28:118:41 | Location | StringLengthConflation.swift:118:28:118:41 | ... call to - ... | isSink |
44+
| StringLengthConflation.swift:120:28:120:30 | Location | StringLengthConflation.swift:120:28:120:30 | .count | isSource |
45+
| StringLengthConflation.swift:120:28:120:38 | Location | StringLengthConflation.swift:120:28:120:38 | ... call to - ... | isSink |
