Swift: Tests for CWE-95.

Author: geoffw0

swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.expected

@@ -0,0 +1 @@
+| TODO |

swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.qlref

@@ -0,0 +1 @@
+queries/Security/CWE-095/UnsafeWebviewFetch.ql

swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.swift

@@ -0,0 +1,206 @@
+
+// --- stubs ---
+
+class NSObject
+{
+}
+
+class URL
+{
+	init?(string: String) {}
+	init?(string: String, relativeTo: URL?) {}
+}
+
+extension String {
+	init(contentsOf: URL) throws {
+        var data = ""
+        
+        // ...
+        
+        self.init(data)
+    }
+}
+
+class NSURLRequest : NSObject
+{
+	enum CachePolicy : UInt
+	{
+		case useProtocolCachePolicy
+	}
+}
+
+typealias TimeInterval = Double
+
+class URLRequest
+{
+	typealias CachePolicy = NSURLRequest.CachePolicy
+
+	init(url: URL, cachePolicy: URLRequest.CachePolicy = .useProtocolCachePolicy, timeoutInterval: TimeInterval = 60.0) {}
+}
+
+class Data
+{
+    init<S>(_ elements: S) {}
+}
+
+class WKNavigation : NSObject
+{
+}
+
+class UIResponder : NSObject
+{
+}
+
+class UIView : UIResponder
+{
+}
+
+class UIWebView : UIView
+{
+	func loadRequest(_ request: URLRequest) {} // deprecated
+
+	func load(_ data: Data, mimeType MIMEType: String, textEncodingName: String, baseURL: URL) {} // deprecated
+
+	func loadHTMLString(_ string: String, baseURL: URL?) {} // deprecated
+}
+
+class WKWebView : UIView
+{
+	func load(_ request: URLRequest) -> WKNavigation? {
+		// ...
+
+		return WKNavigation()
+	}
+
+	func load(_ data: Data, mimeType MIMEType: String, characterEncodingName: String, baseURL: URL) -> WKNavigation? {
+		// ...
+
+		return WKNavigation()
+	}
+
+	func loadHTMLString(_ string: String, baseURL: URL?) -> WKNavigation? {
+		// ...
+
+		return WKNavigation()
+	}
+}
+
+// --- tests ---
+
+func getRemoteData() -> String {
+	let url = URL(string: "http://example.com/")
+	do
+	{
+		return try String(contentsOf: url!)
+	} catch {
+		return ""
+	}
+}
+
+func testSimpleFlows() {
+	let webview = UIWebView()
+
+	webview.loadHTMLString(try! String(contentsOf: URL(string: "http://example.com/")!), baseURL: nil) // BAD [NOT DETECTED]
+
+	let data = try! String(contentsOf: URL(string: "http://example.com/")!)
+	webview.loadHTMLString(data, baseURL: nil) // BAD [NOT DETECTED]
+
+	let url = URL(string: "http://example.com/")
+	webview.loadHTMLString(try! String(contentsOf: url!), baseURL: nil) // BAD [NOT DETECTED]
+}
+
+func testUIWebView() {
+	let webview = UIWebView()
+
+	let localString = "<html><body><p>Local HTML</p></body></html>"
+	let localStringFragment = "<body><p>Local HTML</p></body>"
+	let remoteString = getRemoteData()
+
+	webview.loadHTMLString(localString, baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD: HTML contains remote input, may access local secrets [NOT DETECTED]
+	webview.loadHTMLString(remoteString, baseURL: nil) // BAD [NOT DETECTED]
+
+	webview.loadHTMLString("<html>" + localStringFragment + "</html>", baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString("<html>" + remoteString + "</html>", baseURL: nil) // BAD [NOT DETECTED]
+
+	webview.loadHTMLString("<html>\(localStringFragment)</html>", baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString("<html>\(remoteString)</html>", baseURL: nil) // BAD [NOT DETECTED]
+
+	let localSafeURL = URL(string: "about:blank")
+	let localURL = URL(string: "http://example.com/")
+	let remoteURL = URL(string: remoteString)
+	let remoteURL2 = URL(string: "/path", relativeTo: remoteURL)
+
+	webview.loadHTMLString(localString, baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.loadHTMLString(remoteString, baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.loadHTMLString(localString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified
+	webview.loadHTMLString(remoteString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified
+	webview.loadHTMLString(localString, baseURL: remoteURL!) // GOOD: the HTML data is local
+	webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD [NOT DETECTED]
+	webview.loadHTMLString(localString, baseURL: remoteURL2!) // GOOD: the HTML data is local
+	webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD [NOT DETECTED]
+
+	let localRequest = URLRequest(url: localURL!)
+	let remoteRequest = URLRequest(url: remoteURL!)
+
+	webview.loadRequest(localRequest) // GOOD: loadRequest is out of scope as it has no baseURL
+	webview.loadRequest(remoteRequest) // GOOD: loadRequest is out of scope as it has no baseURL
+
+	let localData = Data(localString.utf8)
+	let remoteData = Data(remoteString.utf8)
+	webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local
+	webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local
+	webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // BAD [NOT DETECTED]
+}
+
+func testWKWebView() {
+	let webview = WKWebView()
+	// note: `WKWebView` is safer than `UIWebView` as it has better security configuration options
+	//       and is more locked down by default.
+
+	let localString = "<html><body><p>Local HTML</p></body></html>"
+	let localStringFragment = "<body><p>Local HTML</p></body>"
+	let remoteString = getRemoteData()
+
+	webview.loadHTMLString(localString, baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString(getRemoteData(), baseURL: nil) // BAD [NOT DETECTED]
+	webview.loadHTMLString(remoteString, baseURL: nil) // BAD [NOT DETECTED]
+
+	webview.loadHTMLString("<html>" + localStringFragment + "</html>", baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString("<html>" + remoteString + "</html>", baseURL: nil) // BAD [NOT DETECTED]
+
+	webview.loadHTMLString("<html>\(localStringFragment)</html>", baseURL: nil) // GOOD: the HTML data is local
+	webview.loadHTMLString("<html>\(remoteString)</html>", baseURL: nil) // BAD [NOT DETECTED]
+
+	let localSafeURL = URL(string: "about:blank")
+	let localURL = URL(string: "http://example.com/")
+	let remoteURL = URL(string: remoteString)
+	let remoteURL2 = URL(string: "/path", relativeTo: remoteURL)
+
+	webview.loadHTMLString(localString, baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.loadHTMLString(remoteString, baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.loadHTMLString(localString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified
+	webview.loadHTMLString(remoteString, baseURL: localURL!) // GOOD: a presumed safe baseURL is specified
+	webview.loadHTMLString(localString, baseURL: remoteURL!) // GOOD: the HTML data is local
+	webview.loadHTMLString(remoteString, baseURL: remoteURL!) // BAD [NOT DETECTED]
+	webview.loadHTMLString(localString, baseURL: remoteURL2!) // GOOD: the HTML data is local
+	webview.loadHTMLString(remoteString, baseURL: remoteURL2!) // BAD [NOT DETECTED]
+
+	let localRequest = URLRequest(url: localURL!)
+	let remoteRequest = URLRequest(url: remoteURL!)
+
+	webview.load(localRequest) // GOOD: loadRequest is out of scope as it has no baseURL
+	webview.load(remoteRequest) // GOOD: loadRequest is out of scope as it has no baseURL
+
+	let localData = Data(localString.utf8)
+	let remoteData = Data(remoteString.utf8)
+	webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local
+	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
+	webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local
+	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD [NOT DETECTED]
+}
+
+testSimpleFlows()
+testUIWebView()
+testWKWebView()