Swift: Add realm path-injection sinks.

geoffw0 · geoffw0 · commit 46da73cc1171 · 2023-04-14T14:50:50.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -127,7 +127,13 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
         ";DatabaseQueue;true;init(path:configuration:);;;Argument[0];path-injection",
         ";DatabaseSnapshotPool;true;init(path:configuration:);;;Argument[0];path-injection",
-        ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection"
+        ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection",
+        // Realm
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[0];path-injection",
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[0];path-injection",
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[10];path-injection",
+        ";Realm.Configuration;true;fileURL;;;;path-injection",
+        ";Realm.Configuration;true;seedFilePath;;;;path-injection",
       ]
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.expected b/swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.expected
@@ -0,0 +1,2 @@
+| testPathInjection.swift:314:35:314:35 | remoteUrl | Unexpected result: hasPathInjection=208 |
+| testPathInjection.swift:316:40:316:40 | remoteUrl | Unexpected result: hasPathInjection=208 |
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -311,9 +311,9 @@ func test() {
     // Realm
 
 	_ = Realm.Configuration(fileURL: safeUrl) // GOOD
-	_ = Realm.Configuration(fileURL: remoteUrl) // BAD [NOT DETECTED]
+	_ = Realm.Configuration(fileURL: remoteUrl) // BAD
 	_ = Realm.Configuration(seedFilePath: safeUrl) // GOOD
-	_ = Realm.Configuration(seedFilePath: remoteUrl) // BAD [NOT DETECTED]
+	_ = Realm.Configuration(seedFilePath: remoteUrl) // BAD
 
 	var config = Realm.Configuration() // GOOD
 	config.fileURL = safeUrl // GOOD

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,13 @@ private class PathInjectionSinks extends SinkModelCsv {`
`127`	`127`	`";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",`
`128`	`128`	`";DatabaseQueue;true;init(path:configuration:);;;Argument[0];path-injection",`
`129`	`129`	`";DatabaseSnapshotPool;true;init(path:configuration:);;;Argument[0];path-injection",`
`130`		`- ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection"`
	`130`	`+ ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection",`
	`131`	`+ // Realm`
	`132`	`+ ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[0];path-injection",`
	`133`	`+ ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[0];path-injection",`
	`134`	`+ ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[10];path-injection",`
	`135`	`+ ";Realm.Configuration;true;fileURL;;;;path-injection",`
	`136`	`+ ";Realm.Configuration;true;seedFilePath;;;;path-injection",`
`131`	`137`	`]`
`132`	`138`	`}`
`133`	`139`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| testPathInjection.swift:314:35:314:35 \| remoteUrl \| Unexpected result: hasPathInjection=208 \|`
	`2`	`+\| testPathInjection.swift:316:40:316:40 \| remoteUrl \| Unexpected result: hasPathInjection=208 \|`