Skip to content

Commit 62aa5de

Browse files
geoffw0geoffw0
committed
Swift: URL is a struct not a class.
1 parent 9f1bbf2 commit 62aa5de

File tree

4 files changed

+4
-42
lines changed

4 files changed

+4
-42
lines changed

swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected

Lines changed: 0 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -13,27 +13,15 @@ edges
1313
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:127:25:127:25 | "..." |
1414
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:135:25:135:25 | remoteString |
1515
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:137:25:137:25 | remoteString |
16-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:138:47:138:56 | ...! |
1716
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString |
18-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:139:48:139:57 | ...! |
19-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:140:47:140:57 | ...! |
2017
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString |
21-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:141:48:141:58 | ...! |
22-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:153:85:153:94 | ...! |
23-
| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:154:86:154:95 | ...! |
2418
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString |
2519
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... |
2620
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:174:25:174:25 | "..." |
2721
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:182:25:182:25 | remoteString |
2822
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:184:25:184:25 | remoteString |
29-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:185:47:185:56 | ...! |
3023
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString |
31-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:186:48:186:57 | ...! |
32-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:187:47:187:57 | ...! |
3324
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString |
34-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:188:48:188:58 | ...! |
35-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:200:90:200:99 | ...! |
36-
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | UnsafeWebViewFetch.swift:201:91:201:100 | ...! |
3725
| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() : | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData |
3826
| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() : | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData |
3927
nodes
@@ -52,29 +40,17 @@ nodes
5240
| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | semmle.label | "..." |
5341
| UnsafeWebViewFetch.swift:135:25:135:25 | remoteString | semmle.label | remoteString |
5442
| UnsafeWebViewFetch.swift:137:25:137:25 | remoteString | semmle.label | remoteString |
55-
| UnsafeWebViewFetch.swift:138:47:138:56 | ...! | semmle.label | ...! |
5643
| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | semmle.label | remoteString |
57-
| UnsafeWebViewFetch.swift:139:48:139:57 | ...! | semmle.label | ...! |
58-
| UnsafeWebViewFetch.swift:140:47:140:57 | ...! | semmle.label | ...! |
5944
| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | semmle.label | remoteString |
60-
| UnsafeWebViewFetch.swift:141:48:141:58 | ...! | semmle.label | ...! |
61-
| UnsafeWebViewFetch.swift:153:85:153:94 | ...! | semmle.label | ...! |
62-
| UnsafeWebViewFetch.swift:154:86:154:95 | ...! | semmle.label | ...! |
6345
| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() : | semmle.label | call to getRemoteData() : |
6446
| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | semmle.label | call to getRemoteData() |
6547
| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | semmle.label | remoteString |
6648
| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
6749
| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | semmle.label | "..." |
6850
| UnsafeWebViewFetch.swift:182:25:182:25 | remoteString | semmle.label | remoteString |
6951
| UnsafeWebViewFetch.swift:184:25:184:25 | remoteString | semmle.label | remoteString |
70-
| UnsafeWebViewFetch.swift:185:47:185:56 | ...! | semmle.label | ...! |
7152
| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | semmle.label | remoteString |
72-
| UnsafeWebViewFetch.swift:186:48:186:57 | ...! | semmle.label | ...! |
73-
| UnsafeWebViewFetch.swift:187:47:187:57 | ...! | semmle.label | ...! |
7453
| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | semmle.label | remoteString |
75-
| UnsafeWebViewFetch.swift:188:48:188:58 | ...! | semmle.label | ...! |
76-
| UnsafeWebViewFetch.swift:200:90:200:99 | ...! | semmle.label | ...! |
77-
| UnsafeWebViewFetch.swift:201:91:201:100 | ...! | semmle.label | ...! |
7854
| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() : | semmle.label | call to getRemoteData() : |
7955
| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData |
8056
| UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData |
@@ -87,12 +63,8 @@ subpaths
8763
| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. |
8864
| UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:124:25:124:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
8965
| UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:127:25:127:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. |
90-
| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
91-
| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
9266
| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. |
9367
| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. |
9468
| UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
9569
| UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. |
96-
| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
97-
| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
9870
| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) : | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. |

swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ class NSObject
55
{
66
}
77

8-
class URL
8+
struct URL
99
{
1010
init?(string: String) {}
1111
init?(string: String, relativeTo: URL?) {}
@@ -14,9 +14,9 @@ class URL
1414
extension String {
1515
init(contentsOf: URL) throws {
1616
var data = ""
17-
17+
1818
// ...
19-
19+
2020
self.init(data)
2121
}
2222
}

swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,6 @@ edges
55
| testSend.swift:47:13:47:25 | call to pad(_:) : | testSend.swift:54:27:54:27 | str3 |
66
| testSend.swift:47:17:47:17 | password : | testSend.swift:41:10:41:18 | data : |
77
| testSend.swift:47:17:47:17 | password : | testSend.swift:47:13:47:25 | call to pad(_:) : |
8-
| testURL.swift:13:54:13:54 | passwd : | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
9-
| testURL.swift:16:55:16:55 | credit_card_no : | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
108
nodes
119
| testSend.swift:29:19:29:19 | passwordPlain | semmle.label | passwordPlain |
1210
| testSend.swift:41:10:41:18 | data : | semmle.label | data : |
@@ -18,18 +16,10 @@ nodes
1816
| testSend.swift:52:27:52:27 | str1 | semmle.label | str1 |
1917
| testSend.swift:53:27:53:27 | str2 | semmle.label | str2 |
2018
| testSend.swift:54:27:54:27 | str3 | semmle.label | str3 |
21-
| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
22-
| testURL.swift:13:54:13:54 | passwd : | semmle.label | passwd : |
23-
| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
24-
| testURL.swift:16:55:16:55 | credit_card_no : | semmle.label | credit_card_no : |
25-
| testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
2619
subpaths
2720
| testSend.swift:47:17:47:17 | password : | testSend.swift:41:10:41:18 | data : | testSend.swift:41:45:41:45 | data : | testSend.swift:47:13:47:25 | call to pad(_:) : |
2821
#select
2922
| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
3023
| testSend.swift:52:27:52:27 | str1 | testSend.swift:45:13:45:13 | password : | testSend.swift:52:27:52:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:45:13:45:13 | password : | password |
3124
| testSend.swift:53:27:53:27 | str2 | testSend.swift:46:13:46:13 | password : | testSend.swift:53:27:53:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:46:13:46:13 | password : | password |
3225
| testSend.swift:54:27:54:27 | str3 | testSend.swift:47:17:47:17 | password : | testSend.swift:54:27:54:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:47:17:47:17 | password : | password |
33-
| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd : | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:13:54:13:54 | passwd : | passwd |
34-
| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no : | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:16:55:16:55 | credit_card_no : | credit_card_no |
35-
| testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:20:22:20:22 | passwd | passwd |

swift/ql/test/query-tests/Security/CWE-311/testURL.swift

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11

22
// --- stubs ---
33

4-
class URL
4+
struct URL
55
{
66
init?(string: String) {}
77
init?(string: String, relativeTo: URL?) {}

0 commit comments

Comments
 (0)