Swift: Extend sink models.

geoffw0 · geoffw0 · commit 09974b5176bc · 2023-10-12T09:17:04.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
@@ -105,10 +105,14 @@ private class LoggingSinks extends SinkModelCsv {
         ";;false;dump(_:name:indent:maxDepth:maxItems:);;;Argument[0..1];log-injection",
         ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[0];log-injection",
         ";;false;dump(_:to:name:indent:maxDepth:maxItems:);;;Argument[2];log-injection",
+        ";;false;assert(_:_:file:line:);;;Argument[1];log-injection",
+        ";;false;assertionFailure(_:file:line:);;;Argument[0];log-injection",
+        ";;false;precondition(_:_:file:line:);;;Argument[1];log-injection",
+        ";;false;preconditionFailure(_:file:line:);;;Argument[0];log-injection",
         ";;false;fatalError(_:file:line:);;;Argument[0];log-injection",
         ";;false;NSLog(_:_:);;;Argument[0..1];log-injection",
         ";;false;NSLogv(_:_:);;;Argument[0..1];log-injection",
-        ";;false;vfprintf(_:_:_:);;;Agument[1..2];log-injection",
+        ";;false;vfprintf(_:_:_:);;;Argument[1..2];log-injection",
         ";Logger;true;log(_:);;;Argument[0];log-injection",
         ";Logger;true;log(level:_:);;;Argument[1];log-injection",
         ";Logger;true;trace(_:);;;Argument[1];log-injection",
@@ -119,6 +123,10 @@ private class LoggingSinks extends SinkModelCsv {
         ";Logger;true;error(_:);;;Argument[1];log-injection",
         ";Logger;true;critical(_:);;;Argument[1];log-injection",
         ";Logger;true;fault(_:);;;Argument[1];log-injection",
+        ";;false;os_log(_:);;;Argument[0];log-injection",
+        ";;false;os_log(_:log:_:);;;Argument[2];log-injection",
+        ";;false;os_log(_:dso:log:_:_:);;;Argument[0,4];log-injection",
+        ";;false;os_log(_:dso:log:type:_:);;;Argument[0,4];log-injection",
       ]
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -159,8 +159,8 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
     NSLog(pass_phrase) // $ hasCleartextLogging=159
 
     os_log("%@", log: .default, type: .default, "") // safe
-    os_log("%@", log: .default, type: .default, password) // $ MISSING: hasCleartextLogging=161
-    os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ MISSING: hasCleartextLogging=162
+    os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=162
+    os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=163
 
 }
 

Original file line number	Diff line number	Diff line change
`@@ -159,8 +159,8 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr`
`159`	`159`	`NSLog(pass_phrase) // $ hasCleartextLogging=159`
`160`	`160`
`161`	`161`	`os_log("%@", log: .default, type: .default, "") // safe`
`162`		`- os_log("%@", log: .default, type: .default, password) // $ MISSING: hasCleartextLogging=161`
`163`		`- os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ MISSING: hasCleartextLogging=162`
	`162`	`+ os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=162`
	`163`	`+ os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=163`
`164`	`164`
`165`	`165`	`}`
`166`	`166`