Swift: Add sqlite3 models.

geoffw0 · geoffw0 · commit 16ae6372388c · 2023-09-25T20:30:48.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll
@@ -108,7 +108,25 @@ private class CleartextStorageDatabaseSinks extends SinkModelCsv {
         ";FetchableRecord;true;fetchOne(_:arguments:adapter:);;;Argument[1];database-store",
         ";Statement;true;execute(arguments:);;;Argument[0];database-store",
         ";CommonTableExpression;true;init(recursive:named:columns:sql:arguments:);;;Argument[4];database-store",
-        ";Statement;true;setArguments(_:);;;Argument[0];database-store"
+        ";Statement;true;setArguments(_:);;;Argument[0];database-store",
+        // sqlite3 sinks
+        ";;false;sqlite3_exec(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare_v2(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare_v3(_:_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16_v2(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16_v3(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_bind_blob(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_blob64(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_double(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_int(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_int64(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text16(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text64(_:_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_value(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_pointer(_:_:_:_:);;;Argument[2];database-store",
       ]
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -6,6 +6,10 @@ edges
 | file://:0:0:0:0 | value | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] |
 | file://:0:0:0:0 | value | file://:0:0:0:0 | [post] self [password] |
 | file://:0:0:0:0 | value | file://:0:0:0:0 | [post] self [value] |
+| sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery |
+| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery |
+| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:48:27:48:27 | deleteQuery |
+| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:57:34:57:34 | id |
 | testCoreData2.swift:23:13:23:13 | value | file://:0:0:0:0 | value |
 | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] | testCoreData2.swift:37:2:37:2 | [post] obj |
 | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] |
@@ -197,6 +201,13 @@ nodes
 | file://:0:0:0:0 | value | semmle.label | value |
 | file://:0:0:0:0 | value | semmle.label | value |
 | file://:0:0:0:0 | value | semmle.label | value |
+| sqlite3_c_api.swift:42:69:42:69 | medicalNotes | semmle.label | medicalNotes |
+| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | semmle.label | medicalNotes |
+| sqlite3_c_api.swift:46:27:46:27 | insertQuery | semmle.label | insertQuery |
+| sqlite3_c_api.swift:47:27:47:27 | updateQuery | semmle.label | updateQuery |
+| sqlite3_c_api.swift:48:27:48:27 | deleteQuery | semmle.label | deleteQuery |
+| sqlite3_c_api.swift:57:34:57:34 | id | semmle.label | id |
+| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | semmle.label | medicalNotes |
 | testCoreData2.swift:23:13:23:13 | value | semmle.label | value |
 | testCoreData2.swift:37:2:37:2 | [post] obj | semmle.label | [post] obj |
 | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] | semmle.label | [post] obj [myValue] |
@@ -465,6 +476,11 @@ subpaths
 | testRealm.swift:66:11:66:11 | myPassword | testRealm.swift:27:6:27:6 | value | file://:0:0:0:0 | [post] self [data] | testRealm.swift:66:2:66:2 | [post] g [data] |
 | testRealm.swift:73:15:73:15 | myPassword | testRealm.swift:34:6:34:6 | value | file://:0:0:0:0 | [post] self [password] | testRealm.swift:73:2:73:2 | [post] h [password] |
 #select
+| sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes |
+| sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
+| sqlite3_c_api.swift:48:27:48:27 | deleteQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:48:27:48:27 | deleteQuery | This operation stores 'deleteQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
+| sqlite3_c_api.swift:57:34:57:34 | id | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:57:34:57:34 | id | This operation stores 'id' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
+| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes |
 | testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo |
 | testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo |
 | testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo | bankAccountNo |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
@@ -43,9 +43,9 @@ func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
 	let updateQuery = "UPDATE PATIENTS SET NOTES=\(medicalNotes) WHERE ID=\(id);"
 	let deleteQuery = "DELETE FROM PATIENTS WHERE ID=\(id);"
 
-	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // BAD (sensitive data) [NOT DETECTED]
-	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // BAD (sensitive data) [NOT DETECTED]
-	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD
+	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // BAD (sensitive data)
+	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // BAD (sensitive data)
+	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD [FALSE POSITIVE]
 
 	// --- sensitive data in bindings ---
 
@@ -54,8 +54,8 @@ func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
 	var stmt1: OpaquePointer?
 
 	if (sqlite3_prepare(db, varQuery, -1, &stmt1, nil) == SQLITE_OK) { // GOOD
-		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD
-			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // BAD (sensitive data) [NOT DETECTED]
+		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD [FALSE POSITIVE]
+			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // BAD (sensitive data)
 				// ...
 			}
 		}
