Swift: Add some path injection sink models.

geoffw0 · geoffw0 · commit 2d313ef4c7fc · 2023-11-09T18:21:12.000Z
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -87,7 +87,14 @@ private class PathInjectionSinks extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
+        ";Data;true;init(contentsOf:options:);;;Argument[0];path-injection",
         ";Data;true;write(to:options:);;;Argument[0];path-injection",
+        ";NSData;true;init(contentsOfFile:);;;Argument[0];path-injection",
+        ";NSData;true;init(contentsOfFile:options:);;;Argument[0];path-injection",
+        ";NSData;true;init(contentsOf:);;;Argument[0];path-injection",
+        ";NSData;true;init(contentsOf:options:);;;Argument[0];path-injection",
+        ";NSData;true;init(contentsOfMappedFile:);;;Argument[0];path-injection",
+        ";NSData;true;dataWithContentsOfMappedFile(_:);;;Argument[0];path-injection",
         ";NSData;true;write(to:atomically:);;;Argument[0];path-injection",
         ";NSData;true;write(to:options:);;;Argument[0];path-injection",
         ";NSData;true;write(toFile:atomically:);;;Argument[0];path-injection",
@@ -118,12 +125,14 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";FileManager;true;fileExists(atPath:);;;Argument[0];path-injection",
         ";FileManager;true;fileExists(atPath:isDirectory:);;;Argument[0];path-injection",
         ";FileManager;true;setAttributes(_:ofItemAtPath:);;;Argument[1];path-injection",
+        ";FileManager;true;attributesOfItem(atPath:);;;Argument[0];path-injection",
         ";FileManager;true;contents(atPath:);;;Argument[0];path-injection",
         ";FileManager;true;contentsEqual(atPath:andPath:);;;Argument[0..1];path-injection",
         ";FileManager;true;changeCurrentDirectoryPath(_:);;;Argument[0];path-injection",
         ";FileManager;true;unmountVolume(at:options:completionHandler:);;;Argument[0];path-injection",
         // Deprecated FileManager methods:
         ";FileManager;true;changeFileAttributes(_:atPath:);;;Argument[1];path-injection",
+        ";FileManager;true;fileAttributes(atPath:traverseLink:);;;Argument[0];path-injection",
         ";FileManager;true;directoryContents(atPath:);;;Argument[0];path-injection",
         ";FileManager;true;createDirectory(atPath:attributes:);;;Argument[0];path-injection",
         ";FileManager;true;createSymbolicLink(atPath:pathContent:);;;Argument[0..1];path-injection",
@@ -146,6 +155,7 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";ArchiveByteStream;true;withFileStream(path:mode:options:permissions:_:);;;Argument[0];path-injection",
         ";Bundle;true;init(url:);;;Argument[0];path-injection",
         ";Bundle;true;init(path:);;;Argument[0];path-injection",
+        ";NSURL;writeBookmarkData(_:to:options:);;;Argument[1];path-injection",
         // GRDB
         ";Database;true;init(path:description:configuration:);;;Argument[0];path-injection",
         ";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -447,13 +447,13 @@ func testPathInjection2(s1: UnsafeMutablePointer<String>, s2: UnsafeMutablePoint
     var u1 = URL(filePath: "")
     _ = NSData(contentsOf: u1)
     _ = NSData(contentsOf: u1.appendingPathComponent(""))
-    _ = NSData(contentsOf: u1.appendingPathComponent(remoteString)) // $ MISSING: hasPathInjection=445
-    _ = NSData(contentsOf: u1.appendingPathComponent(remoteString).appendingPathComponent("")) // $ MISSING: hasPathInjection=445
+    _ = NSData(contentsOf: u1.appendingPathComponent(remoteString)) // $ hasPathInjection=445
+    _ = NSData(contentsOf: u1.appendingPathComponent(remoteString).appendingPathComponent("")) // $ hasPathInjection=445
     u1.appendPathComponent(remoteString)
-    _ = NSData(contentsOf: u1) // $ MISSING: hasPathInjection=445
+    _ = NSData(contentsOf: u1) // $ hasPathInjection=445
 
     let u2 = URL(filePath: remoteString)
-    _ = NSData(contentsOf: u2) // $ MISSING: hasPathInjection=445
+    _ = NSData(contentsOf: u2) // $ hasPathInjection=445
 
     let u3 = NSURL(string: "")!
     Data("").write(to: u3.filePathURL!, options: [])
@@ -464,9 +464,9 @@ func testPathInjection2(s1: UnsafeMutablePointer<String>, s2: UnsafeMutablePoint
     Data("").write(to: u4.filePathURL!, options: []) // $ hasPathInjection=445
     Data("").write(to: u4.appendingPathComponent("")!, options: []) // $ hasPathInjection=445
 
-    _ = NSData(contentsOfFile: remoteString)! // $ MISSING: hasPathInjection=445
-    _ = NSData(contentsOfMappedFile: remoteString)! // $ MISSING: hasPathInjection=445
-    _ = NSData.dataWithContentsOfMappedFile(remoteString)! // $ MISSING: hasPathInjection=445
+    _ = NSData(contentsOfFile: remoteString)! // $ hasPathInjection=445
+    _ = NSData(contentsOfMappedFile: remoteString)! // $ hasPathInjection=445
+    _ = NSData.dataWithContentsOfMappedFile(remoteString)! // $ hasPathInjection=445
 
     _ = NSData().write(toFile: s1.pointee, atomically: true)
     s1.pointee = remoteString
@@ -478,8 +478,8 @@ func testPathInjection2(s1: UnsafeMutablePointer<String>, s2: UnsafeMutablePoint
     _ = remoteString.completePath(into: s3, caseSensitive: false, matchesInto: nil, filterTypes: nil)
     _ = NSData().write(toFile: s3.pointee, atomically: true) // $ MISSING: hasPathInjection=445
 
-    _ = fm.fileAttributes(atPath: remoteString, traverseLink: true) // $ MISSING: hasPathInjection=445
-    _ = try fm.attributesOfItem(atPath: remoteString) // $ MISSING: hasPathInjection=445
+    _ = fm.fileAttributes(atPath: remoteString, traverseLink: true) // $ hasPathInjection=445
+    _ = try fm.attributesOfItem(atPath: remoteString) // $ hasPathInjection=445
 }
 
 // ---
