Commit 32c4728
Swift: Add tests.
1 parent a221095 commit 32c4728

3 files changed

+131
-0
lines changed

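--- /dev/null
+++ b/[path not shown: expected-output file]
@@ -0,0 +1,32 @@
+edges
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:68:28:68:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:71:28:71:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:72:28:72:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:74:28:74:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:75:28:75:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:76:28:76:28 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:77:46:77:46 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:86:11:86:11 | tainted |
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:89:61:89:61 | tainted |
+nodes
+| UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | semmle.label | call to init(contentsOf:) : |
+| UncontrolledFormatString.swift:68:28:68:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:71:28:71:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:72:28:72:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:74:28:74:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:75:28:75:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:76:28:76:28 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:77:46:77:46 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:86:11:86:11 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:89:61:89:61 | tainted | semmle.label | tainted |
+subpaths
+#select
+| UncontrolledFormatString.swift:68:28:68:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:68:28:68:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:71:28:71:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:71:28:71:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:72:28:72:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:72:28:72:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:74:28:74:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:74:28:74:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:75:28:75:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:75:28:75:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:76:28:76:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:76:28:76:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:77:46:77:46 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:77:46:77:46 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:86:11:86:11 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:86:11:86:11 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
+| UncontrolledFormatString.swift:89:61:89:61 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:89:61:89:61 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |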
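--- /dev/null
+++ b/[path not shown: qlref file]
@@ -0,0 +1 @@
+queries/Security/CWE-134/UncontrolledFormatString.ql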
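--- /dev/null
+++ b/UncontrolledFormatString.swift
@@ -0,0 +1,98 @@
+
+// --- stubs ---
+
+struct URL
+{
+init?(string: String) {}
+}
+
+struct Locale {
+}
+
+extension String : CVarArg {
+public var _cVarArgEncoding: [Int] { get { return [] } }
+
+init(contentsOf: URL) throws { self.init() }
+init(format: String, _ arguments: CVarArg...) { self.init() }
+init(format: String, arguments: [CVarArg]) { self.init() }
+init(format: String, locale: Locale?, _ args: CVarArg...) { self.init() }
+init(format: String, locale: Locale?, arguments: [CVarArg]) { self.init() }
+
+static func localizedStringWithFormat(_ format: String, _ arguments: CVarArg...) -> String { return "" }
+}
+
+class NSObject
+{
+}
+
+class NSString : NSObject
+{
+init(string aString: String) {}
+init(format: NSString, _ args: CVarArg...) {}
+
+class func localizedStringWithFormat(_ format: NSString, _ args: CVarArg...) {}
+}
+
+class NSMutableString : NSString
+{
+}
+
+struct NSExceptionName {
+init(_ rawValue: String) {}
+}
+
+class NSException: NSObject
+{
+class func raise(_ name: NSExceptionName, format: String, arguments argList: CVaListPointer) {}
+}
+
+func NSLog(_ format: String, _ args: CVarArg...) {}
+
+func NSLogv(_ format: String, _ args: CVaListPointer) {}
+
+// --- tests ---
+
+func MyLog(_ format: String, _ args: CVarArg...) {
+withVaList(args) { arglist in
+NSLogv(format, arglist) // BAD [NOT DETECTED]
+}
+}
+
+func tests() {
+let tainted = try! String(contentsOf: URL(string: "http://example.com")!)
+
+let a = String("abc") // GOOD: not a format string
+let b = String(tainted) // GOOD: not a format string
+
+let c = String(format: "abc") // GOOD: not tainted
+let d = String(format: tainted) // BAD
+let e = String(format: "%s", "abc") // GOOD: not tainted
+let f = String(format: "%s", tainted) // GOOD: format string itself is not tainted
+let g = String(format: tainted, "abc") // BAD
+let h = String(format: tainted, tainted) // BAD
+
+let i = String(format: tainted, arguments: []) // BAD
+let j = String(format: tainted, locale: nil) // BAD
+let k = String(format: tainted, locale: nil, arguments: []) // BAD
+let l = String.localizedStringWithFormat(tainted) // BAD
+
+let m = NSString(format: NSString(string: tainted), "abc") // BAD [NOT DETECTED]
+let n = NSString.localizedStringWithFormat(NSString(string: tainted)) // BAD [NOT DETECTED]
+
+var o = NSMutableString(format: NSString(string: tainted), "abc") // BAD [NOT DETECTED]
+var p = NSMutableString.localizedStringWithFormat(NSString(string: tainted)) // BAD [NOT DETECTED]
+
+NSLog("abc") // GOOD: not tainted
+NSLog(tainted) // BAD
+MyLog(tainted) // BAD [NOT DETECTED]
+
+NSException.raise(NSExceptionName("exception"), format: tainted, arguments: getVaList([])) // BAD
+
+let taintedVal = Int(tainted)!
+let taintedSan = "\(taintedVal)"
+let q = String(format: taintedSan) // GOOD: sufficiently sanitized
+
+let taintedVal2 = Int(tainted) ?? 0
+let taintedSan2 = String(taintedVal2)
+let r = String(format: taintedSan2) // GOOD: sufficiently sanitized
+}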
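Review bot: The `NSString` stub on line 31, `init(format: NSString, _ args: CVarArg...) {}`, declares the format parameter as `NSString`, whereas the Foundation overlay's initializer takes a `String` format; if the query's sink model is keyed to the real signature, the `[NOT DETECTED]` markers on lines 79 and 82 may be an artefact of the stub rather than a gap in the query, so consider aligning it as `init(format: String, _ args: CVarArg...) {}` and passing `tainted` directly in those two calls. `o` and `p` on lines 82–83 are never mutated and should be `let`, which would also silence the compiler's never-mutated warning. The suite has no case where the format string is assembled from tainted data by concatenation or interpolation, e.g. `let s = String(format: "value: " + tainted) // BAD`, which is the shape most real findings take and would confirm that taint propagates through those string operations before reaching the sink.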
