Swift: Add more test variants.

geoffw0 · geoffw0 · commit 398b2a392f3e · 2022-10-13T15:13:29.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift
@@ -1,40 +1,58 @@
 
 // --- stubs ---
 
+struct URL
+{
+	init?(string: String) {}
+	init?(string: String, relativeTo: URL?) {}
+}
+
+extension String {
+	init(contentsOf: URL) throws {
+		var data = ""
+
+		// ...
+
+		self.init(data)
+	}
+}
+
 public protocol Binding {}
 
 extension String: Binding {}
 
 class Statement {
-	init(_ connection: Connection, _ SQL: String) throws {}
+	fileprivate let connection: Connection
 
-	public func bind(_ values: Binding?...) -> Statement { return Statement() }
-	public func bind(_ values: [Binding?]) -> Statement { return Statement() }
-	public func bind(_ values: [String: Binding?]) -> Statement { return Statement() }
+	init(_ connection: Connection, _ SQL: String) throws { self.connection = connection}
 
-	@discardableResult public func run(_ bindings: Binding?...) throws -> Statement { return Statement() }
-	@discardableResult public func run(_ bindings: [Binding?]) throws -> Statement { return Statement() }
-	@discardableResult public func run(_ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+	public func bind(_ values: Binding?...) -> Statement { return Statement(connection, "") }
+	public func bind(_ values: [Binding?]) -> Statement { return Statement(connection, "") }
+	public func bind(_ values: [String: Binding?]) -> Statement { return Statement(connection, "") }
 
-	public func scalar(_ bindings: Binding?...) throws -> Binding? { return Binding() }
-	public func scalar(_ bindings: [Binding?]) throws -> Binding? { return Binding() }
-	public func scalar(_ bindings: [String: Binding?]) throws -> Binding? { return Binding() }
+	@discardableResult public func run(_ bindings: Binding?...) throws -> Statement { return Statement(connection, "") }
+	@discardableResult public func run(_ bindings: [Binding?]) throws -> Statement { return Statement(connection, "") }
+	@discardableResult public func run(_ bindings: [String: Binding?]) throws -> Statement { return Statement(connection, "") }
+
+	public func scalar(_ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [String: Binding?]) throws -> Binding? { return nil }
 }
 
 class Connection {
 	public func execute(_ SQL: String) throws { }
 
-	public func prepare(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement() }
-	public func prepare(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement() }
-	public func prepare(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+	public func prepare(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement(self, "") }
 
-	@discardableResult public func run(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement() }
-	@discardableResult public func run(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement() }
-	@discardableResult public func run(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+	@discardableResult public func run(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement(self, "") }
 
-	public func scalar(_ statement: String, _ bindings: Binding?...) throws -> Binding? { return Binding() }
-	public func scalar(_ statement: String, _ bindings: [Binding?]) throws -> Binding? { return Binding() }
-	public func scalar(_ statement: String, _ bindings: [String: Binding?]) throws -> Binding? { return Binding() }
+	public func scalar(_ statement: String, _ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [String: Binding?]) throws -> Binding? { return nil }
 }
 
 // --- tests ---
@@ -49,7 +67,6 @@ func test_sqlite_swift_api(db: Connection) {
 	let unsafeQuery3 = "SELECT * FROM users WHERE username='\(remoteString)'"
 	let safeQuery1 = "SELECT * FROM users WHERE username='\(localString)'"
 	let safeQuery2 = "SELECT * FROM users WHERE username='\(remoteNumber)'"
-	let varQuery = "SELECT * FROM users WHERE username=?"
 
 	// --- execute ---
 
@@ -61,6 +78,8 @@ func test_sqlite_swift_api(db: Connection) {
 
 	// --- prepared statements ---
 
+	let varQuery = "SELECT * FROM users WHERE username=?"
+
 	let stmt1 = try db.prepare(unsafeQuery3) // BAD
 	try stmt1.run()
 
@@ -70,5 +89,45 @@ func test_sqlite_swift_api(db: Connection) {
 	let stmt3 = try db.prepare(varQuery, remoteString) // GOOD
 	try stmt3.run()
 
-	// TODO: test all versions of prepare, run, scalar on Connection and Statement
+	let stmt4 = Statement(db, localString) // GOOD
+	stmt4.run()
+
+	let stmt5 = Statement(db, remoteString) // BAD
+	stmt5.run()
+
+	// --- more variants ---
+
+	let stmt6 = try db.prepare(unsafeQuery1, "") // BAD
+	try stmt6.run()
+
+	let stmt7 = try db.prepare(unsafeQuery1, [""]) // BAD
+	try stmt7.run()
+
+	let stmt8 = try db.prepare(unsafeQuery1, ["username": ""]) // BAD
+	try stmt8.run()
+
+	db.run(unsafeQuery1, "") // BAD
+
+	db.run(unsafeQuery1, [""]) // BAD
+
+	db.run(unsafeQuery1, ["username": ""]) // BAD
+
+	db.scalar(unsafeQuery1, "") // BAD
+
+	db.scalar(unsafeQuery1, [""]) // BAD
+
+	db.scalar(unsafeQuery1, ["username": ""]) // BAD
+
+	let stmt9 = try db.prepare(varQuery) // GOOD
+	stmt9.bind(remoteString)
+	stmt9.bind([remoteString])
+	stmt9.bind(["username": remoteString])
+	try stmt9.run(remoteString)
+	try stmt9.run([remoteString])
+	try stmt9.run(["username": remoteString])
+	try stmt9.scalar(remoteString)
+	try stmt9.scalar([remoteString])
+	try stmt9.scalar(["username": remoteString])
+
+	Statement(db, remoteString).run() // BAD
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift
@@ -7,14 +7,34 @@ struct URL
 	init?(string: String, relativeTo: URL?) {}
 }
 
+struct Data {
+	init<S>(_ elements: S) { count = 0 }
+
+	var count: Int
+
+	func copyBytes(to pointer: UnsafeMutablePointer<UInt8>, count: Int) {}
+}
+
 extension String {
 	init(contentsOf: URL) throws {
-        var data = ""
+		var data = ""
+
+		// ...
+
+		self.init(data)
+	}
+
+	struct Encoding {
+		var rawValue: UInt
 
-        // ...
+		init(rawValue: UInt) {
+			self.rawValue = rawValue
+		}
+
+		static let utf16 = Encoding(rawValue: 1)
+	}
 
-        self.init(data)
-    }
+	func data(using encoding: String.Encoding, allowLossyConversion: Bool = false) -> Data? { return nil }
 }
 
 var SQLITE_OK : Int32 = 0
@@ -97,7 +117,7 @@ func sqlite3_finalize(
 
 // --- tests ---
 
-func test_sqlite3_c_api(db: OpaquePointer?) {
+func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer<UInt8>) {
 	let localString = "user"
 	let remoteString = try! String(contentsOf: URL(string: "http://example.com/")!)
 	let remoteNumber = Int(remoteString) ?? 0
@@ -107,7 +127,6 @@ func test_sqlite3_c_api(db: OpaquePointer?) {
 	let unsafeQuery3 = "SELECT * FROM users WHERE username='\(remoteString)'"
 	let safeQuery1 = "SELECT * FROM users WHERE username='\(localString)'"
 	let safeQuery2 = "SELECT * FROM users WHERE username='\(remoteNumber)'"
-	let varQuery = "SELECT * FROM users WHERE username=?"
 
 	// --- exec ---
 
@@ -119,6 +138,8 @@ func test_sqlite3_c_api(db: OpaquePointer?) {
 
 	// --- prepared statements ---
 
+	let varQuery = "SELECT * FROM users WHERE username=?"
+
 	var stmt1: OpaquePointer?
 
 	if (sqlite3_prepare(db, unsafeQuery3, -1, &stmt1, nil) == SQLITE_OK) { // BAD
@@ -147,5 +168,48 @@ func test_sqlite3_c_api(db: OpaquePointer?) {
 	}
 	sqlite3_finalize(stmt3)
 
-	// TODO: use all versions v3, 16 etc.
+	// --- variant 'prepare' functions ---
+
+	var stmt4: OpaquePointer?
+
+	if (sqlite3_prepare_v2(db, unsafeQuery3, -1, &stmt4, nil) == SQLITE_OK) { // BAD
+		let result = sqlite3_step(stmt4)
+		// ...
+	}
+	sqlite3_finalize(stmt4)
+
+	var stmt5: OpaquePointer?
+
+	if (sqlite3_prepare_v3(db, unsafeQuery3, -1, 0, &stmt5, nil) == SQLITE_OK) { // BAD
+		let result = sqlite3_step(stmt5)
+		// ...
+	}
+	sqlite3_finalize(stmt5)
+
+	let data = unsafeQuery3.data(using:String.Encoding.utf16)!
+	data.copyBytes(to: buffer, count: data.count)
+
+	var stmt6: OpaquePointer?
+
+	if (sqlite3_prepare16(db, buffer, Int32(data.count), &stmt6, nil) == SQLITE_OK) { // BAD
+		let result = sqlite3_step(stmt6)
+		// ...
+	}
+	sqlite3_finalize(stmt6)
+
+	var stmt7: OpaquePointer?
+
+	if (sqlite3_prepare16_v2(db, buffer, Int32(data.count), &stmt7, nil) == SQLITE_OK) { // BAD
+		let result = sqlite3_step(stmt7)
+		// ...
+	}
+	sqlite3_finalize(stmt7)
+
+	var stmt8: OpaquePointer?
+
+	if (sqlite3_prepare16_v3(db, buffer, Int32(data.count), 0, &stmt8, nil) == SQLITE_OK) { // BAD
+		let result = sqlite3_step(stmt8)
+		// ...
+	}
+	sqlite3_finalize(stmt8)
 }
