Swift: Test SQL injection via the SQLite.swift library.

geoffw0 · geoffw0 · commit 4258147edfbc · 2022-10-10T17:40:22.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-089/SQLite.swift
@@ -1,4 +1,79 @@
 
 // --- stubs ---
 
+public protocol Binding {}
+
+extension String: Binding {}
+
+class Statement {
+	init(_ connection: Connection, _ SQL: String) throws {}
+
+	public func bind(_ values: Binding?...) -> Statement { return Statement() }
+	public func bind(_ values: [Binding?]) -> Statement { return Statement() }
+	public func bind(_ values: [String: Binding?]) -> Statement { return Statement() }
+
+	@discardableResult public func run(_ bindings: Binding?...) throws -> Statement { return Statement() }
+	@discardableResult public func run(_ bindings: [Binding?]) throws -> Statement { return Statement() }
+	@discardableResult public func run(_ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+
+	public func scalar(_ bindings: Binding?...) throws -> Binding? { return Binding() }
+	public func scalar(_ bindings: [Binding?]) throws -> Binding? { return Binding() }
+	public func scalar(_ bindings: [String: Binding?]) throws -> Binding? { return Binding() }
+}
+
+class Connection {
+	public func execute(_ SQL: String) throws { }
+
+	public func prepare(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement() }
+	public func prepare(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement() }
+	public func prepare(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+
+	@discardableResult public func run(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement() }
+	@discardableResult public func run(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement() }
+	@discardableResult public func run(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement() }
+
+	public func scalar(_ statement: String, _ bindings: Binding?...) throws -> Binding? { return Binding() }
+	public func scalar(_ statement: String, _ bindings: [Binding?]) throws -> Binding? { return Binding() }
+	public func scalar(_ statement: String, _ bindings: [String: Binding?]) throws -> Binding? { return Binding() }
+}
+
+func sanitize(_ string: String) -> String { return string }
+
 // --- tests ---
+
+func test_sqlite_swift_api(db: Connection) {
+	let localString = "user"
+	let remoteString = try! String(contentsOf: URL(string: "http://example.com/")!)
+	let sanitizedString = sanitize(remoteString)
+
+	let unsafeQuery1 = remoteString
+	let unsafeQuery2 = "SELECT * FROM users WHERE username='" + remoteString + "'"
+	let unsafeQuery3 = "SELECT * FROM users WHERE username='\(remoteString)'"
+	let safeQuery1 = "SELECT * FROM users WHERE username='\(localString)'"
+	let safeQuery2 = "SELECT * FROM users WHERE username='\(sanitizedString)'"
+	let varQuery = "SELECT * FROM users WHERE username=?"
+
+	// --- execute ---
+
+	try db.execute(unsafeQuery1) // BAD
+	try db.execute(unsafeQuery2) // BAD
+	try db.execute(unsafeQuery3) // BAD
+	try db.execute(safeQuery1) // GOOD
+	try db.execute(safeQuery2) // GOOD (sanitized)
+
+	// --- prepared statements ---
+
+	let stmt1 = try db.prepare(unsafeQuery3) // BAD
+	try stmt1.run()
+
+	let stmt2 = try db.prepare(varQuery, localString) // GOOD
+	try stmt2.run()
+
+	let stmt3 = try db.prepare(varQuery, sanitizedString) // GOOD
+	try stmt3.run()
+
+	let stmt4 = try db.prepare(varQuery, remoteString) // GOOD???
+	try stmt4.run()
+
+	// TODO: test all versions of prepare, run, scalar on Connection and Statement
+}
