Swift: Add heuristic path injection sinks.

geoffw0 · geoffw0 · commit 5a09a325f232 · 2023-11-10T15:13:51.000Z
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -61,6 +61,41 @@ private class EnumConstructorPathInjectionSink extends PathInjectionSink {
   }
 }
 
+/**
+ * A string that might be a label for a path argument.
+ */
+pragma[inline]
+private predicate pathLikeHeuristic(string label) {
+  label =
+    [
+      "atFile", "atPath", "atDirectory", "toFile", "toPath", "toDirectory", "inFile", "inPath",
+      "inDirectory", "contentsOfFile", "contentsOfPath", "contentsOfDirectory", "filePath",
+      "directory", "directoryPath"
+    ]
+}
+
+/**
+ * A path injection sink that is determined by imprecise methods.
+ */
+private class HeuristicPathInjectionSink extends PathInjectionSink {
+  HeuristicPathInjectionSink() {
+    // by parameter name
+    exists(CallExpr ce, int ix, ParamDecl pd |
+      pathLikeHeuristic(pragma[only_bind_into](pd.getName())) and
+      pd.getType().getUnderlyingType().getName() = ["String", "NSString"] and
+      pd = ce.getStaticTarget().getParam(ix) and
+      this.asExpr() = ce.getArgument(ix).getExpr()
+    )
+    or
+    // by argument name
+    exists(Argument a |
+      pathLikeHeuristic(pragma[only_bind_into](a.getLabel())) and
+      a.getExpr().getType().getUnderlyingType().getName() = ["String", "NSString"] and
+      this.asExpr() = a.getExpr()
+    )
+  }
+}
+
 private class DefaultPathInjectionBarrier extends PathInjectionBarrier {
   DefaultPathInjectionBarrier() {
     // This is a simplified implementation.
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -452,7 +452,7 @@ func testPathInjection2(s1: UnsafeMutablePointer<String>, s2: UnsafeMutablePoint
     u1.appendPathComponent(remoteString)
     _ = NSData(contentsOf: u1) // $ hasPathInjection=445
 
-    let u2 = URL(filePath: remoteString)
+    let u2 = URL(filePath: remoteString) // $ hasPathInjection=445
     _ = NSData(contentsOf: u2) // $ hasPathInjection=445
 
     let u3 = NSURL(string: "")!
@@ -504,13 +504,13 @@ class MyFile {
 func testPathInjectionHeuristics() {
     let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
 
-    myOpenFile1(atPath: remoteString) // $ MISSING: hasPathInjection=
-    myOpenFile2(remoteString) // $ MISSING: hasPathInjection=
-    myFindFiles(ofType: 0, inDirectory: remoteString) // $ MISSING: hasPathInjection=
+    myOpenFile1(atPath: remoteString) // $ hasPathInjection=505
+    myOpenFile2(remoteString) // $ hasPathInjection=505
+    myFindFiles(ofType: 0, inDirectory: remoteString) // $ hasPathInjection=505
 
-    let mc = MyClass(contentsOfFile: remoteString) // $ MISSING: hasPathInjection=
+    let mc = MyClass(contentsOfFile: remoteString) // $ hasPathInjection=505
     mc.doSomething(keyPath: remoteString) // good - not a path
-    mc.write(toFile: remoteString) // $ MISSING: hasPathInjection=
+    mc.write(toFile: remoteString) // $ hasPathInjection=505
 
     let mf1 = MyFile(path: "")
     let mf2 = MyFile(path: remoteString) // $ MISSING: hasPathInjection=
