Merge pull request #14807 from geoffw0/formatsinks

Swift: More sinks for swift/uncontrolled-format-string

Author: MathiasVP

swift/ql/lib/codeql/swift/StringFormat.qll

@@ -55,6 +55,19 @@ class LocalizedStringWithFormat extends FormattingFunction, Method {
   override int getFormatParameterIndex() { result = 0 }
 }
 
+/**
+ * A method that appends a formatted string.
+ */
+class StringMethodWithFormat extends FormattingFunction, Method {
+  StringMethodWithFormat() {
+    this.hasQualifiedName("NSMutableString", "appendFormat(_:_:)")
+    or
+    this.hasQualifiedName("StringProtocol", "appendingFormat(_:_:)")
+  }
+
+  override int getFormatParameterIndex() { result = 0 }
+}
+
 /**
  * The functions `NSLog` and `NSLogv`.
  */
@@ -72,3 +85,16 @@ class NsExceptionRaise extends FormattingFunction, Method {
 
   override int getFormatParameterIndex() { result = 1 }
 }
+
+/**
+ * A function that appears to be an imported C `printf` variant.
+ */
+class PrintfFormat extends FormattingFunction, FreeFunction {
+  int formatParamIndex;
+
+  PrintfFormat() {
+    this.getShortName().matches("%printf%") and this.getParam(formatParamIndex).getName() = "format"
+  }
+
+  override int getFormatParameterIndex() { result = formatParamIndex }
+}

swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll

@@ -8,6 +8,8 @@ private import codeql.swift.StringFormat
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.TaintTracking
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.frameworks.StandardLibrary.PointerTypes
+private import codeql.swift.security.PredicateInjectionExtensions
 
 /**
  * A dataflow sink for uncontrolled format string vulnerabilities.
@@ -43,6 +45,49 @@ private class DefaultUncontrolledFormatStringSink extends UncontrolledFormatStri
   }
 }
 
+/**
+ * Holds if `f`, `ix` describe `pd` and `pd` is a parameter that might be a format
+ * string.
+ */
+pragma[noinline]
+predicate formatLikeHeuristic(Callable f, int ix, ParamDecl pd) {
+  pd.getName() = ["format", "formatString", "fmt"] and
+  pd = f.getParam(ix)
+}
+
+/**
+ * An uncontrolled format string sink that is determined by imprecise methods.
+ */
+class HeuristicUncontrolledFormatStringSink extends UncontrolledFormatStringSink {
+  HeuristicUncontrolledFormatStringSink() {
+    exists(Callable f, Type argsType |
+      (
+        // by parameter name
+        exists(CallExpr ce, int ix |
+          formatLikeHeuristic(f, ix, _) and
+          f = ce.getStaticTarget() and
+          this.asExpr() = ce.getArgument(ix).getExpr()
+        )
+        or
+        // by argument name
+        exists(Argument a |
+          a.getLabel() = ["format", "formatString", "fmt"] and
+          a.getApplyExpr().getStaticTarget() = f and
+          this.asExpr() = a.getExpr()
+        )
+      ) and
+      // last parameter is vararg
+      argsType = f.getParam(f.getNumberOfParams() - 1).getType().getUnderlyingType() and
+      (
+        argsType instanceof CVaListPointerType or
+        argsType instanceof VariadicSequenceType
+      )
+    ) and
+    // prevent overlap with `swift/predicate-injection`
+    not this instanceof PredicateInjectionSink
+  }
+}
+
 /**
  * A barrier for uncontrolled format string vulnerabilities.
  */

swift/ql/src/change-notes/2023-11-16-format-string.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+* Added additional sinks for the "Uncontrolled format string" (`swift/uncontrolled-format-string`) query. Some of these sinks are heuristic (imprecise) in nature.