Swift: Bring it all together into a query.

geoffw0 · geoffw0 · commit 76ff593cc549 · 2022-10-13T16:06:44.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-089/SqlInjection.ql b/swift/ql/src/queries/Security/CWE-089/SqlInjection.ql
@@ -13,6 +13,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
 import DataFlow::PathGraph
 
 /**
@@ -65,5 +66,18 @@ class SQLiteSwiftSqlSink extends SqlSink {
   }
 }
 
-from SqlSink s
-select s
+/**
+ * A taint configuration for tainted data that reaches an SQL sink.
+ */
+class SqlInjectionConfig extends TaintTracking::Configuration {
+  SqlInjectionConfig() { this = "SqlInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof SqlSink }
+}
+
+from SqlInjectionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This SQL query depends on a $@.",
+  sourceNode.getNode(), "user-provided value"
diff --git a/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected b/swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -1,48 +1,50 @@
 edges
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:73:17:73:17 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:74:17:74:17 | unsafeQuery2 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:75:17:75:17 | unsafeQuery3 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:83:29:83:29 | unsafeQuery3 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:95:28:95:28 | remoteString |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:100:29:100:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:103:29:103:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:106:29:106:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:109:9:109:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:111:9:111:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:113:9:113:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:115:12:115:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:117:12:117:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:119:12:119:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:132:16:132:16 | remoteString |
 nodes
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | semmle.label | call to init(contentsOf:) :  |
+| SQLite.swift:73:17:73:17 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:74:17:74:17 | unsafeQuery2 | semmle.label | unsafeQuery2 |
+| SQLite.swift:75:17:75:17 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| SQLite.swift:83:29:83:29 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| SQLite.swift:95:28:95:28 | remoteString | semmle.label | remoteString |
+| SQLite.swift:100:29:100:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:103:29:103:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:106:29:106:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:109:9:109:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:111:9:111:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:113:9:113:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:115:12:115:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:117:12:117:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:119:12:119:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:132:16:132:16 | remoteString | semmle.label | remoteString |
 subpaths
 #select
-| SQLite.swift:29:86:29:86 |  |
-| SQLite.swift:30:85:30:85 |  |
-| SQLite.swift:31:93:31:93 |  |
-| SQLite.swift:33:113:33:113 |  |
-| SQLite.swift:34:112:34:112 |  |
-| SQLite.swift:35:120:35:120 |  |
-| SQLite.swift:45:113:45:113 |  |
-| SQLite.swift:46:112:46:112 |  |
-| SQLite.swift:47:120:47:120 |  |
-| SQLite.swift:49:128:49:128 |  |
-| SQLite.swift:50:127:50:127 |  |
-| SQLite.swift:51:135:51:135 |  |
-| SQLite.swift:73:17:73:17 | unsafeQuery1 |
-| SQLite.swift:74:17:74:17 | unsafeQuery2 |
-| SQLite.swift:75:17:75:17 | unsafeQuery3 |
-| SQLite.swift:76:17:76:17 | safeQuery1 |
-| SQLite.swift:77:17:77:17 | safeQuery2 |
-| SQLite.swift:83:29:83:29 | unsafeQuery3 |
-| SQLite.swift:86:29:86:29 | varQuery |
-| SQLite.swift:89:29:89:29 | varQuery |
-| SQLite.swift:92:28:92:28 | localString |
-| SQLite.swift:95:28:95:28 | remoteString |
-| SQLite.swift:100:29:100:29 | unsafeQuery1 |
-| SQLite.swift:103:29:103:29 | unsafeQuery1 |
-| SQLite.swift:106:29:106:29 | unsafeQuery1 |
-| SQLite.swift:109:9:109:9 | unsafeQuery1 |
-| SQLite.swift:111:9:111:9 | unsafeQuery1 |
-| SQLite.swift:113:9:113:9 | unsafeQuery1 |
-| SQLite.swift:115:12:115:12 | unsafeQuery1 |
-| SQLite.swift:117:12:117:12 | unsafeQuery1 |
-| SQLite.swift:119:12:119:12 | unsafeQuery1 |
-| SQLite.swift:121:29:121:29 | varQuery |
-| SQLite.swift:132:16:132:16 | remoteString |
-| sqlite3_c_api.swift:133:33:133:33 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:134:33:134:33 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:135:33:135:33 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:136:33:136:33 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:137:33:137:33 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:145:26:145:26 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:153:26:153:26 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:163:26:163:26 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:175:29:175:29 | (UnsafePointer<CChar>) ... |
-| sqlite3_c_api.swift:194:28:194:28 | buffer |
-| sqlite3_c_api.swift:202:31:202:31 | buffer |
+| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:73:17:73:17 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:74:17:74:17 | unsafeQuery2 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:75:17:75:17 | unsafeQuery3 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:83:29:83:29 | unsafeQuery3 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:95:28:95:28 | remoteString | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:95:28:95:28 | remoteString | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:100:29:100:29 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:103:29:103:29 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:106:29:106:29 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:109:9:109:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:109:9:109:9 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:111:9:111:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:111:9:111:9 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:113:9:113:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:113:9:113:9 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:115:12:115:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:115:12:115:12 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:117:12:117:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:117:12:117:12 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:119:12:119:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:119:12:119:12 | unsafeQuery1 | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:132:16:132:16 | remoteString | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:132:16:132:16 | remoteString | This SQL query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
diff --git a/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-089/sqlite3_c_api.swift
@@ -130,9 +130,9 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer<UInt8>)
 
 	// --- exec ---
 
-	let result1 = sqlite3_exec(db, unsafeQuery1, nil, nil, nil) // BAD
-	let result2 = sqlite3_exec(db, unsafeQuery2, nil, nil, nil) // BAD
-	let result3 = sqlite3_exec(db, unsafeQuery3, nil, nil, nil) // BAD
+	let result1 = sqlite3_exec(db, unsafeQuery1, nil, nil, nil) // BAD [NOT DETECTED]
+	let result2 = sqlite3_exec(db, unsafeQuery2, nil, nil, nil) // BAD [NOT DETECTED]
+	let result3 = sqlite3_exec(db, unsafeQuery3, nil, nil, nil) // BAD [NOT DETECTED]
 	let result4 = sqlite3_exec(db, safeQuery1, nil, nil, nil) // GOOD
 	let result5 = sqlite3_exec(db, safeQuery2, nil, nil, nil) // GOOD
 
@@ -142,7 +142,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer<UInt8>)
 
 	var stmt1: OpaquePointer?
 
-	if (sqlite3_prepare(db, unsafeQuery3, -1, &stmt1, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare(db, unsafeQuery3, -1, &stmt1, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt1)
 		// ...
 	}
@@ -172,15 +172,15 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer<UInt8>)
 
 	var stmt4: OpaquePointer?
 
-	if (sqlite3_prepare_v2(db, unsafeQuery3, -1, &stmt4, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare_v2(db, unsafeQuery3, -1, &stmt4, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt4)
 		// ...
 	}
 	sqlite3_finalize(stmt4)
 
 	var stmt5: OpaquePointer?
 
-	if (sqlite3_prepare_v3(db, unsafeQuery3, -1, 0, &stmt5, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare_v3(db, unsafeQuery3, -1, 0, &stmt5, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt5)
 		// ...
 	}
@@ -191,23 +191,23 @@ func test_sqlite3_c_api(db: OpaquePointer?, buffer: UnsafeMutablePointer<UInt8>)
 
 	var stmt6: OpaquePointer?
 
-	if (sqlite3_prepare16(db, buffer, Int32(data.count), &stmt6, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare16(db, buffer, Int32(data.count), &stmt6, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt6)
 		// ...
 	}
 	sqlite3_finalize(stmt6)
 
 	var stmt7: OpaquePointer?
 
-	if (sqlite3_prepare16_v2(db, buffer, Int32(data.count), &stmt7, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare16_v2(db, buffer, Int32(data.count), &stmt7, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt7)
 		// ...
 	}
 	sqlite3_finalize(stmt7)
 
 	var stmt8: OpaquePointer?
 
-	if (sqlite3_prepare16_v3(db, buffer, Int32(data.count), 0, &stmt8, nil) == SQLITE_OK) { // BAD
+	if (sqlite3_prepare16_v3(db, buffer, Int32(data.count), 0, &stmt8, nil) == SQLITE_OK) { // BAD [NOT DETECTED]
 		let result = sqlite3_step(stmt8)
 		// ...
 	}
