Swift: Address the sprintf case.

Author: geoffw0

swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll

@@ -94,19 +94,38 @@ private class CleartextLoggingFieldAdditionalFlowStep extends CleartextLoggingAd
 }
 
 /**
- * A sink that appears to be an imported C `printf` variant.
+ * A function that appears to be an imported C `printf` variant.
  * TODO: merge code with similar cases from the cleartext logging PR.
  */
+class PrintfFormat extends FreeFunction {
+  int formatParamIndex;
+  string modeChars;
+
+  PrintfFormat() {
+    modeChars = this.getShortName().regexpCapture("(.*)printf.*", 1) and
+    this.getParam(formatParamIndex).getName() = "format"
+  }
+
+  int getFormatParamIndex() { result = formatParamIndex }
+
+  /**
+   * Holds if this `printf` is a variant of `sprintf`.
+   */
+  predicate isSprintf() { modeChars.charAt(_) = "s" }
+}
+
+/**
+ * A sink that appears to be an imported C `printf` variant.
+ */
 private class PrintfCleartextLoggingSink extends CleartextLoggingSink {
   PrintfCleartextLoggingSink() {
-    exists(CallExpr ce, FreeFunction f, int formatParamIndex |
-      f.getShortName().matches("%printf%") and
-      f.getParam(formatParamIndex).getName() = "format" and
+    exists(CallExpr ce, PrintfFormat f |
       ce.getStaticTarget() = f and
       (
-        this.asExpr() = ce.getArgument(formatParamIndex).getExpr() or
+        this.asExpr() = ce.getArgument(f.getFormatParamIndex()).getExpr() or
         this.asExpr() = ce.getArgument(f.getNumberOfParams() - 1).getExpr()
-      )
+      ) and
+      not f.isSprintf()
     )
   }
 }

swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift

@@ -350,8 +350,8 @@ func test6(passwordString: String) {
     _ = vprintf("%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=350
     _ = vfprintf(nil, "\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=351
     _ = vfprintf(nil, "%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=352
-    _ = vasprintf_l(nil, nil, "\(passwordString) is incorrect!", getVaList([])) // $ SPURIOUS hasCleartextLogging=353 good (`sprintf` is not logging)
-    _ = vasprintf_l(nil, nil, "%s is incorrect!", getVaList([passwordString])) // $ SPURIOUS hasCleartextLogging=354 good (`sprintf` is not logging)
+    _ = vasprintf_l(nil, nil, "\(passwordString) is incorrect!", getVaList([])) // good (`sprintf` is not logging)
+    _ = vasprintf_l(nil, nil, "%s is incorrect!", getVaList([passwordString])) // good (`sprintf` is not logging)
 }
 
 func test7(authKey: String, authKey2: Int, authKey3: Float) {