Swift: Add heuristic sinks.

Author: geoffw0

swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll

@@ -8,6 +8,7 @@ private import codeql.swift.StringFormat
 private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.TaintTracking
 private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.frameworks.StandardLibrary.PointerTypes
 
 /**
  * A dataflow sink for uncontrolled format string vulnerabilities.
@@ -43,6 +44,47 @@ private class DefaultUncontrolledFormatStringSink extends UncontrolledFormatStri
   }
 }
 
+/**
+ * Holds if `f`, `ix` describe `pd` and `pd` is a parameter that might be a format
+ * string.
+ */
+pragma[noinline]
+predicate formatLikeHeuristic(Callable f, int ix, ParamDecl pd) {
+  pd.getName() = ["format", "formatString", "fmt"] and
+  pd = f.getParam(ix)
+}
+
+/**
+ * An uncontrolled format string sink that is determined by imprecise methods.
+ */
+class HeuristicUncontrolledFormatStringSink extends UncontrolledFormatStringSink {
+  HeuristicUncontrolledFormatStringSink() {
+    exists(Callable f, Type argsType |
+      (
+        // by parameter name
+        exists(CallExpr ce, int ix |
+          formatLikeHeuristic(f, ix, _) and
+          f = ce.getStaticTarget() and
+          this.asExpr() = ce.getArgument(ix).getExpr()
+        )
+        or
+        // by argument name
+        exists(Argument a |
+          a.getLabel() = ["format", "formatString", "fmt"] and
+          a.getApplyExpr().getStaticTarget() = f and
+          this.asExpr() = a.getExpr()
+        )
+      ) and
+      // last parameter is vararg
+      argsType = f.getParam(f.getNumberOfParams() - 1).getType().getUnderlyingType() and
+      (
+        argsType instanceof CVaListPointerType or
+        argsType instanceof VariadicSequenceType
+      )
+    )
+  }
+}
+
 /**
  * A barrier for uncontrolled format string vulnerabilities.
  */

swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.expected

@@ -16,10 +16,14 @@ edges
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:64:112:64 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted |
+| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:37:135:37 | tainted |
+| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:137:29:137:29 | tainted |
 | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:139:5:139:5 | tainted |
+| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted |
+| UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted |
 | UncontrolledFormatString.swift:108:43:108:43 | tainted | UncontrolledFormatString.swift:108:26:108:50 | call to NSString.init(string:) |
 | UncontrolledFormatString.swift:109:57:109:57 | tainted | UncontrolledFormatString.swift:109:40:109:64 | call to NSString.init(string:) |
 | UncontrolledFormatString.swift:111:50:111:50 | tainted | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) |
@@ -55,16 +59,20 @@ nodes
 | UncontrolledFormatString.swift:112:64:112:64 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:115:11:115:11 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:116:11:116:11 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:118:61:118:61 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:130:39:130:39 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | semmle.label | call to NSString.init(string:) |
 | UncontrolledFormatString.swift:135:37:135:37 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:137:29:137:29 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:139:5:139:5 | tainted | semmle.label | tainted |
 | UncontrolledFormatString.swift:140:9:140:9 | cstr [Collection element] | semmle.label | cstr [Collection element] |
 | UncontrolledFormatString.swift:141:24:141:24 | cstr | semmle.label | cstr |
 | UncontrolledFormatString.swift:143:21:143:21 | cstr | semmle.label | cstr |
 | UncontrolledFormatString.swift:145:27:145:27 | cstr | semmle.label | cstr |
 | UncontrolledFormatString.swift:147:35:147:35 | cstr | semmle.label | cstr |
+| UncontrolledFormatString.swift:154:26:154:26 | tainted | semmle.label | tainted |
+| UncontrolledFormatString.swift:156:32:156:32 | tainted | semmle.label | tainted |
 subpaths
 #select
 | UncontrolledFormatString.swift:79:16:79:16 | format | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:79:16:79:16 | format | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
@@ -80,10 +88,14 @@ subpaths
 | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:111:33:111:57 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:112:47:112:71 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:115:11:115:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:115:11:115:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
+| UncontrolledFormatString.swift:116:11:116:11 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:116:11:116:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:118:61:118:61 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:118:61:118:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:130:39:130:39 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:130:39:130:39 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:135:20:135:44 | call to NSString.init(string:) | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
+| UncontrolledFormatString.swift:137:29:137:29 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:137:29:137:29 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:141:24:141:24 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:141:24:141:24 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:143:21:143:21 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:143:21:143:21 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:145:27:145:27 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:145:27:145:27 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
 | UncontrolledFormatString.swift:147:35:147:35 | cstr | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:147:35:147:35 | cstr | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
+| UncontrolledFormatString.swift:154:26:154:26 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:154:26:154:26 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |
+| UncontrolledFormatString.swift:156:32:156:32 | tainted | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | UncontrolledFormatString.swift:156:32:156:32 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:91:24:91:77 | call to String.init(contentsOf:) | this user-provided value |

swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift

@@ -113,7 +113,7 @@ func tests() throws {
 
     NSLog("abc") // GOOD: not tainted
     NSLog(tainted) // BAD
-    MyLog(tainted) // BAD [NOT DETECTED]
+    MyLog(tainted) // BAD
 
     NSException.raise(NSExceptionName("exception"), format: tainted, arguments: getVaList([])) // BAD
 
@@ -134,7 +134,7 @@ func tests() throws {
     s.appendFormat(NSString(string: "%s"), "abc") // GOOD: not tainted
     s.appendFormat(NSString(string: tainted), "abc") // BAD
 
-    _ = NSPredicate(format: tainted) // GOOD: this should be flagged by `swift/predicate-injection`, not `swift/uncontrolled-format-string`
+    _ = NSPredicate(format: tainted) // GOOD: this should be flagged by `swift/predicate-injection`, not `swift/uncontrolled-format-string` [FALSE POSITIVE]
 
     tainted.withCString({
         cstr in
@@ -151,8 +151,8 @@ func tests() throws {
     myFormatMessage(string: tainted, "abc") // BAD [NOT DETECTED]
     myFormatMessage(string: "%s", tainted) // GOOD: format not tainted
 
-    _ = MyString(format: tainted, "abc") // BAD [NOT DETECTED]
+    _ = MyString(format: tainted, "abc") // BAD
     _ = MyString(format: "%s", tainted) // GOOD: format not tainted
-    _ = MyString(formatString: tainted, "abc") // BAD [NOT DETECTED]
+    _ = MyString(formatString: tainted, "abc") // BAD
     _ = MyString(formatString: "%s", tainted) // GOOD: format not tainted
 }