
Commit b4595d8

Swift: Model getVaList, correct NSLogv sink for swift/cleartext-logging.
1 parent f5d7765 commit b4595d8

4 files changed

+16
-3
lines changed

4 files changed

+16
-3
lines changed
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
/**
2+
* Provides models for Swift "C Interoperability" functions.
3+
*/
4+
5+
import swift
6+
private import codeql.swift.dataflow.ExternalFlow
7+
8+
private class CInteropSummaries extends SummaryModelCsv {
9+
override predicate row(string row) {
10+
row = ";;false;getVaList(_:);;;Argument[0].ArrayElement;ReturnValue;value"
11+
}
12+
}

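--- a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
+++ b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
@@ -3,6 +3,7 @@
  */
 
 private import Array
+private import CInterop
 private import Collection
 private import CustomUrlSchemes
 private import Data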

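--- a/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
@@ -94,7 +94,7 @@ private class LoggingSinks extends SinkModelCsv {
 ";;false;NSLog(_:_:);;;Argument[0];log-injection",
 ";;false;NSLog(_:_:);;;Argument[1].ArrayElement;log-injection",
 ";;false;NSLogv(_:_:);;;Argument[0];log-injection",
-";;false;NSLogv(_:_:);;;Argument[1].ArrayElement;log-injection",
+";;false;NSLogv(_:_:);;;Argument[1];log-injection",
 ";;false;vfprintf(_:_:_:);;;Agument[1..2];log-injection",
 ";Logger;true;log(_:);;;Argument[0];log-injection",
 ";Logger;true;log(level:_:);;;Argument[1];log-injection",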
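Review bot: The vfprintf row two lines below the corrected NSLogv row spells its access path `Agument[1..2]`, which is not a recognised spec component, so that sink row most likely never matches and the data argument of `vfprintf(_:_:_:)` is silently not treated as a logging sink. Since this commit is already tightening the sink specs in the same list, it should read `";;false;vfprintf(_:_:_:);;;Argument[1..2];log-injection",`. Given the new getVaList summary, a vfprintf call fed through getVaList would then be detected in the same way the updated NSLogv test cases now are; a test case mirroring the NSLogv ones would confirm that. The enclosing LoggingSinks class starts and ends outside the hunk.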

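--- a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
+++ b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -96,8 +96,8 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
 NSLog("%@", password as! CVarArg) // $ MISSING: hasCleartextLogging=96
 NSLog("%@ %@", "" as! CVarArg, password as! CVarArg) // $ MISSING: hasCleartextLogging=97
 NSLog("\(password)") // $ hasCleartextLogging=98
-NSLogv("%@", getVaList([password as! CVarArg])) // $ MISSING: hasCleartextLogging=99
-NSLogv("%@ %@", getVaList(["" as! CVarArg, password as! CVarArg])) // $ MISSING: hasCleartextLogging=100
+NSLogv("%@", getVaList([password as! CVarArg])) // $ hasCleartextLogging=99
+NSLogv("%@ %@", getVaList(["" as! CVarArg, password as! CVarArg])) // $ hasCleartextLogging=100
 NSLog(passwordHash) // SAfe
 NSLogv("%@", getVaList([passwordHash as! CVarArg])) // Safe
 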