Merge pull request #14312 from geoffw0/sqlpathinject2

Swift: Add sinks for sqlite3 and SQLite.swift to swift/cleartext-storage-database

Author: rdmarsh2

swift/ql/lib/codeql/swift/frameworks/Frameworks.qll

@@ -4,6 +4,7 @@
 
 private import Alamofire.Alamofire
 private import JavaScriptCore.JavaScriptCore
+private import SQL.SQL
 private import StandardLibrary.StandardLibrary
 private import UIKit.UIKit
 private import Xml.Xml

swift/ql/lib/codeql/swift/frameworks/SQL/SQL.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides models for SQL libraries.
+ */
+
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A model for SQL library functions that permit taint flow.
+ */
+private class FilePathSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // SQLite.Swift
+        ";;false;<-(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";Expression;true;init(_:_:);;;Argument[0];ReturnValue;taint",
+        ";Expression;true;init(_:_:);;;Argument[1].CollectionElement;ReturnValue;taint",
+        ";ExpressionType;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";ExpressionType;true;replace(_:with:);;;Argument[1];ReturnValue;taint",
+      ]
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll

@@ -108,7 +108,48 @@ private class CleartextStorageDatabaseSinks extends SinkModelCsv {
         ";FetchableRecord;true;fetchOne(_:arguments:adapter:);;;Argument[1];database-store",
         ";Statement;true;execute(arguments:);;;Argument[0];database-store",
         ";CommonTableExpression;true;init(recursive:named:columns:sql:arguments:);;;Argument[4];database-store",
-        ";Statement;true;setArguments(_:);;;Argument[0];database-store"
+        ";Statement;true;setArguments(_:);;;Argument[0];database-store",
+        // sqlite3 sinks
+        ";;false;sqlite3_exec(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare_v2(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare_v3(_:_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16_v2(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_prepare16_v3(_:_:_:_:_:);;;Argument[1];database-store",
+        ";;false;sqlite3_bind_blob(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_blob64(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_double(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_int(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_int64(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text16(_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_text64(_:_:_:_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_value(_:_:_:);;;Argument[2];database-store",
+        ";;false;sqlite3_bind_pointer(_:_:_:_:);;;Argument[2];database-store",
+        // SQLite.swift
+        ";Connection;true;execute(_:);;;Argument[0];database-store",
+        ";Connection;true;prepare(_:_:);;;Argument[0];database-store",
+        ";Connection;true;prepare(_:_:);;;Argument[1];database-store",
+        ";Connection;true;run(_:_:);;;Argument[0];database-store",
+        ";Connection;true;run(_:_:);;;Argument[1];database-store",
+        ";Connection;true;scalar(_:_:);;;Argument[0];database-store",
+        ";Connection;true;scalar(_:_:);;;Argument[1];database-store",
+        ";Statement;true;init(_:_:);;;Argument[1];database-store",
+        ";Statement;true;bind(_:);;;Argument[0];database-store",
+        ";Statement;true;run(_:);;;Argument[0];database-store",
+        ";Statement;true;scalar(_:);;;Argument[0];database-store",
+        ";QueryType;true;insert(_:);;;Argument[0];database-store",
+        ";QueryType;true;insert(_:_:);;;Argument[0..1];database-store",
+        ";QueryType;true;insert(or:_:);;;Argument[1];database-store",
+        ";QueryType;true;insertMany(_:);;;Argument[0];database-store",
+        ";QueryType;true;insertMany(or:_:);;;Argument[1];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:);;;Argument[0];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[0];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[2];database-store",
+        ";QueryType;true;update(_:);;;Argument[0];database-store",
+        ";QueryType;true;update(_:_:);;;Argument[0..1];database-store",
+        ";QueryType;true;update(or:_:);;;Argument[1];database-store",
       ]
   }
 }

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -40,7 +40,13 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
       c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
     )
     or
-    // flow out from array elements of at the sink,
+    // flow out from dictionary tuple values at the sink (this is essential
+    // for some of the SQLite.swift models).
+    isSink(node) and
+    node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and
+    c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1
+    or
+    // flow out from array elements (and other collection content) at the sink,
     // for example in `database.allStatements(sql: "", arguments: [sensitive])`.
     isSink(node) and
     c.getAReadContent() instanceof DataFlow::Content::CollectionContent

swift/ql/src/change-notes/2023-09-22-cleartext-storage-database-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added sqlite3 and SQLite.swift sinks and flow summaries for the `swift/cleartext-storage-database` query.