Swift: basic Data-related taint flow in query

d10c · d10c · commit d37ed02e7962 · 2022-11-08T11:24:53.000+01:00
Still TODO: a more comprehensive taint flow model for Data in the libs.
diff --git a/swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql b/swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
@@ -108,6 +108,15 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
                 ])
         ).getArgument(0)
       or
+      arg =
+        any(CallExpr ce | ce.getStaticTarget().(MethodDecl).hasQualifiedName("Data", "init(_:)"))
+            .getArgument(0)
+      or
+      arg =
+        any(CallExpr ce |
+          ce.getStaticTarget().(MethodDecl).hasQualifiedName("String", "init(decoding:as:)")
+        ).getArgument(0)
+      or
       arg =
         any(CallExpr ce |
           ce.getStaticTarget()
@@ -135,10 +144,10 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
     or
     exists(MemberRefExpr e, Expr self, VarDecl member |
       self.getType().getName() = "String" and
-      member.getName() = ["utf16", "utf8CString"]
+      member.getName() = ["utf8", "utf16", "utf8CString"]
       or
       self.getType().getName().matches(["Unsafe%Buffer%", "Unsafe%Pointer%"]) and
-      member.getName() = ["baseAddress"]
+      member.getName() = "baseAddress"
     |
       e.getBase() = self and
       e.getMember() = member and
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
@@ -5,6 +5,7 @@ edges
 | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:164:10:164:37 | try ... :  |
 | UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | UnsafeJsEval.swift:204:7:204:7 | remoteString :  |
 | UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  |
+| UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  |
 | UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:264:13:264:13 | string :  |
 | UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:267:13:267:13 | string :  |
 | UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:275:13:275:13 | string :  |
@@ -23,6 +24,12 @@ edges
 | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:278:13:278:13 | string :  |
 | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:284:13:284:13 | string :  |
 | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:298:13:298:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:264:13:264:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:267:13:267:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:275:13:275:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:278:13:278:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:284:13:284:13 | string :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | UnsafeJsEval.swift:298:13:298:13 | string :  |
 | UnsafeJsEval.swift:264:13:264:13 | string :  | UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) |
 | UnsafeJsEval.swift:267:13:267:13 | string :  | UnsafeJsEval.swift:268:22:268:124 | call to init(source:injectionTime:forMainFrameOnly:in:) |
 | UnsafeJsEval.swift:275:13:275:13 | string :  | UnsafeJsEval.swift:276:26:276:26 | string |
@@ -52,6 +59,7 @@ nodes
 | UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
 | UnsafeJsEval.swift:204:7:204:7 | remoteString :  | semmle.label | remoteString :  |
 | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | semmle.label | ... .+(_:_:) ... :  |
+| UnsafeJsEval.swift:213:7:213:49 | call to init(decoding:as:) :  | semmle.label | call to init(decoding:as:) :  |
 | UnsafeJsEval.swift:264:13:264:13 | string :  | semmle.label | string :  |
 | UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) | semmle.label | call to init(source:injectionTime:forMainFrameOnly:) |
 | UnsafeJsEval.swift:267:13:267:13 | string :  | semmle.label | string :  |
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift
@@ -184,7 +184,7 @@ func testAsync(_ sink: @escaping (String) async throws -> ()) {
 		let remoteData = Data(remoteString.utf8)
 
 		try! await sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
-		try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)
+		try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD: the data is remote
 
 		try! await sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
 		try! await sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion
@@ -210,7 +210,7 @@ func testSync(_ sink: @escaping (String) -> ()) {
 	let remoteData = Data(remoteString.utf8)
 
 	sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
-	sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)
+	sink(String(decoding: remoteData, as: UTF8.self)) // BAD: the data is remote
 
 	sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
 	sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion
