
Commit d91c5c0

Swift: Model NSException sinks.
1 parent 7e02c05 commit d91c5c0

3 files changed

+10
-5
lines changed


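--- a/swift/ql/lib/codeql/swift/StringFormat.qll
+++ b/swift/ql/lib/codeql/swift/StringFormat.qll
@@ -65,10 +65,13 @@ class NsLog extends FormattingFunction, FreeFunction {
 }
 
 /**
-* The `NSException.raise` method.
+* The `NSException.init` and `NSException.raise` methods.
 */
 class NsExceptionRaise extends FormattingFunction, Method {
-NsExceptionRaise() { this.hasQualifiedName("NSException", "raise(_:format:arguments:)") }
+NsExceptionRaise() {
+this.hasQualifiedName("NSException", "init(name:reason:userInfo:)") or
+this.hasQualifiedName("NSException", "raise(_:format:arguments:)")
+}
 
 override int getFormatParameterIndex() { result = 1 }
 }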
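Review bot: `override int getFormatParameterIndex() { result = 1 }` now also applies to `init(name:reason:userInfo:)`, but `reason:` is a plain string, not a printf-style format, so any query that treats a `FormattingFunction`'s format parameter as a format-string sink would, as far as I can tell, start reporting a tainted `reason:` as format-string injection while `raise(_:format:arguments:)` remains the only overload that actually interprets its argument as a format. If the intent is only to make `reason:` a logging sink, the CSV row in CleartextLoggingExtensions.qll already covers that and the `init` overload may not belong in this class; if it is needed here, the reason should be stated in the doc comment rather than left implicit. The class name `NsExceptionRaise` also no longer matches what it models, so either rename it or note the mismatch, e.g. `/** The `NSException.init` and `NSException.raise` methods; `init` is included for ... (state why). */`.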

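--- a/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
@@ -160,6 +160,8 @@ private class LoggingSinks extends SinkModelCsv {
 ";;false;os_log(_:log:_:);;;Argument[2];log-injection",
 ";;false;os_log(_:dso:log:_:_:);;;Argument[0,4];log-injection",
 ";;false;os_log(_:dso:log:type:_:);;;Argument[0,4];log-injection",
+";NSException;true;init(name:reason:userInfo:);;;Argument[1];log-injection",
+";NSException;true;raise(_:format:arguments:);;;Argument[1..2];log-injection",
 ]
 }
 }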
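Review bot: Only `reason:` (`Argument[1]`) of `init(name:reason:userInfo:)` and `format:`/`arguments:` of `raise(_:format:arguments:)` become sinks, yet the default uncaught-exception output prints the exception name alongside the reason, so a secret passed through `name:` (`Argument[0]`) reaches the same log unflagged; `userInfo:` (`Argument[2]`) may deserve the same consideration depending on how the query defines its sinks. Whether those arguments are in scope is a judgement call, but it should be recorded either as an extra row or as a comment next to these two, e.g. `// name: and userInfo: are deliberately not modelled as sinks`. The new test in cleartextLoggingTest.swift (the third section of this commit) only exercises `reason:` and `format:`, so it does not pin that decision either way.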

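--- a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
+++ b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -337,11 +337,11 @@ func test5(password: String, caseNum: Int) {
 }
 
 func test6(passwordString: String) {
-let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ MISSING: hasCleartextLogging=
+let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ hasCleartextLogging=340
 e.raise()
 
-NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ MISSING: hasCleartextLogging=
-NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ MISSING: hasCleartextLogging=
+NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ hasCleartextLogging=343
+NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ hasCleartextLogging=344
 
 _ = dprintf(0, "\(passwordString) is incorrect!") // $ hasCleartextLogging=346
 _ = dprintf(0, "%s is incorrect!", passwordString) // $ hasCleartextLogging=347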
