Swift: Add UncontrolledFormatStringExtensions.qll.

geoffw0 · geoffw0 · commit dba344451f9c · 2022-12-08T11:32:50.000Z
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringExtensions.qll
@@ -0,0 +1,36 @@
+/**
+ * Provides classes and predicates for reasoning about uncontrolled
+ * format string vulnerabilities.
+ */
+
+import swift
+import codeql.swift.StringFormat
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+
+/**
+ * A dataflow sink for uncontrolled format string vulnerabilities.
+ */
+abstract class UncontrolledFormatStringSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for uncontrolled format string vulnerabilities.
+ */
+abstract class UncontrolledFormatStringSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class UncontrolledFormatStringAdditionalTaintStep extends Unit {
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A default uncontrolled format string sink, that is, the format argument to
+ * a `FormattingFunctionCall`.
+ */
+private class DefaultUncontrolledFormatStringSink extends UncontrolledFormatStringSink {
+  DefaultUncontrolledFormatStringSink() {
+    this.asExpr() = any(FormattingFunctionCall fc).getFormat()
+  }
+}
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
@@ -8,6 +8,7 @@ import codeql.swift.StringFormat
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.FlowSources
+import codeql.swift.security.UncontrolledFormatStringExtensions
 
 /**
  * A taint configuration for tainted data that reaches a format string.
@@ -17,7 +18,13 @@ class TaintedFormatConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
 
-  override predicate isSink(DataFlow::Node node) {
-    node.asExpr() = any(FormattingFunctionCall fc).getFormat()
+  override predicate isSink(DataFlow::Node node) { node instanceof UncontrolledFormatStringSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof UncontrolledFormatStringSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }
 }
