Add path injection query

Author: atorralba

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -82,10 +82,12 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.Data
   private import codeql.swift.frameworks.StandardLibrary.InputStream
   private import codeql.swift.frameworks.StandardLibrary.NSData
+  private import codeql.swift.frameworks.StandardLibrary.NsUrl
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
   private import codeql.swift.frameworks.StandardLibrary.WebView
+  private import codeql.swift.security.PathInjection
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsUrl.qll

@@ -0,0 +1,17 @@
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSteps
+
+/**
+ * A model for `NSURL` members that permit taint flow.
+ */
+private class NsUrlSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";NSURL;true;init(string:);(String);;Argument[0];ReturnValue;taint",
+        // TODO
+      ]
+  }
+}

swift/ql/lib/codeql/swift/security/PathInjection.qll

@@ -0,0 +1,99 @@
+/** Provides classes and predicates to reason about path injection vulnerabilities. */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+
+/** A data flow sink for path injection vulnerabilities. */
+abstract class PathInjectionSink extends DataFlow::Node { }
+
+/** A sanitizer for path injection vulnerabilities. */
+abstract class PathInjectionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to paths related to
+ * path injection vulnerabilities.
+ */
+class PathInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to path injection vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class DefaultPathInjectionSink extends PathInjectionSink {
+  DefaultPathInjectionSink() { sinkNode(this, "path-injection") }
+}
+
+private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
+  DefaultPathInjectionSanitizer() { none() } // TODO: Implement a proper path sanitizer
+}
+
+private class PathInjectionSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";Data;true;write(to:options:);;;Argument[0];path-injection",
+        ";NSData;true;write(to:atomically:);;;Argument[0];path-injection",
+        ";NSData;true;write(to:options:);;;Argument[0];path-injection",
+        ";NSData;true;write(toFile:atomically:);;;Argument[0];path-injection",
+        ";NSData;true;write(toFile:options:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsOfDirectory(at:includingPropertiesForKeys:options:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsOfDirectory(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;enumerator(at:includingPropertiesForKeys:options:errorHandler:);;;Argument[0];path-injection",
+        ";FileManager;true;enumerator(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;subpathsOfDirectory(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;subpaths(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(at:withIntermediateDirectories:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(atPath:withIntermediateDirectories:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createFile(atPath:contents:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;removeItem(at:);;;Argument[0];path-injection",
+        ";FileManager;true;removeItem(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;trashItem(at:resultingItemURL:);;;Argument[0];path-injection",
+        ";FileManager;true;replaceItem(at:withItemAt:backupItemName:options:resultingItemURL:);;;Argument[0..1];path-injection",
+        ";FileManager;true;replaceItemAt(_:withItemAt:backupItemName:options:);;;Argument[0..1];path-injection",
+        ";FileManager;true;replaceItemAt(_:withItemAt:backupItemName:options:resultingItemURL:);;;Argument[0..1];path-injection",
+        ";FileManager;true;copyItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;copyItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;moveItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;moveItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;createSymbolicLink(at:withDestinationURL:);;;Argument[0..1];path-injection",
+        ";FileManager;true;createSymbolicLink(atPath:withDestinationPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;linkItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;linkItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;destinationOfSymbolicLink(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;fileExists(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;fileExists(atPath:isDirectory:);;;Argument[0];path-injection",
+        ";FileManager;true;isReadableFile(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;isWritableFile(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;isDeletableFile(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;componentsToDisplay(forPath:);;;Argument[0];path-injection",
+        ";FileManager;true;displayName(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;attributesOfItem(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;attributesOfFileSystem(forPath:);;;Argument[0];path-injection",
+        ";FileManager;true;setAttributes(_:ofItemAtPath:);;;Argument[1];path-injection",
+        ";FileManager;true;contents(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsEqual(atPath:andPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;getRelationship(_:ofDirectoryAt:toItemAt:);;;Argument[1..2];path-injection",
+        ";FileManager;true;getRelationship(_:of:in:toItemAt:);;;Argument[3];path-injection",
+        ";FileManager;true;changeCurrentDirectoryPath(_:);;;Argument[0];path-injection",
+        ";FileManager;true;unmountVolume(at:options:completionHandler:);;;Argument[0];path-injection",
+        ";FileManager;true;NSHFSTypeOfFile(_:);;;Argument[0];path-injection",
+        // Deprecated FileManager methods:
+        ";FileManager;true;changeFileAttributes(_:atPath:);;;Argument[1];path-injection",
+        ";FileManager;true;fileAttributes(atPath:traverseLink:);;;Argument[0];path-injection",
+        ";FileManager;true;fileSystemAttributes(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;directoryContents(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(atPath:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createSymbolicLink(atPath:pathContent:);;;Argument[0..1];path-injection",
+        ";FileManager;true;pathContentOfSymbolicLink(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;replaceItemAtURL(originalItemURL:withItemAtURL:backupItemName:options:);;;Argument[0..1];path-injection",
+        ";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
+        ";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
+        ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection"
+      ]
+  }
+}

swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll

@@ -0,0 +1,30 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about path injection
+ * vulnerabilities.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.TaintTracking
+private import codeql.swift.security.PathInjection
+
+/**
+ * A taint-tracking configuration for path injection vulnerabilities.
+ */
+class PathInjectionConfiguration extends TaintTracking::Configuration {
+  PathInjectionConfiguration() { this = "PathInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PathInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof PathInjectionSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
+  }
+}

swift/ql/src/queries/Security/CWE-022/PathInjection.qhelp

@@ -0,0 +1,58 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Accessing paths controlled by users can allow an attacker to access unexpected resources. This 
+can result in sensitive information being revealed or deleted, or an attacker being able to influence
+behavior by modifying unexpected files.</p>
+
+<p>Paths that are naively constructed from data controlled by a user may contain unexpected special characters,
+such as "..". Such a path may potentially point to any directory on the file system.</p>
+</overview>
+
+<recommendation>
+
+<p>Validate user input before using it to construct a file path. Ideally, follow these rules:</p>
+
+<ul>
+<li>Do not allow more than a single "." character.</li>
+<li>Do not allow directory separators such as "/" or "\" (depending on the file system).</li>
+<li>Do not rely on simply replacing problematic sequences such as "../". For example, after applying this filter to
+".../...//" the resulting string would still be "../".</li>
+<li>Ideally use a whitelist of known good patterns.</li>
+</ul>
+
+</recommendation>
+
+<example>
+<p>
+In the first example, a file name is read from an HTTP request and then used to access a file.
+However, a malicious response could include a file name that is an absolute path, such as
+<code>"/Applications/(current_application)/Documents/sensitive.data"</code>.
+</p>
+
+<p>
+In the second example, it appears that the user is restricted to opening a file within the
+<code>"/Library/Caches"</code> home directory. However, a malicious response could contain a file name containing
+special characters. For example, the string <code>"../../Documents/sensitive.data"</code> will result in the code
+reading the file located at <code>"/Applications/(current_application)/Library/Caches/../../Documents/sensitive.data"</code>, 
+which contains users' sensitive data. This file may then be made accesible to an attacker, giving them access to all this data.
+</p>
+
+<sample src="PathInjectionBad.swift" />
+
+<p>
+In the third example, the path used to access the file system is normalized <em>before</em> being checked against a
+known prefix. This ensures that regardless of the user input, the resulting path is safe.
+</p>
+
+<sample src="PathInjectionGood.swift" />
+
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-022/PathInjection.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Uncontrolled data used in path expression
+ * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/path-injection
+ * @tags security
+ *       external/cwe/cwe-022
+ *       external/cwe/cwe-023
+ *       external/cwe/cwe-036
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-099
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.PathInjectionQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(PathInjectionConfiguration c).hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"

swift/ql/src/queries/Security/CWE-022/PathInjectionBad.swift

@@ -0,0 +1,10 @@
+let fm = FileManager.default
+let path = try String(contentsOf: URL(string: "http://example.com/")!)
+
+// BAD
+return fm.contents(atPath: path)
+
+// BAD
+if (path.hasPrefix(NSHomeDirectory() + "/Library/Caches")) {
+    return fm.contents(atPath: path)
+}

swift/ql/src/queries/Security/CWE-022/PathInjectionGood.swift

@@ -0,0 +1,8 @@
+let fm = FileManager.default
+let path = try String(contentsOf: URL(string: "http://example.com/")!)
+
+// GOOD
+let filePath = FilePath(stringLiteral: path)
+if (filePath.lexicallyNormalized().starts(with: FilePath(stringLiteral: NSHomeDirectory() + "/Library/Caches"))) {
+    return fm.contents(atPath: path)
+}

swift/ql/test/query-tests/Security/CWE-022/PathInjectionTest.expected

@@ -0,0 +1,24 @@
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.FlowSources
+import codeql.swift.security.PathInjectionQuery
+import TestUtilities.InlineExpectationsTest
+
+class PathInjectionTest extends InlineExpectationsTest {
+  PathInjectionTest() { this = "PathInjectionTest" }
+
+  override string getARelevantTag() { result = "hasPathInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(
+      PathInjectionConfiguration config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
+    |
+      config.hasFlow(source, sink) and
+      sinkExpr = sink.asExpr() and
+      location = sinkExpr.getLocation() and
+      element = sinkExpr.toString() and
+      tag = "hasPathInjection" and
+      value = source.asExpr().getLocation().getStartLine().toString()
+    )
+  }
+}