update the expected output for CWE-079

karimhamdanali · karimhamdanali · commit f6bc88471a96 · 2022-11-30T16:34:24.000+02:00
Now that we have support for taint through fields of String, we can now detect certain flows that we previously marked as [NOT DETECTED]. This commit updates the expected output of CWE-079 (and the in-code annotation of the accompanying test case) to reflect that update.
diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected
@@ -1,6 +1,7 @@
 edges
 | UnsafeWebViewFetch.swift:10:2:10:25 | [summary param] 0 in init(string:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:) :  |
 | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(_:) :  |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  |
@@ -18,6 +19,7 @@ edges
 | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:137:25:137:25 | remoteString |
 | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString |
 | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:150:24:150:37 | .utf8 :  |
 | UnsafeWebViewFetch.swift:131:18:131:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:132:52:132:52 | remoteURL :  |
 | UnsafeWebViewFetch.swift:131:18:131:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:138:47:138:56 | ...! |
 | UnsafeWebViewFetch.swift:131:18:131:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:139:48:139:57 | ...! |
@@ -29,6 +31,10 @@ edges
 | UnsafeWebViewFetch.swift:132:19:132:61 | call to init(string:relativeTo:) :  | UnsafeWebViewFetch.swift:141:48:141:58 | ...! |
 | UnsafeWebViewFetch.swift:132:52:132:52 | remoteURL :  | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  |
 | UnsafeWebViewFetch.swift:132:52:132:52 | remoteURL :  | UnsafeWebViewFetch.swift:132:19:132:61 | call to init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:150:19:150:41 | call to init(_:) :  | UnsafeWebViewFetch.swift:152:15:152:15 | remoteData |
+| UnsafeWebViewFetch.swift:150:19:150:41 | call to init(_:) :  | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData |
+| UnsafeWebViewFetch.swift:150:24:150:37 | .utf8 :  | UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  |
+| UnsafeWebViewFetch.swift:150:24:150:37 | .utf8 :  | UnsafeWebViewFetch.swift:150:19:150:41 | call to init(_:) :  |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:174:25:174:25 | "..." |
@@ -37,6 +43,7 @@ edges
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:184:25:184:25 | remoteString |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:197:24:197:37 | .utf8 :  |
 | UnsafeWebViewFetch.swift:178:18:178:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:179:52:179:52 | remoteURL :  |
 | UnsafeWebViewFetch.swift:178:18:178:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:185:47:185:56 | ...! |
 | UnsafeWebViewFetch.swift:178:18:178:42 | call to init(string:) :  | UnsafeWebViewFetch.swift:186:48:186:57 | ...! |
@@ -48,11 +55,16 @@ edges
 | UnsafeWebViewFetch.swift:179:19:179:61 | call to init(string:relativeTo:) :  | UnsafeWebViewFetch.swift:188:48:188:58 | ...! |
 | UnsafeWebViewFetch.swift:179:52:179:52 | remoteURL :  | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  |
 | UnsafeWebViewFetch.swift:179:52:179:52 | remoteURL :  | UnsafeWebViewFetch.swift:179:19:179:61 | call to init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:197:19:197:41 | call to init(_:) :  | UnsafeWebViewFetch.swift:199:15:199:15 | remoteData |
+| UnsafeWebViewFetch.swift:197:19:197:41 | call to init(_:) :  | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData |
+| UnsafeWebViewFetch.swift:197:24:197:37 | .utf8 :  | UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  |
+| UnsafeWebViewFetch.swift:197:24:197:37 | .utf8 :  | UnsafeWebViewFetch.swift:197:19:197:41 | call to init(_:) :  |
 | UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData |
 | UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData |
 nodes
 | UnsafeWebViewFetch.swift:10:2:10:25 | [summary param] 0 in init(string:) :  | semmle.label | [summary param] 0 in init(string:) :  |
 | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  | semmle.label | [summary param] 1 in init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  | semmle.label | [summary param] 0 in init(_:) :  |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | semmle.label | try ... :  |
 | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | semmle.label | call to init(contentsOf:) :  |
 | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | semmle.label | try! ... |
@@ -78,7 +90,11 @@ nodes
 | UnsafeWebViewFetch.swift:140:47:140:57 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | semmle.label | remoteString |
 | UnsafeWebViewFetch.swift:141:48:141:58 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:150:19:150:41 | call to init(_:) :  | semmle.label | call to init(_:) :  |
+| UnsafeWebViewFetch.swift:150:24:150:37 | .utf8 :  | semmle.label | .utf8 :  |
+| UnsafeWebViewFetch.swift:152:15:152:15 | remoteData | semmle.label | remoteData |
 | UnsafeWebViewFetch.swift:153:85:153:94 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | semmle.label | remoteData |
 | UnsafeWebViewFetch.swift:154:86:154:95 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
 | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | semmle.label | call to getRemoteData() |
@@ -97,18 +113,25 @@ nodes
 | UnsafeWebViewFetch.swift:187:47:187:57 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | semmle.label | remoteString |
 | UnsafeWebViewFetch.swift:188:48:188:58 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:197:19:197:41 | call to init(_:) :  | semmle.label | call to init(_:) :  |
+| UnsafeWebViewFetch.swift:197:24:197:37 | .utf8 :  | semmle.label | .utf8 :  |
+| UnsafeWebViewFetch.swift:199:15:199:15 | remoteData | semmle.label | remoteData |
 | UnsafeWebViewFetch.swift:200:90:200:99 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | semmle.label | remoteData |
 | UnsafeWebViewFetch.swift:201:91:201:100 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
 | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData |
 | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData |
+| file://:0:0:0:0 | [summary] to write: return (return) in init(_:) :  | semmle.label | [summary] to write: return (return) in init(_:) :  |
 | file://:0:0:0:0 | [summary] to write: return (return) in init(string:) :  | semmle.label | [summary] to write: return (return) in init(string:) :  |
 | file://:0:0:0:0 | [summary] to write: return (return) in init(string:relativeTo:) :  | semmle.label | [summary] to write: return (return) in init(string:relativeTo:) :  |
 subpaths
 | UnsafeWebViewFetch.swift:131:30:131:30 | remoteString :  | UnsafeWebViewFetch.swift:10:2:10:25 | [summary param] 0 in init(string:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:) :  | UnsafeWebViewFetch.swift:131:18:131:42 | call to init(string:) :  |
 | UnsafeWebViewFetch.swift:132:52:132:52 | remoteURL :  | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:relativeTo:) :  | UnsafeWebViewFetch.swift:132:19:132:61 | call to init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:150:24:150:37 | .utf8 :  | UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(_:) :  | UnsafeWebViewFetch.swift:150:19:150:41 | call to init(_:) :  |
 | UnsafeWebViewFetch.swift:178:30:178:30 | remoteString :  | UnsafeWebViewFetch.swift:10:2:10:25 | [summary param] 0 in init(string:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:) :  | UnsafeWebViewFetch.swift:178:18:178:42 | call to init(string:) :  |
 | UnsafeWebViewFetch.swift:179:52:179:52 | remoteURL :  | UnsafeWebViewFetch.swift:11:2:11:43 | [summary param] 1 in init(string:relativeTo:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(string:relativeTo:) :  | UnsafeWebViewFetch.swift:179:19:179:61 | call to init(string:relativeTo:) :  |
+| UnsafeWebViewFetch.swift:197:24:197:37 | .utf8 :  | UnsafeWebViewFetch.swift:43:5:43:29 | [summary param] 0 in init(_:) :  | file://:0:0:0:0 | [summary] to write: return (return) in init(_:) :  | UnsafeWebViewFetch.swift:197:19:197:41 | call to init(_:) :  |
 #select
 | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | UnsafeWebViewFetch.swift:103:30:103:84 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:103:25:103:84 | try! ... | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:106:25:106:25 | data | UnsafeWebViewFetch.swift:105:18:105:72 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:106:25:106:25 | data | Tainted data is used in a WebView fetch without restricting the base URL. |
@@ -119,10 +142,12 @@ subpaths
 | UnsafeWebViewFetch.swift:127:25:127:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:127:25:127:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
 | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:154:15:154:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. |
 | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:171:25:171:51 | ... .+(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:174:25:174:25 | "..." | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
 | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:201:15:201:15 | remoteData | Tainted data is used in a WebView fetch with a tainted base URL. |
 | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to init(contentsOf:) :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. |
diff --git a/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift b/swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.swift
@@ -151,7 +151,7 @@ func testUIWebView() {
 	webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local
 	webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
 	webview.load(localData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local
-	webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // BAD [NOT DETECTED]
+	webview.load(remoteData, mimeType: "text/html", textEncodingName: "utf-8", baseURL: remoteURL!) // BAD
 }
 
 func testWKWebView() {
@@ -198,7 +198,7 @@ func testWKWebView() {
 	webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: the data is local
 	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: localSafeURL!) // GOOD: a safe baseURL is specified
 	webview.load(localData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // GOOD: the HTML data is local
-	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD [NOT DETECTED]
+	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD
 }
 
 func testQHelpExamples() {
