Merge pull request github#10757 from geoffw0/sqlinject

Swift: Query for SQL injection

Author: geoffw0

swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>
+If a database query (such as a SQL query) is built from user-provided data without sufficient sanitization, a user may be able to run malicious database queries. An attacker can craft the part of the query they control to change the overall meaning of the query.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Most database connector libraries offer a way to safely embed untrusted data into a query using query parameters or prepared statements. You should use these features to build queries, rather than string concatenation or similar methods without sufficient sanitization.
+</p>
+
+</recommendation>
+<example>
+
+<p>In the following example, a SQL query is prepared using string interpolation to directly include a user-controlled value <code>userControlledString</code> in the query. An attacker could craft <code>userControlledString</code> to change the overall meaning of the SQL query.
+</p>
+
+<sample src="SqlInjectionBad.swift" />
+
+<p>A better way to do this is with a prepared statement, binding <code>userControlledString</code> to a parameter of that statement. An attacker who controls <code>userControlledString</code> now cannot change the overall meaning of the query.
+</p>
+
+<sample src="SqlInjectionGood.swift" />
+
+</example>
+<references>
+
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-089/SqlInjection.ql

@@ -0,0 +1,83 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id swift/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/**
+ * A `DataFlow::Node` that is a sink for a SQL string to be executed.
+ */
+abstract class SqlSink extends DataFlow::Node { }
+
+/**
+ * A sink for the sqlite3 C API.
+ */
+class CApiSqlSink extends SqlSink {
+  CApiSqlSink() {
+    // `sqlite3_exec` and variants of `sqlite3_prepare`.
+    exists(AbstractFunctionDecl f, CallExpr call |
+      f.getName() =
+        [
+          "sqlite3_exec(_:_:_:_:_:)", "sqlite3_prepare(_:_:_:_:_:)",
+          "sqlite3_prepare_v2(_:_:_:_:_:)", "sqlite3_prepare_v3(_:_:_:_:_:_:)",
+          "sqlite3_prepare16(_:_:_:_:_:)", "sqlite3_prepare16_v2(_:_:_:_:_:)",
+          "sqlite3_prepare16_v3(_:_:_:_:_:_:)"
+        ] and
+      call.getStaticTarget() = f and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A sink for the SQLite.swift library.
+ */
+class SQLiteSwiftSqlSink extends SqlSink {
+  SQLiteSwiftSqlSink() {
+    // Variants of `Connection.execute`, `connection.prepare` and `connection.scalar`.
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "Connection" and
+      c.getAMember() = f and
+      f.getName() = ["execute(_:)", "prepare(_:_:)", "run(_:_:)", "scalar(_:_:)"] and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+    or
+    // String argument to the `Statement` constructor.
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "Statement" and
+      c.getAMember() = f and
+      f.getName() = "init(_:_:)" and
+      call.getStaticTarget() = f and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A taint configuration for tainted data that reaches a SQL sink.
+ */
+class SqlInjectionConfig extends TaintTracking::Configuration {
+  SqlInjectionConfig() { this = "SqlInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof SqlSink }
+}
+
+from SqlInjectionConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This query depends on a $@.",
+  sourceNode.getNode(), "user-provided value"

swift/ql/src/queries/Security/CWE-089/SqlInjectionBad.swift

@@ -0,0 +1,3 @@
+let unsafeQuery = "SELECT * FROM users WHERE username='\(userControlledString)'" // BAD
+
+try db.execute(unsafeQuery)

swift/ql/src/queries/Security/CWE-089/SqlInjectionGood.swift

@@ -0,0 +1,4 @@
+let safeQuery = "SELECT * FROM users WHERE username=?"
+
+let stmt = try db.prepare(safeQuery, userControlledString) // GOOD
+try stmt2.run()

swift/ql/test/query-tests/Security/CWE-089/SQLite.swift

@@ -0,0 +1,133 @@
+
+// --- stubs ---
+
+struct URL
+{
+	init?(string: String) {}
+	init?(string: String, relativeTo: URL?) {}
+}
+
+extension String {
+	init(contentsOf: URL) throws {
+		var data = ""
+
+		// ...
+
+		self.init(data)
+	}
+}
+
+public protocol Binding {}
+
+extension String: Binding {}
+
+class Statement {
+	fileprivate let connection: Connection
+
+	init(_ connection: Connection, _ SQL: String) throws { self.connection = connection}
+
+	public func bind(_ values: Binding?...) -> Statement { return Statement(connection, "") }
+	public func bind(_ values: [Binding?]) -> Statement { return Statement(connection, "") }
+	public func bind(_ values: [String: Binding?]) -> Statement { return Statement(connection, "") }
+
+	@discardableResult public func run(_ bindings: Binding?...) throws -> Statement { return Statement(connection, "") }
+	@discardableResult public func run(_ bindings: [Binding?]) throws -> Statement { return Statement(connection, "") }
+	@discardableResult public func run(_ bindings: [String: Binding?]) throws -> Statement { return Statement(connection, "") }
+
+	public func scalar(_ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [String: Binding?]) throws -> Binding? { return nil }
+}
+
+class Connection {
+	public func execute(_ SQL: String) throws { }
+
+	public func prepare(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement(self, "") }
+
+	@discardableResult public func run(_ statement: String, _ bindings: Binding?...) throws -> Statement { return Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return Statement(self, "") }
+
+	public func scalar(_ statement: String, _ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [String: Binding?]) throws -> Binding? { return nil }
+}
+
+// --- tests ---
+
+func test_sqlite_swift_api(db: Connection) {
+	let localString = "user"
+	let remoteString = try! String(contentsOf: URL(string: "http://example.com/")!)
+	let remoteNumber = Int(remoteString) ?? 0
+
+	let unsafeQuery1 = remoteString
+	let unsafeQuery2 = "SELECT * FROM users WHERE username='" + remoteString + "'"
+	let unsafeQuery3 = "SELECT * FROM users WHERE username='\(remoteString)'"
+	let safeQuery1 = "SELECT * FROM users WHERE username='\(localString)'"
+	let safeQuery2 = "SELECT * FROM users WHERE username='\(remoteNumber)'"
+
+	// --- execute ---
+
+	try db.execute(unsafeQuery1) // BAD
+	try db.execute(unsafeQuery2) // BAD
+	try db.execute(unsafeQuery3) // BAD
+	try db.execute(safeQuery1) // GOOD
+	try db.execute(safeQuery2) // GOOD
+
+	// --- prepared statements ---
+
+	let varQuery = "SELECT * FROM users WHERE username=?"
+
+	let stmt1 = try db.prepare(unsafeQuery3) // BAD
+	try stmt1.run()
+
+	let stmt2 = try db.prepare(varQuery, localString) // GOOD
+	try stmt2.run()
+
+	let stmt3 = try db.prepare(varQuery, remoteString) // GOOD
+	try stmt3.run()
+
+	let stmt4 = Statement(db, localString) // GOOD
+	stmt4.run()
+
+	let stmt5 = Statement(db, remoteString) // BAD
+	stmt5.run()
+
+	// --- more variants ---
+
+	let stmt6 = try db.prepare(unsafeQuery1, "") // BAD
+	try stmt6.run()
+
+	let stmt7 = try db.prepare(unsafeQuery1, [""]) // BAD
+	try stmt7.run()
+
+	let stmt8 = try db.prepare(unsafeQuery1, ["username": ""]) // BAD
+	try stmt8.run()
+
+	db.run(unsafeQuery1, "") // BAD
+
+	db.run(unsafeQuery1, [""]) // BAD
+
+	db.run(unsafeQuery1, ["username": ""]) // BAD
+
+	db.scalar(unsafeQuery1, "") // BAD
+
+	db.scalar(unsafeQuery1, [""]) // BAD
+
+	db.scalar(unsafeQuery1, ["username": ""]) // BAD
+
+	let stmt9 = try db.prepare(varQuery) // GOOD
+	stmt9.bind(remoteString) // GOOD
+	stmt9.bind([remoteString]) // GOOD
+	stmt9.bind(["username": remoteString]) // GOOD
+	try stmt9.run(remoteString) // GOOD
+	try stmt9.run([remoteString]) // GOOD
+	try stmt9.run(["username": remoteString]) // GOOD
+	try stmt9.scalar(remoteString) // GOOD
+	try stmt9.scalar([remoteString]) // GOOD
+	try stmt9.scalar(["username": remoteString]) // GOOD
+
+	Statement(db, remoteString).run() // BAD
+}

swift/ql/test/query-tests/Security/CWE-089/SqlInjection.expected

@@ -0,0 +1,69 @@
+edges
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:73:17:73:17 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:74:17:74:17 | unsafeQuery2 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:75:17:75:17 | unsafeQuery3 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:83:29:83:29 | unsafeQuery3 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:95:28:95:28 | remoteString |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:100:29:100:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:103:29:103:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:106:29:106:29 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:109:9:109:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:111:9:111:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:113:9:113:9 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:115:12:115:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:117:12:117:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:119:12:119:12 | unsafeQuery1 |
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:132:16:132:16 | remoteString |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 |
+nodes
+| SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | semmle.label | call to init(contentsOf:) :  |
+| SQLite.swift:73:17:73:17 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:74:17:74:17 | unsafeQuery2 | semmle.label | unsafeQuery2 |
+| SQLite.swift:75:17:75:17 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| SQLite.swift:83:29:83:29 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| SQLite.swift:95:28:95:28 | remoteString | semmle.label | remoteString |
+| SQLite.swift:100:29:100:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:103:29:103:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:106:29:106:29 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:109:9:109:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:111:9:111:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:113:9:113:9 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:115:12:115:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:117:12:117:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:119:12:119:12 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| SQLite.swift:132:16:132:16 | remoteString | semmle.label | remoteString |
+| sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | semmle.label | call to init(contentsOf:) :  |
+| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | semmle.label | unsafeQuery1 |
+| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | semmle.label | unsafeQuery2 |
+| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | semmle.label | unsafeQuery3 |
+subpaths
+#select
+| SQLite.swift:73:17:73:17 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:73:17:73:17 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:74:17:74:17 | unsafeQuery2 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:74:17:74:17 | unsafeQuery2 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:75:17:75:17 | unsafeQuery3 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:75:17:75:17 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:83:29:83:29 | unsafeQuery3 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:83:29:83:29 | unsafeQuery3 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:95:28:95:28 | remoteString | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:95:28:95:28 | remoteString | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:100:29:100:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:100:29:100:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:103:29:103:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:103:29:103:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:106:29:106:29 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:106:29:106:29 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:109:9:109:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:109:9:109:9 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:111:9:111:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:111:9:111:9 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:113:9:113:9 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:113:9:113:9 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:115:12:115:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:115:12:115:12 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:117:12:117:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:117:12:117:12 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:119:12:119:12 | unsafeQuery1 | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:119:12:119:12 | unsafeQuery1 | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| SQLite.swift:132:16:132:16 | remoteString | SQLite.swift:62:26:62:80 | call to init(contentsOf:) :  | SQLite.swift:132:16:132:16 | remoteString | This query depends on a $@. | SQLite.swift:62:26:62:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:133:33:133:33 | unsafeQuery1 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:134:33:134:33 | unsafeQuery2 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:135:33:135:33 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:145:26:145:26 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:175:29:175:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |
+| sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) :  | sqlite3_c_api.swift:183:29:183:29 | unsafeQuery3 | This query depends on a $@. | sqlite3_c_api.swift:122:26:122:80 | call to init(contentsOf:) | user-provided value |

swift/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref

@@ -0,0 +1 @@
+queries/Security/CWE-089/SqlInjection.ql