Merge pull request github#11446 from atorralba/atorralba/swift/path-injection

Swift: Add path injection query

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -80,13 +80,16 @@ private import internal.FlowSummaryImplSpecific
 private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.CustomUrlSchemes
   private import codeql.swift.frameworks.StandardLibrary.Data
+  private import codeql.swift.frameworks.StandardLibrary.FilePath
   private import codeql.swift.frameworks.StandardLibrary.InputStream
   private import codeql.swift.frameworks.StandardLibrary.NSData
+  private import codeql.swift.frameworks.StandardLibrary.NsUrl
   private import codeql.swift.frameworks.StandardLibrary.String
   private import codeql.swift.frameworks.StandardLibrary.Url
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
   private import codeql.swift.frameworks.StandardLibrary.WebView
   private import codeql.swift.frameworks.Alamofire.Alamofire
+  private import codeql.swift.security.PathInjection
 }
 
 /**

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/FilePath.qll

@@ -0,0 +1,17 @@
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/** The struct `FilePath`. */
+class FilePath extends StructDecl {
+  FilePath() { this.getFullName() = "FilePath" }
+}
+
+/**
+ * A model for `FilePath` members that permit taint flow.
+ */
+private class FilePathSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    // TODO: Properly model this class
+    row = ";FilePath;true;init(stringLiteral:);(String);;Argument[0];ReturnValue;taint"
+  }
+}

swift/ql/lib/codeql/swift/frameworks/StandardLibrary/NsUrl.qll

@@ -0,0 +1,12 @@
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A model for `NSURL` members that permit taint flow.
+ */
+private class NsUrlSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    // TODO: Properly model this class
+    row = ";NSURL;true;init(string:);(String);;Argument[0];ReturnValue;taint"
+  }
+}

swift/ql/lib/codeql/swift/security/PathInjection.qll

@@ -0,0 +1,110 @@
+/** Provides classes and predicates to reason about path injection vulnerabilities. */
+
+import swift
+private import codeql.swift.controlflow.BasicBlocks
+private import codeql.swift.controlflow.ControlFlowGraph
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.TaintTracking
+private import codeql.swift.generated.ParentChild
+private import codeql.swift.frameworks.StandardLibrary.FilePath
+
+/** A data flow sink for path injection vulnerabilities. */
+abstract class PathInjectionSink extends DataFlow::Node { }
+
+/** A sanitizer for path injection vulnerabilities. */
+abstract class PathInjectionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to paths related to
+ * path injection vulnerabilities.
+ */
+class PathInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to path injection vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class DefaultPathInjectionSink extends PathInjectionSink {
+  DefaultPathInjectionSink() { sinkNode(this, "path-injection") }
+}
+
+private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
+  DefaultPathInjectionSanitizer() {
+    // This is a simplified implementation.
+    // TODO: Implement a complete path sanitizer when Guards are available.
+    exists(CallExpr starts, CallExpr normalize, DataFlow::Node validated |
+      starts.getStaticTarget().getName() = "starts(with:)" and
+      starts.getStaticTarget().getEnclosingDecl() instanceof FilePath and
+      normalize.getStaticTarget().getName() = "lexicallyNormalized()" and
+      normalize.getStaticTarget().getEnclosingDecl() instanceof FilePath
+    |
+      TaintTracking::localTaint(validated, DataFlow::exprNode(normalize.getQualifier())) and
+      DataFlow::localExprFlow(normalize, starts.getQualifier()) and
+      DataFlow::localFlow(validated, this) and
+      exists(ConditionBlock bb, SuccessorTypes::BooleanSuccessor b |
+        bb.getANode().getNode().asAstNode().(IfStmt).getACondition() = getImmediateParent*(starts) and
+        b.getValue() = true
+      |
+        bb.controls(this.getCfgNode().getBasicBlock(), b)
+      )
+    )
+  }
+}
+
+private class PathInjectionSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";Data;true;write(to:options:);;;Argument[0];path-injection",
+        ";NSData;true;write(to:atomically:);;;Argument[0];path-injection",
+        ";NSData;true;write(to:options:);;;Argument[0];path-injection",
+        ";NSData;true;write(toFile:atomically:);;;Argument[0];path-injection",
+        ";NSData;true;write(toFile:options:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsOfDirectory(at:includingPropertiesForKeys:options:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsOfDirectory(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;enumerator(at:includingPropertiesForKeys:options:errorHandler:);;;Argument[0];path-injection",
+        ";FileManager;true;enumerator(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;subpathsOfDirectory(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;subpaths(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(at:withIntermediateDirectories:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(atPath:withIntermediateDirectories:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createFile(atPath:contents:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;removeItem(at:);;;Argument[0];path-injection",
+        ";FileManager;true;removeItem(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;trashItem(at:resultingItemURL:);;;Argument[0];path-injection",
+        ";FileManager;true;replaceItem(at:withItemAt:backupItemName:options:resultingItemURL:);;;Argument[0..1];path-injection",
+        ";FileManager;true;replaceItemAt(_:withItemAt:backupItemName:options:);;;Argument[0..1];path-injection",
+        ";FileManager;true;copyItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;copyItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;moveItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;moveItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;createSymbolicLink(at:withDestinationURL:);;;Argument[0..1];path-injection",
+        ";FileManager;true;createSymbolicLink(atPath:withDestinationPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;linkItem(at:to:);;;Argument[0..1];path-injection",
+        ";FileManager;true;linkItem(atPath:toPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;destinationOfSymbolicLink(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;fileExists(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;fileExists(atPath:isDirectory:);;;Argument[0];path-injection",
+        ";FileManager;true;setAttributes(_:ofItemAtPath:);;;Argument[1];path-injection",
+        ";FileManager;true;contents(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;contentsEqual(atPath:andPath:);;;Argument[0..1];path-injection",
+        ";FileManager;true;changeCurrentDirectoryPath(_:);;;Argument[0];path-injection",
+        ";FileManager;true;unmountVolume(at:options:completionHandler:);;;Argument[0];path-injection",
+        // Deprecated FileManager methods:
+        ";FileManager;true;changeFileAttributes(_:atPath:);;;Argument[1];path-injection",
+        ";FileManager;true;directoryContents(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;createDirectory(atPath:attributes:);;;Argument[0];path-injection",
+        ";FileManager;true;createSymbolicLink(atPath:pathContent:);;;Argument[0..1];path-injection",
+        ";FileManager;true;pathContentOfSymbolicLink(atPath:);;;Argument[0];path-injection",
+        ";FileManager;true;replaceItemAtURL(originalItemURL:withItemAtURL:backupItemName:options:);;;Argument[0..1];path-injection",
+        ";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
+        ";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
+        ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection"
+      ]
+  }
+}

swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll

@@ -0,0 +1,30 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about path injection
+ * vulnerabilities.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.TaintTracking
+private import codeql.swift.security.PathInjection
+
+/**
+ * A taint-tracking configuration for path injection vulnerabilities.
+ */
+class PathInjectionConfiguration extends TaintTracking::Configuration {
+  PathInjectionConfiguration() { this = "PathInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PathInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof PathInjectionSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(PathInjectionAdditionalTaintStep s).step(node1, node2)
+  }
+}

swift/ql/src/queries/Security/CWE-022/PathInjection.qhelp

@@ -0,0 +1,58 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Accessing paths controlled by users can expose resources to attackers.</p>
+
+<p>Paths that are naively constructed from data controlled by a user may contain unexpected special characters,
+such as <code>..</code>. Such a path could point to any directory on the file system.</p>
+</overview>
+
+<recommendation>
+
+<p>Validate user input before using it to construct a file path. Ideally, follow these rules:</p>
+
+<ul>
+<li>Do not allow more than a single <code>.</code> character.</li>
+<li>Do not allow directory separators such as <code>/</code> or <code>\</code> (depending on the file system).</li>
+<li>Do not rely on simply replacing problematic sequences such as <code>../</code>. For example, after applying this filter to
+<code>.../...//</code> the resulting string would still be <code>../</code>.</li>
+<li>Use a whitelist of known good patterns.</li>
+</ul>
+
+</recommendation>
+
+<example>
+<p>
+The following code shows two bad examples. 
+</p>
+
+<sample src="PathInjectionBad.swift" />
+
+<p>
+In the first, a file name is read from an HTTP request and then used to access a file. In this case, a malicious response could include a file name that is an absolute path, such as
+<code>"/Applications/(current_application)/Documents/sensitive.data"</code>.
+</p>
+
+<p>
+In the second bad example, it appears that the user is restricted to opening a file within the
+<code>"/Library/Caches"</code> home directory. In this case, a malicious response could contain a file name containing
+special characters. For example, the string <code>"../../Documents/sensitive.data"</code> will result in the code
+reading the file located at <code>"/Applications/(current_application)/Library/Caches/../../Documents/sensitive.data"</code>, 
+which contains users' sensitive data. This file may then be made accessible to an attacker, giving them access to all this data.
+</p>
+
+<p>
+In the following (good) example, the path used to access the file system is normalized <em>before</em> being checked against a
+known prefix. This ensures that regardless of the user input, the resulting path is safe.
+</p>
+
+<sample src="PathInjectionGood.swift" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-022/PathInjection.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Uncontrolled data used in path expression
+ * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/path-injection
+ * @tags security
+ *       external/cwe/cwe-022
+ *       external/cwe/cwe-023
+ *       external/cwe/cwe-036
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-099
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.PathInjectionQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(PathInjectionConfiguration c).hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"

swift/ql/src/queries/Security/CWE-022/PathInjectionBad.swift

@@ -0,0 +1,10 @@
+let fm = FileManager.default
+let path = try String(contentsOf: URL(string: "http://example.com/")!)
+
+// BAD
+return fm.contents(atPath: path)
+
+// BAD
+if (path.hasPrefix(NSHomeDirectory() + "/Library/Caches")) {
+    return fm.contents(atPath: path)
+}

swift/ql/src/queries/Security/CWE-022/PathInjectionGood.swift

@@ -0,0 +1,8 @@
+let fm = FileManager.default
+let path = try String(contentsOf: URL(string: "http://example.com/")!)
+
+// GOOD
+let filePath = FilePath(stringLiteral: path)
+if (filePath.lexicallyNormalized().starts(with: FilePath(stringLiteral: NSHomeDirectory() + "/Library/Caches"))) {
+    return fm.contents(atPath: path)
+}