Swift: Add CSV extension points.

geoffw0 · geoffw0 · commit 439d9199be1e · 2023-01-24T19:28:05.000Z
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionExtensions.qll
@@ -6,6 +6,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for SQL injection vulnerabilities.
@@ -141,3 +142,10 @@ class GrdbDefaultSqlInjectionSink extends SqlInjectionSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultSqlInjectionSink extends SqlInjectionSink {
+  DefaultSqlInjectionSink() { sinkNode(this, "sql") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll
@@ -6,6 +6,7 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.FlowSources
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for javascript evaluation vulnerabilities.
@@ -141,3 +142,10 @@ class DefaultUnsafeJsEvalAdditionalTaintStep extends UnsafeJsEvalAdditionalTaint
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
+  DefaultUnsafeJsEvalSink() { sinkNode(this, "js-eval") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchExtensions.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for unsafe webview fetch vulnerabilities.
@@ -33,10 +34,10 @@ class UnsafeWebViewFetchAdditionalTaintStep extends Unit {
  * A default uncontrolled format string sink, such as certain arguments
  * to `UIWebView.loadHTMLString`.
  */
-class DefaultUnsafeWebViewFetchSink extends UnsafeWebViewFetchSink {
+class UIKitWebKitWebViewFetchSink extends UnsafeWebViewFetchSink {
   Expr baseUrl;
 
-  DefaultUnsafeWebViewFetchSink() {
+  UIKitWebKitWebViewFetchSink() {
     exists(
       MethodDecl funcDecl, CallExpr call, string className, string funcName, int arg, int baseArg
     |
@@ -71,3 +72,13 @@ class DefaultUnsafeWebViewFetchSink extends UnsafeWebViewFetchSink {
 
   override Expr getBaseUrl() { result = baseUrl }
 }
+
+/**
+ * A sink defined in a CSV model.
+ *
+ * Note that sinks defined in this way never have a recognized `baseURL`
+ * argument, which may limit the accuracy of results.
+ */
+private class DefaultUnsafeWebViewFetchSink extends UnsafeWebViewFetchSink {
+  DefaultUnsafeWebViewFetchSink() { sinkNode(this, "webview-fetch") }
+}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`
`7`	`7`	`import swift`
`8`	`8`	`import codeql.swift.dataflow.DataFlow`
	`9`	`+private import codeql.swift.dataflow.ExternalFlow`
`9`	`10`
`10`	`11`	`/**`
`11`	`12`	`* A dataflow sink for SQL injection vulnerabilities.`
`@@ -141,3 +142,10 @@ class GrdbDefaultSqlInjectionSink extends SqlInjectionSink {`
`141`	`142`	`)`
`142`	`143`	`}`
`143`	`144`	`}`
	`145`	`+`
	`146`	`+/**`
	`147`	`+ * A sink defined in a CSV model.`
	`148`	`+ */`
	`149`	`+private class DefaultSqlInjectionSink extends SqlInjectionSink {`
	`150`	`+ DefaultSqlInjectionSink() { sinkNode(this, "sql") }`
	`151`	`+}`