Merge pull request github#12154 from geoffw0/pathinjectionext

geoffw0 · web-flow · commit cb11524dde50 · 2023-02-16T16:00:31.000Z
Swift: More path injection sinks
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -108,6 +108,11 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
         ";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
         ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection",
+        ";String;true;init(contentsOfFile:);;;Argument[0];path-injection",
+        ";String;true;init(contentsOfFile:encoding:);;;Argument[0];path-injection",
+        ";String;true;init(contentsOfFile:usedEncoding:);;;Argument[0];path-injection",
+        ";NSString;true;init(contentsOfFile:encoding:);;;Argument[0];path-injection",
+        ";NSString;true;init(contentsOfFile:usedEncoding:);;;Argument[0];path-injection",
         ";NSString;true;write(to:atomically:encoding:);;;Argument[0];path-injection",
         ";NSString;true;write(toFile:atomically:encoding:);;;Argument[0];path-injection",
         ";NSKeyedUnarchiver;true;unarchiveObject(withFile:);;;Argument[0];path-injection",
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -9,13 +9,32 @@ class NSURL {
 }
 
 extension String {
-	init(contentsOf: URL) {
+    struct Encoding {
+        static let utf8 = Encoding()
+    }
+
+    init(contentsOf: URL) {
         let data = ""
         self.init(data)
     }
+
+    init(contentsOfFile path: String) throws {
+        self.init("")
+    }
+
+    init(contentsOfFile path: String, encoding enc: String.Encoding) throws {
+        self.init("")
+    }
+
+    init(contentsOfFile path: String, usedEncoding: inout String.Encoding) throws {
+        self.init("")
+    }
 }
 
 class NSString {
+    convenience init(contentsOfFile path: String, encoding enc: UInt) throws { self.init() }
+    convenience init(contentsOfFile path: String, usedEncoding enc: UnsafeMutablePointer<UInt>?) throws { self.init() }
+
     func write(toFile: String, atomically: Bool, encoding: UInt) {}
     func write(to: URL, atomically: Bool, encoding: UInt) {}
 }
@@ -166,91 +185,99 @@ func test() {
     let safeUrl =  URL(string: "")!
     let safeNsUrl = NSURL(string: "")!
 
-    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=163
+    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=182
 
     let nsData = NSData()
-    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=163
-    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=163
-    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=163
-    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=163
+    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=182
+    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=182
+    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=182
+    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=182
 
     let fm = FileManager()
-    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=163
-    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=163
-    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=163
-    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=163
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=163
-    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=163
-    fm.removeItem(at: remoteUrl) // $ hasPathInjection=163
-    fm.removeItem(atPath: remoteString) // $ hasPathInjection=163
-    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
-    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
-    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
-    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
-    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
-    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
-    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
-    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
-    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
-    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
-    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
-    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
-    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
-    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=163
-    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=163
-    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=163
-    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=163
-    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
-    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
-    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
-    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=163
-    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=163
-    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=163
-    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=163
+    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=182
+    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=182
+    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=182
+    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=182
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=182
+    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=182
+    fm.removeItem(at: remoteUrl) // $ hasPathInjection=182
+    fm.removeItem(atPath: remoteString) // $ hasPathInjection=182
+    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
+    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
+    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
+    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
+    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=182
+    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
+    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
+    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
+    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
+    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
+    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
+    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
+    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
+    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=182
+    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=182
+    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=182
+    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=182
+    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=182
+    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=182
+    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=182
+    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=182
+    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=182
+    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=182
+    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=182
     // Deprecated methods
-    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=163
-    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=163
-    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=163
-    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=163
-    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
-    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
-
-    NSString().write(to: remoteUrl, atomically: true, encoding: 0)  // $ hasPathInjection=163
-    NSString().write(toFile: remoteString, atomically: true, encoding: 0) // $ hasPathInjection=163
-    let _ = NSKeyedUnarchiver().unarchiveObject(withFile: remoteString) // $ hasPathInjection=163
-    let _ = ArchiveByteStream.fileStream(fd: remoteString as! FileDescriptor, automaticClose: true) // $ hasPathInjection=163
-    ArchiveByteStream.withFileStream(fd: remoteString as! FileDescriptor, automaticClose: true) { _ in } // $ hasPathInjection=163
-    let _ = ArchiveByteStream.fileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) // $ hasPathInjection=163
-    ArchiveByteStream.withFileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) { _ in } // $ hasPathInjection=163
-    let _ = Bundle(url: remoteUrl) // $ hasPathInjection=163
-    let _ = Bundle(path: remoteString) // $ hasPathInjection=163
-
-    let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=163
+    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=182
+    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=182
+    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=182
+    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=182
+    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
+    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=182
+
+    var encoding = String.Encoding.utf8
+    let _ = try! String(contentsOfFile: remoteString) // $ hasPathInjection=182
+    let _ = try! String(contentsOfFile: remoteString, encoding: String.Encoding.utf8) // $ hasPathInjection=182
+    let _ = try! String(contentsOfFile: remoteString, usedEncoding: &encoding) // $ hasPathInjection=182
+
+    let _ = try! NSString(contentsOfFile: remoteString, encoding: 0) // $ hasPathInjection=182
+    let _ = try! NSString(contentsOfFile: remoteString, usedEncoding: nil) // $ hasPathInjection=182
+    NSString().write(to: remoteUrl, atomically: true, encoding: 0)  // $ hasPathInjection=182
+    NSString().write(toFile: remoteString, atomically: true, encoding: 0) // $ hasPathInjection=182
+
+    let _ = NSKeyedUnarchiver().unarchiveObject(withFile: remoteString) // $ hasPathInjection=182
+    let _ = ArchiveByteStream.fileStream(fd: remoteString as! FileDescriptor, automaticClose: true) // $ hasPathInjection=182
+    ArchiveByteStream.withFileStream(fd: remoteString as! FileDescriptor, automaticClose: true) { _ in } // $ hasPathInjection=182
+    let _ = ArchiveByteStream.fileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) // $ hasPathInjection=182
+    ArchiveByteStream.withFileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) { _ in } // $ hasPathInjection=182
+    let _ = Bundle(url: remoteUrl) // $ hasPathInjection=182
+    let _ = Bundle(path: remoteString) // $ hasPathInjection=182
+
+    let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=182
     let _ = Database(path: "", description: "", configuration: Configuration()) // Safe
-    let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
+    let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
     let _ = DatabasePool(path: "", configuration: Configuration()) // Safe
-    let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
+    let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
     let _ = DatabaseQueue(path: "", configuration: Configuration()) // Safe
-    let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
+    let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=182
     let _ = DatabaseSnapshotPool(path: "", configuration: Configuration()) // Safe
-    let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=163
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=182
     let _ = SerializedDatabase(path: "", defaultLabel: "") // Safe
-    let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=163
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=182
     let _ = SerializedDatabase(path: "", defaultLabel: "", purpose: nil) // Safe
-    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=163
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=182
     let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "") // Safe
-    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=163
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=182
     let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "", purpose: nil) // Safe
 }
 
@@ -263,5 +290,5 @@ func testSanitizers() {
     if (filePath.lexicallyNormalized().starts(with: "/safe")) {
         let _ = fm.contents(atPath: remoteString) // Safe
     }
-    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=258
+    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=285
 }
