Swift: QLDoc comments and metadata.

Author: geoffw0

swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll

@@ -29,34 +29,26 @@ class CommandInjectionAdditionalFlowStep extends Unit {
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
 }
 
-private class ProcessSink2 extends CommandInjectionSink instanceof DataFlow::Node {
-  ProcessSink2() {
-    exists(AssignExpr assign, ProcessHost s |
-      assign.getDest() = s and
-      this.asExpr() = assign.getSource()
-    )
-    or
-    exists(AssignExpr assign, ProcessHost s, ArrayExpr a |
-      assign.getDest() = s and
-      a = assign.getSource() and
-      this.asExpr() = a.getAnElement()
-    )
-  }
-}
-
+/**
+ * A reference to any member of `Process`.
+ */
 private class ProcessHost extends MemberRefExpr {
   ProcessHost() { this.getBase() instanceof ProcessRef }
 }
 
-/** An expression of type `Process`. */
+/**
+ * An expression of type `Process`.
+ */
 private class ProcessRef extends Expr {
   ProcessRef() {
     this.getType() instanceof ProcessType or
     this.getType() = any(OptionalType t | t.getBaseType() instanceof ProcessType)
   }
 }
 
-/** The type `Process`. */
+/**
+ * The type `Process`.
+ */
 private class ProcessType extends NominalType {
   ProcessType() { this.getFullName() = "Process" }
 }
@@ -77,6 +69,24 @@ private class ProcessSink extends CommandInjectionSink instanceof DataFlow::Node
   }
 }
 
+/**
+ * A `DataFlow::Node` that is written into a field of a `Process` object.
+ */
+private class ProcessSink2 extends CommandInjectionSink instanceof DataFlow::Node {
+  ProcessSink2() {
+    exists(AssignExpr assign, ProcessHost s |
+      assign.getDest() = s and
+      this.asExpr() = assign.getSource()
+    )
+    or
+    exists(AssignExpr assign, ProcessHost s, ArrayExpr a |
+      assign.getDest() = s and
+      a = assign.getSource() and
+      this.asExpr() = a.getAnElement()
+    )
+  }
+}
+
 /**
  * A sink defined in a CSV model.
  */

swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll

@@ -1,6 +1,6 @@
 /**
  * Provides a taint-tracking configuration for reasoning about system
- * commands built from user-controlled sources (that is, Command injection
+ * commands built from user-controlled sources (that is, command injection
  * vulnerabilities).
  */
 
@@ -11,7 +11,7 @@ import codeql.swift.dataflow.FlowSources
 import codeql.swift.security.CommandInjectionExtensions
 
 /**
- * A taint configuration for tainted data that reaches a Command Injection sink.
+ * A taint configuration for tainted data that reaches a command injection sink.
  */
 module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -26,6 +26,6 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 }
 
 /**
- * Detect taint flow of tainted data that reaches a Command Injection sink.
+ * Detect taint flow of tainted data that reaches a command injection sink.
  */
 module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;

swift/ql/src/experimental/Security/CWE-078/CommandInjection.ql

@@ -1,6 +1,7 @@
 /**
  * @name System command built from user-controlled sources
- * @description Building a system command from user-controlled sources is vulnerable to insertion of malicious code by the user.
+ * @description Building a system command from user-controlled sources may allow a malicious
+ *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
  * @security-severity 9.8