Swift: Replace additional taint step with implict read.

geoffw0 · geoffw0 · commit 27bdee8058f6 · 2023-10-02T20:19:30.000+01:00
Now that we have array content, this is a more principled approach than having a special case data step.
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -29,19 +29,6 @@ class CommandInjectionAdditionalFlowStep extends Unit {
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
 }
 
-/**
- * An additional taint step for command injection vulnerabilities.
- */
-private class CommandInjectionArrayAdditionalFlowStep extends CommandInjectionAdditionalFlowStep {
-  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // needed until we have proper content flow through arrays.
-    exists(ArrayExpr arr |
-      nodeFrom.asExpr() = arr.getAnElement() and
-      nodeTo.asExpr() = arr
-    )
-  }
-}
-
 /**
  * A sink defined in a CSV model.
  */
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -23,6 +23,12 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from array elements of at the sink, for example in `task.arguments = [tainted]`.
+    isSink(node) and
+    c.getAReadContent() instanceof DataFlow::Content::ArrayContent
+  }
 }
 
 /**
diff --git a/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/swift/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,12 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
	`28`	+ // flow out from array elements of at the sink, for example in `task.arguments = [tainted]`.
	`29`	`+ isSink(node) and`
	`30`	`+ c.getAReadContent() instanceof DataFlow::Content::ArrayContent`
	`31`	`+ }`
`26`	`32`	`}`
`27`	`33`
`28`	`34`	`/**`