Swift: Tests for regex injection query.

geoffw0 · geoffw0 · commit 315cae21ce29 · 2023-07-03T11:35:55.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.expected
@@ -0,0 +1,8 @@
+edges
+| tests.swift:93:22:93:46 | call to String.init(contentsOf:) | tests.swift:118:19:118:19 | taintedString |
+nodes
+| tests.swift:93:22:93:46 | call to String.init(contentsOf:) | semmle.label | call to String.init(contentsOf:) |
+| tests.swift:118:19:118:19 | taintedString | semmle.label | taintedString |
+subpaths
+#select
+| tests.swift:118:19:118:19 | taintedString | tests.swift:93:22:93:46 | call to String.init(contentsOf:) | tests.swift:118:19:118:19 | taintedString | This regular expression is constructed from a $@. | tests.swift:93:22:93:46 | call to String.init(contentsOf:) | user-provided value |
diff --git a/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref b/swift/ql/test/query-tests/Security/CWE-730/RegexInjection.qlref
@@ -0,0 +1 @@
+queries/Security/CWE-730/RegexInjection.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-730/tests.swift b/swift/ql/test/query-tests/Security/CWE-730/tests.swift
@@ -0,0 +1,136 @@
+
+// --- stubs ---
+
+struct URL {
+    init?(string: String) {}
+}
+
+struct AnyRegexOutput {
+}
+
+protocol RegexComponent<RegexOutput> {
+	associatedtype RegexOutput
+}
+
+struct Regex<Output> : RegexComponent {
+	struct Match {
+	}
+
+	init(_ pattern: String) throws where Output == AnyRegexOutput { }
+
+	func firstMatch(in string: String) throws -> Regex<Output>.Match? { return nil}
+
+	typealias RegexOutput = Output
+}
+
+extension RangeReplaceableCollection {
+	mutating func replace<Replacement>(_ regex: some RegexComponent, with replacement: Replacement, maxReplacements: Int = .max) where Replacement : Collection, Replacement.Element == Character { }
+}
+
+extension StringProtocol {
+	func replacingOccurrences<Target, Replacement>(of target: Target, with replacement: Replacement, options: String.CompareOptions = [], range searchRange: Range<Self.Index>? = nil) -> String where Target : StringProtocol, Replacement : StringProtocol { return "" }
+}
+
+extension String : RegexComponent {
+	typealias CompareOptions = NSString.CompareOptions
+	typealias Output = Substring
+	typealias RegexOutput = String.Output
+}
+
+class NSObject {
+}
+
+class NSString : NSObject {
+	struct CompareOptions : OptionSet {
+	    var rawValue: UInt
+
+		static var regularExpression: NSString.CompareOptions { get { return CompareOptions(rawValue: 1) } }
+	}
+
+	convenience init(string aString: String) { self.init() }
+
+	func replacingOccurrences(of target: String, with replacement: String, options: NSString.CompareOptions = [], range searchRange: NSRange) -> String { return "" }
+
+	var length: Int { get { return 0 } }
+}
+
+struct _NSRange {
+	init(location: Int, length: Int) { }
+}
+
+typealias NSRange = _NSRange
+
+func NSMakeRange(_ loc: Int, _ len: Int) -> NSRange { return NSRange(location: loc, length: len) }
+
+class NSTextCheckingResult : NSObject {
+}
+
+class NSRegularExpression : NSObject {
+	struct Options : OptionSet {
+	    var rawValue: UInt
+	}
+
+	struct MatchingOptions : OptionSet {
+	    var rawValue: UInt
+	}
+
+	init(pattern: String, options: NSRegularExpression.Options = []) throws { }
+
+	func firstMatch(in string: String, options: NSRegularExpression.MatchingOptions = [], range: NSRange) -> NSTextCheckingResult? { return nil }
+}
+
+extension String {
+    init(contentsOf: URL) {
+        let data = ""
+        self.init(data)
+    }
+}
+
+// --- tests ---
+
+func regexInjectionTests(cond: Bool, varString: String, myUrl: URL) throws {
+	let constString = ".*"
+	let taintedString = String(contentsOf: myUrl) // tainted
+
+	// --- Regex ---
+
+	_ = try Regex(constString).firstMatch(in: varString)
+	_ = try Regex(varString).firstMatch(in: varString)
+	_ = try Regex(taintedString).firstMatch(in: varString) // BAD [NOT DETECTED]
+
+	_ = try Regex("(a|" + constString + ")").firstMatch(in: varString)
+	_ = try Regex("(a|" + taintedString + ")").firstMatch(in: varString) // BAD [NOT DETECTED]
+	_ = try Regex("(a|\(constString))").firstMatch(in: varString)
+	_ = try Regex("(a|\(taintedString))").firstMatch(in: varString) // BAD [NOT DETECTED]
+
+	_ = try Regex(cond ? constString : constString).firstMatch(in: varString)
+	_ = try Regex(cond ? taintedString : constString).firstMatch(in: varString) // BAD [NOT DETECTED]
+	_ = try Regex(cond ? constString : taintedString).firstMatch(in: varString) // BAD [NOT DETECTED]
+
+	_ = try (cond ? Regex(constString) : Regex(constString)).firstMatch(in: varString)
+	_ = try (cond ? Regex(taintedString) : Regex(constString)).firstMatch(in: varString) // BAD [NOT DETECTED]
+	_ = try (cond ? Regex(constString) : Regex(taintedString)).firstMatch(in: varString) // BAD [NOT DETECTED]
+
+	// --- RangeReplaceableCollection ---
+
+	var inputVar = varString
+	inputVar.replace(constString, with: "")
+	inputVar.replace(taintedString, with: "") // BAD
+	inputVar.replace(constString, with: taintedString)
+
+	// --- StringProtocol ---
+
+	_ = inputVar.replacingOccurrences(of: constString, with: "", options: .regularExpression)
+	_ = inputVar.replacingOccurrences(of: taintedString, with: "", options: .regularExpression) // BAD [NOT DETECTED]
+
+	// --- NSRegularExpression ---
+
+	_ = try NSRegularExpression(pattern: constString).firstMatch(in: varString, range: NSMakeRange(0, varString.utf16.count))
+	_ = try NSRegularExpression(pattern: taintedString).firstMatch(in: varString, range: NSMakeRange(0, varString.utf16.count)) // BAD [NOT DETECTED]
+
+	// --- NSString ---
+
+	let nsString = NSString(string: varString)
+	_ = nsString.replacingOccurrences(of: constString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length))
+	_ = nsString.replacingOccurrences(of: taintedString, with: "", options: .regularExpression, range: NSMakeRange(0, nsString.length)) // BAD [NOT DETECTED]
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/Security/CWE-730/RegexInjection.ql`