Swift: Add SQLite.swift and sqlite3 C API test cases for swift/cleartext-storage-database.

geoffw0 · geoffw0 · commit 4245a38de9eb · 2023-09-25T20:30:48.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
@@ -0,0 +1,188 @@
+
+// --- stubs ---
+
+public protocol Binding {}
+
+public protocol Number: Binding {}
+
+extension String: Binding {}
+
+extension Int: Number {}
+
+class Statement {
+	fileprivate let connection: Connection
+
+	init(_ connection: Connection, _ SQL: String) throws { self.connection = connection}
+
+	public func bind(_ values: Binding?...) -> Statement { return self }
+	public func bind(_ values: [Binding?]) -> Statement { return self }
+	public func bind(_ values: [String: Binding?]) -> Statement { return self }
+
+	@discardableResult public func run(_ bindings: Binding?...) throws -> Statement { return self }
+	@discardableResult public func run(_ bindings: [Binding?]) throws -> Statement { return self }
+	@discardableResult public func run(_ bindings: [String: Binding?]) throws -> Statement { return self }
+
+	public func scalar(_ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ bindings: [String: Binding?]) throws -> Binding? { return nil }
+}
+
+class Connection {
+	public func execute(_ SQL: String) throws { }
+
+	public func prepare(_ statement: String, _ bindings: Binding?...) throws -> Statement { return try Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return try Statement(self, "") }
+	public func prepare(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return try Statement(self, "") }
+
+	@discardableResult public func run(_ statement: String, _ bindings: Binding?...) throws -> Statement { return try Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [Binding?]) throws -> Statement { return try Statement(self, "") }
+	@discardableResult public func run(_ statement: String, _ bindings: [String: Binding?]) throws -> Statement { return try Statement(self, "") }
+
+	public func scalar(_ statement: String, _ bindings: Binding?...) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [Binding?]) throws -> Binding? { return nil }
+	public func scalar(_ statement: String, _ bindings: [String: Binding?]) throws -> Binding? { return nil }
+}
+
+protocol QueryType { }
+
+protocol SchemaType: QueryType { }
+
+struct Table: SchemaType {
+	init(_ name: String, database: String? = nil) { }
+}
+
+protocol ExpressionType : CustomStringConvertible {
+	init(_ template: String, _ bindings: [Binding?])
+}
+
+extension ExpressionType {
+	init(_ identifier: String) {
+		self.init(identifier, [])
+	}
+
+	var description: String { get { "" } }
+}
+
+extension ExpressionType { // where UnderlyingType == String
+	public func replace(_ pattern: String, with replacement: String) -> Expression<String> {
+		return Expression<String>("")
+	}
+}
+
+struct Expression<Datatype> : ExpressionType {
+	typealias UnderlyingType = Datatype
+
+	init(_ template: String, _ bindings: [Binding?]) { }
+}
+
+struct Insert: ExpressionType {
+	init(_ template: String, _ bindings: [Binding?]) { }
+}
+
+struct Update: ExpressionType {
+	init(_ template: String, _ bindings: [Binding?]) { }
+}
+
+extension Connection {
+	@discardableResult public func run(_ query: Insert) throws -> Int64 { return 0 }
+	@discardableResult public func run(_ query: Update) throws -> Int { return 0 }
+}
+
+struct Setter { }
+
+infix operator <-
+
+func <-<V>(column: Expression<V>, value: Expression<V>) -> Setter { return Setter() }
+func <-<V>(column: Expression<V>, value: V) -> Setter { return Setter() }
+
+extension QueryType {
+	func filter(_ predicate: Expression<Bool>) -> Self { return self }
+
+	func insert(_ value: Setter, _ more: Setter...) -> Insert { return Insert("") }
+	func update(_ values: Setter...) -> Update { return Update("") }
+}
+
+func ==<V>(lhs: Expression<V>, rhs: V) -> Expression<Bool> { return Expression<Bool>("") }
+
+// --- tests ---
+
+func test_sqlite_swift_api(db: Connection, id: Int, mobilePhoneNumber: String) throws {
+	// --- sensitive data in SQL (in practice these cases may also be SQL injection) ---
+
+	let insertQuery = "INSERT INTO CONTACTS(ID, NUMBER) VALUES(\(id), \(mobilePhoneNumber));"
+	let updateQuery = "UPDATE CONTACTS SET NUMBER=\(mobilePhoneNumber) WHERE ID=\(id);"
+	let deleteQuery = "DELETE FROM CONTACTS WHERE ID=\(id);"
+
+	try db.execute(insertQuery) // BAD (sensitive data) [NOT DETECTED]
+	try db.execute(updateQuery) // BAD (sensitive data) [NOT DETECTED]
+	try db.execute(deleteQuery) // GOOD
+
+	_ = try db.prepare(insertQuery).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.prepare(updateQuery).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.prepare(deleteQuery).run() // GOOD
+
+	_ = try db.run(insertQuery) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.run(updateQuery) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.run(deleteQuery) // GOOD
+
+	_ = try db.scalar(insertQuery) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.scalar(updateQuery) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.scalar(deleteQuery) // GOOD
+
+	_ = try Statement(db, insertQuery).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try Statement(db, updateQuery).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try Statement(db, deleteQuery).run() // GOOD
+
+	// --- sensitive data in bindings ---
+
+	let varQuery1 = "UPDATE CONTACTS SET NUMBER=?;"
+
+	_ = try db.prepare(varQuery1, mobilePhoneNumber).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.run(varQuery1, mobilePhoneNumber) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.scalar(varQuery1, mobilePhoneNumber) // BAD (sensitive data) [NOT DETECTED]
+
+	let stmt1 = try db.prepare(varQuery1) // GOOD
+	_ = try stmt1.bind(mobilePhoneNumber).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt1.run(mobilePhoneNumber) // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt1.scalar(mobilePhoneNumber) // BAD (sensitive data) [NOT DETECTED]
+
+	let varQuery2 = "UPDATE CONTACTS SET NUMBER=? WHERE ID=?;"
+
+	_ = try db.prepare(varQuery2, [mobilePhoneNumber, id]).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.run(varQuery2, [mobilePhoneNumber, id]) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.scalar(varQuery2, [mobilePhoneNumber, id]) // BAD (sensitive data) [NOT DETECTED]
+
+	let stmt2 = try db.prepare(varQuery2) // GOOD
+	_ = try stmt2.bind([mobilePhoneNumber, id]).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt2.run([mobilePhoneNumber, id]) // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt2.scalar([mobilePhoneNumber, id]) // BAD (sensitive data) [NOT DETECTED]
+
+	let varQuery3 = "UPDATE CONTACTS SET NUMBER=$number WHERE ID=$id;"
+
+	_ = try db.prepare(varQuery3, ["id": id, "number": mobilePhoneNumber]).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.run(varQuery3, ["id": id, "number": mobilePhoneNumber]) // BAD (sensitive data) [NOT DETECTED]
+	_ = try db.scalar(varQuery3, ["id": id, "number": mobilePhoneNumber]) // BAD (sensitive data) [NOT DETECTED]
+
+	let stmt3 = try db.prepare(varQuery3) // GOOD
+	_ = try stmt3.bind(["id": id, "number": mobilePhoneNumber]).run() // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt3.run(["id": id, "number": mobilePhoneNumber]) // BAD (sensitive data) [NOT DETECTED]
+	_ = try stmt3.scalar(["id": id, "number": mobilePhoneNumber]) // BAD (sensitive data) [NOT DETECTED]
+
+	// --- higher level insert / update ---
+
+	let table = Table("TABLE")
+	let idExpr = Expression<Int>("ID")
+	let numberExpr = Expression<String>("NUMBER")
+	let filter = table.filter(idExpr == id) // GOOD
+
+	try db.run(table.insert(idExpr <- id, numberExpr <- "123")) // GOOD
+	try db.run(table.insert(idExpr <- id, numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+
+	try db.run(table.update(numberExpr <- "123")) // GOOD
+	try db.run(table.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(filter.update(numberExpr <- "123")) // GOOD
+	try db.run(filter.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: "456"))) // GOOD
+	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: mobilePhoneNumber))) // BAD (sensitive data) [NOT DETECTED]
+	// (much more complex query construction is possible in SQLite.swift)
+}
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -1,3 +1,30 @@
+| SQLite.swift:112:70:112:70 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:113:50:113:50 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:140:32:140:32 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:141:28:141:28 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:142:31:142:31 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:145:21:145:21 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:146:20:146:20 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:147:23:147:23 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:151:33:151:33 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:152:29:152:29 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:153:32:153:32 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:156:22:156:22 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:157:21:157:21 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:158:24:158:24 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:162:53:162:53 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:163:49:163:49 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:164:52:164:52 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:167:42:167:42 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:168:41:168:41 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:169:44:169:44 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:179:54:179:54 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:182:40:182:40 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:184:41:184:41 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| SQLite.swift:186:72:186:72 | mobilePhoneNumber | label:mobilePhoneNumber, type:private information |
+| sqlite3_c_api.swift:42:69:42:69 | medicalNotes | label:medicalNotes, type:private information |
+| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | label:medicalNotes, type:private information |
+| sqlite3_c_api.swift:58:36:58:36 | medicalNotes | label:medicalNotes, type:private information |
 | testAlamofire.swift:150:45:150:45 | password | label:password, type:credential |
 | testAlamofire.swift:152:51:152:51 | password | label:password, type:credential |
 | testAlamofire.swift:154:38:154:38 | email | label:email, type:private information |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift b/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
@@ -0,0 +1,63 @@
+
+// --- stubs ---
+
+var SQLITE_OK : Int32 = 0
+var SQLITE_TRANSIENT : (@convention(c) (UnsafeMutableRawPointer?) -> Void)?
+
+func sqlite3_exec(
+		_ _: OpaquePointer?,
+		_ sql: UnsafePointer<CChar>?,
+		_ callback: (@convention(c) (UnsafeMutableRawPointer?, Int32, UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>?, UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>?) -> Int32)?,
+		_ _: UnsafeMutableRawPointer?,
+		_ errmsg: UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>?
+	) -> Int32 { return SQLITE_OK }
+
+func sqlite3_prepare(
+		_ db: OpaquePointer?,
+		_ zSql: UnsafePointer<CChar>?,
+		_ nByte: Int32,
+		_ ppStmt: UnsafeMutablePointer<OpaquePointer?>?,
+		_ pzTail: UnsafeMutablePointer<UnsafePointer<CChar>?>?
+	) -> Int32 { return SQLITE_OK }
+
+func sqlite3_bind_int(
+		_ _: OpaquePointer?,
+		_ _: Int32,
+		_ _: Int32
+	) -> Int32 { return SQLITE_OK }
+
+func sqlite3_bind_text(
+		_ _: OpaquePointer?,
+		_ _: Int32,
+		_ _: UnsafePointer<CChar>?,
+		_ _: Int32,
+		_ callback: (@convention(c) (UnsafeMutableRawPointer?) -> Void)?
+	) -> Int32 { return SQLITE_OK }
+
+// --- tests ---
+
+func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
+	// --- sensitive data in SQL (in practice these cases may also be SQL injection) ---
+
+	let insertQuery = "INSERT INTO PATIENTS(ID, NOTES) VALUES(\(id), \(medicalNotes));"
+	let updateQuery = "UPDATE PATIENTS SET NOTES=\(medicalNotes) WHERE ID=\(id);"
+	let deleteQuery = "DELETE FROM PATIENTS WHERE ID=\(id);"
+
+	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // BAD (sensitive data) [NOT DETECTED]
+	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // BAD (sensitive data) [NOT DETECTED]
+	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD
+
+	// --- sensitive data in bindings ---
+
+	let varQuery = "UPDATE PATIENTS SET NOTES=? WHERE ID=?;"
+
+	var stmt1: OpaquePointer?
+
+	if (sqlite3_prepare(db, varQuery, -1, &stmt1, nil) == SQLITE_OK) { // GOOD
+		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD
+			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // BAD (sensitive data) [NOT DETECTED]
+				// ...
+			}
+		}
+	}
+}
