Swift: Add more SQLite.swift models.

geoffw0 · geoffw0 · commit 51ed824adf52 · 2023-09-25T20:30:59.000+01:00
diff --git a/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll b/swift/ql/lib/codeql/swift/frameworks/Frameworks.qll
@@ -4,6 +4,7 @@
 
 private import Alamofire.Alamofire
 private import JavaScriptCore.JavaScriptCore
+private import SQL.SQL
 private import StandardLibrary.StandardLibrary
 private import UIKit.UIKit
 private import Xml.Xml
diff --git a/swift/ql/lib/codeql/swift/frameworks/SQL/SQL.qll b/swift/ql/lib/codeql/swift/frameworks/SQL/SQL.qll
@@ -0,0 +1,23 @@
+/**
+ * Provides models for SQL libraries.
+ */
+
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A model for SQL library functions that permit taint flow.
+ */
+private class FilePathSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // SQLite.Swift
+        ";;false;<-(_:_:);;;Argument[0..1];ReturnValue;taint",
+        ";Expression;true;init(_:_:);;;Argument[0];ReturnValue;taint",
+        ";Expression;true;init(_:_:);;;Argument[1].CollectionElement;ReturnValue;taint",
+        ";ExpressionType;true;init(_:);;;Argument[0];ReturnValue;taint",
+        ";ExpressionType;true;replace(_:with:);;;Argument[1];ReturnValue;taint",
+      ]
+  }
+}
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseExtensions.qll
@@ -139,6 +139,17 @@ private class CleartextStorageDatabaseSinks extends SinkModelCsv {
         ";Statement;true;bind(_:);;;Argument[0];database-store",
         ";Statement;true;run(_:);;;Argument[0];database-store",
         ";Statement;true;scalar(_:);;;Argument[0];database-store",
+        ";QueryType;true;insert(_:);;;Argument[0];database-store",
+        ";QueryType;true;insert(_:_:);;;Argument[0..1];database-store",
+        ";QueryType;true;insert(or:_:);;;Argument[1];database-store",
+        ";QueryType;true;insertMany(_:);;;Argument[0];database-store",
+        ";QueryType;true;insertMany(or:_:);;;Argument[1];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:);;;Argument[0];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[0];database-store",
+        ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[2];database-store",
+        ";QueryType;true;update(_:);;;Argument[0];database-store",
+        ";QueryType;true;update(_:_:);;;Argument[0..1];database-store",
+        ";QueryType;true;update(or:_:);;;Argument[1];database-store",
       ]
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -45,6 +45,19 @@ edges
 | SQLite.swift:169:23:169:61 | [...] [Collection element, Tuple element at index 1] | SQLite.swift:169:23:169:61 | [...] |
 | SQLite.swift:169:34:169:44 | (...) [Tuple element at index 1] | SQLite.swift:169:23:169:61 | [...] [Collection element, Tuple element at index 1] |
 | SQLite.swift:169:44:169:44 | mobilePhoneNumber | SQLite.swift:169:34:169:44 | (...) [Tuple element at index 1] |
+| SQLite.swift:179:40:179:54 | ... <-(_:_:) ... | SQLite.swift:179:40:179:54 | [...] |
+| SQLite.swift:179:40:179:54 | [...] | SQLite.swift:179:40:179:54 | [...] |
+| SQLite.swift:179:54:179:54 | mobilePhoneNumber | SQLite.swift:179:40:179:54 | ... <-(_:_:) ... |
+| SQLite.swift:182:26:182:40 | ... <-(_:_:) ... | SQLite.swift:182:26:182:40 | [...] |
+| SQLite.swift:182:26:182:40 | [...] | SQLite.swift:182:26:182:40 | [...] |
+| SQLite.swift:182:40:182:40 | mobilePhoneNumber | SQLite.swift:182:26:182:40 | ... <-(_:_:) ... |
+| SQLite.swift:184:27:184:41 | ... <-(_:_:) ... | SQLite.swift:184:27:184:41 | [...] |
+| SQLite.swift:184:27:184:41 | [...] | SQLite.swift:184:27:184:41 | [...] |
+| SQLite.swift:184:41:184:41 | mobilePhoneNumber | SQLite.swift:184:27:184:41 | ... <-(_:_:) ... |
+| SQLite.swift:186:26:186:89 | ... <-(_:_:) ... | SQLite.swift:186:26:186:89 | [...] |
+| SQLite.swift:186:26:186:89 | [...] | SQLite.swift:186:26:186:89 | [...] |
+| SQLite.swift:186:40:186:89 | call to replace(_:with:) | SQLite.swift:186:26:186:89 | ... <-(_:_:) ... |
+| SQLite.swift:186:72:186:72 | mobilePhoneNumber | SQLite.swift:186:40:186:89 | call to replace(_:with:) |
 | file://:0:0:0:0 | self | file://:0:0:0:0 | .value |
 | file://:0:0:0:0 | self | file://:0:0:0:0 | .value2 |
 | file://:0:0:0:0 | self [value] | file://:0:0:0:0 | .value |
@@ -297,6 +310,23 @@ nodes
 | SQLite.swift:169:23:169:61 | [...] [Collection element, Tuple element at index 1] | semmle.label | [...] [Collection element, Tuple element at index 1] |
 | SQLite.swift:169:34:169:44 | (...) [Tuple element at index 1] | semmle.label | (...) [Tuple element at index 1] |
 | SQLite.swift:169:44:169:44 | mobilePhoneNumber | semmle.label | mobilePhoneNumber |
+| SQLite.swift:179:40:179:54 | ... <-(_:_:) ... | semmle.label | ... <-(_:_:) ... |
+| SQLite.swift:179:40:179:54 | [...] | semmle.label | [...] |
+| SQLite.swift:179:40:179:54 | [...] | semmle.label | [...] |
+| SQLite.swift:179:54:179:54 | mobilePhoneNumber | semmle.label | mobilePhoneNumber |
+| SQLite.swift:182:26:182:40 | ... <-(_:_:) ... | semmle.label | ... <-(_:_:) ... |
+| SQLite.swift:182:26:182:40 | [...] | semmle.label | [...] |
+| SQLite.swift:182:26:182:40 | [...] | semmle.label | [...] |
+| SQLite.swift:182:40:182:40 | mobilePhoneNumber | semmle.label | mobilePhoneNumber |
+| SQLite.swift:184:27:184:41 | ... <-(_:_:) ... | semmle.label | ... <-(_:_:) ... |
+| SQLite.swift:184:27:184:41 | [...] | semmle.label | [...] |
+| SQLite.swift:184:27:184:41 | [...] | semmle.label | [...] |
+| SQLite.swift:184:41:184:41 | mobilePhoneNumber | semmle.label | mobilePhoneNumber |
+| SQLite.swift:186:26:186:89 | ... <-(_:_:) ... | semmle.label | ... <-(_:_:) ... |
+| SQLite.swift:186:26:186:89 | [...] | semmle.label | [...] |
+| SQLite.swift:186:26:186:89 | [...] | semmle.label | [...] |
+| SQLite.swift:186:40:186:89 | call to replace(_:with:) | semmle.label | call to replace(_:with:) |
+| SQLite.swift:186:72:186:72 | mobilePhoneNumber | semmle.label | mobilePhoneNumber |
 | file://:0:0:0:0 | .value | semmle.label | .value |
 | file://:0:0:0:0 | .value | semmle.label | .value |
 | file://:0:0:0:0 | .value2 | semmle.label | .value2 |
@@ -612,6 +642,10 @@ subpaths
 | SQLite.swift:167:21:167:59 | [...] | SQLite.swift:167:42:167:42 | mobilePhoneNumber | SQLite.swift:167:21:167:59 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:167:42:167:42 | mobilePhoneNumber | mobilePhoneNumber |
 | SQLite.swift:168:20:168:58 | [...] | SQLite.swift:168:41:168:41 | mobilePhoneNumber | SQLite.swift:168:20:168:58 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:168:41:168:41 | mobilePhoneNumber | mobilePhoneNumber |
 | SQLite.swift:169:23:169:61 | [...] | SQLite.swift:169:44:169:44 | mobilePhoneNumber | SQLite.swift:169:23:169:61 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:169:44:169:44 | mobilePhoneNumber | mobilePhoneNumber |
+| SQLite.swift:179:40:179:54 | [...] | SQLite.swift:179:54:179:54 | mobilePhoneNumber | SQLite.swift:179:40:179:54 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:179:54:179:54 | mobilePhoneNumber | mobilePhoneNumber |
+| SQLite.swift:182:26:182:40 | [...] | SQLite.swift:182:40:182:40 | mobilePhoneNumber | SQLite.swift:182:26:182:40 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:182:40:182:40 | mobilePhoneNumber | mobilePhoneNumber |
+| SQLite.swift:184:27:184:41 | [...] | SQLite.swift:184:41:184:41 | mobilePhoneNumber | SQLite.swift:184:27:184:41 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:184:41:184:41 | mobilePhoneNumber | mobilePhoneNumber |
+| SQLite.swift:186:26:186:89 | [...] | SQLite.swift:186:72:186:72 | mobilePhoneNumber | SQLite.swift:186:26:186:89 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | SQLite.swift:186:72:186:72 | mobilePhoneNumber | mobilePhoneNumber |
 | sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes |
 | sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
 | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-311/SQLite.swift
@@ -176,13 +176,13 @@ func test_sqlite_swift_api(db: Connection, id: Int, mobilePhoneNumber: String) t
 	let filter = table.filter(idExpr == id) // GOOD
 
 	try db.run(table.insert(idExpr <- id, numberExpr <- "123")) // GOOD
-	try db.run(table.insert(idExpr <- id, numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(table.insert(idExpr <- id, numberExpr <- mobilePhoneNumber)) // BAD (sensitive data)
 
 	try db.run(table.update(numberExpr <- "123")) // GOOD
-	try db.run(table.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(table.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data)
 	try db.run(filter.update(numberExpr <- "123")) // GOOD
-	try db.run(filter.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(filter.update(numberExpr <- mobilePhoneNumber)) // BAD (sensitive data)
 	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: "456"))) // GOOD
-	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: mobilePhoneNumber))) // BAD (sensitive data) [NOT DETECTED]
+	try db.run(table.update(numberExpr <- numberExpr.replace("123", with: mobilePhoneNumber))) // BAD (sensitive data)
 	// (much more complex query construction is possible in SQLite.swift)
 }

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,17 @@ private class CleartextStorageDatabaseSinks extends SinkModelCsv {`
`139`	`139`	`";Statement;true;bind(_:);;;Argument[0];database-store",`
`140`	`140`	`";Statement;true;run(_:);;;Argument[0];database-store",`
`141`	`141`	`";Statement;true;scalar(_:);;;Argument[0];database-store",`
	`142`	`+ ";QueryType;true;insert(_:);;;Argument[0];database-store",`
	`143`	`+ ";QueryType;true;insert(_:_:);;;Argument[0..1];database-store",`
	`144`	`+ ";QueryType;true;insert(or:_:);;;Argument[1];database-store",`
	`145`	`+ ";QueryType;true;insertMany(_:);;;Argument[0];database-store",`
	`146`	`+ ";QueryType;true;insertMany(or:_:);;;Argument[1];database-store",`
	`147`	`+ ";QueryType;true;upsert(_:onConflictOf:);;;Argument[0];database-store",`
	`148`	`+ ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[0];database-store",`
	`149`	`+ ";QueryType;true;upsert(_:onConflictOf:setValues:);;;Argument[2];database-store",`
	`150`	`+ ";QueryType;true;update(_:);;;Argument[0];database-store",`
	`151`	`+ ";QueryType;true;update(_:_:);;;Argument[0..1];database-store",`
	`152`	`+ ";QueryType;true;update(or:_:);;;Argument[1];database-store",`
`142`	`153`	`]`
`143`	`154`	`}`
`144`	`155`	`}`