Swift: Model Connection.Location.uri sink.

geoffw0 · geoffw0 · commit 5f8f1b64c66c · 2023-07-11T18:10:43.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -47,6 +47,23 @@ private class GlobalVariablePathInjectionSink extends PathInjectionSink {
   }
 }
 
+/**
+ * A sink that is a write to a global variable.
+ */
+private class EnumConstructorPathInjectionSink extends PathInjectionSink {
+  EnumConstructorPathInjectionSink() {
+    // first argument to `Connection.Location.uri(_:parameters:)`
+    exists(ApplyExpr ae, EnumElementDecl decl, NominalTypeDecl parent |
+      ae.getFunction().(MethodLookupExpr).getMember() = decl and
+      decl.getName() = "uri" and
+      decl.getDeclaringDecl() = parent and
+      parent.getName() = "Location" and
+      parent.getDeclaringDecl().(NominalTypeDecl).(NominalTypeDecl).getName() = "Connection" and
+      this.asExpr() = ae.getArgument(0).getExpr()
+    )
+  }
+}
+
 private class DefaultPathInjectionBarrier extends PathInjectionBarrier {
   DefaultPathInjectionBarrier() {
     // This is a simplified implementation.
@@ -154,7 +171,6 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";;false;sqlite3_filename_wal(_:);;;Argument[0];path-injection",
         ";;false;sqlite3_free_filename(_:);;;Argument[0];path-injection",
         // SQLite.swift
-        ";Connection.Location.uri;true;init(_:parameters:);;;Argument[0];path-injection",
         ";Connection;true;init(_:readonly:);;;Argument[0];path-injection",
       ]
   }
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -388,7 +388,7 @@ func test(buffer1: UnsafeMutablePointer<UInt8>, buffer2: UnsafeMutablePointer<UI
 
     try! _ = Connection()
     try! _ = Connection(Connection.Location.uri("myFile.sqlite3")) // GOOD
-    try! _ = Connection(Connection.Location.uri(remoteString)) // $ MISSING: hasPathInjection=253
+    try! _ = Connection(Connection.Location.uri(remoteString)) // $ hasPathInjection=253
     try! _ = Connection("myFile.sqlite3") // GOOD
     try! _ = Connection(remoteString) // $ hasPathInjection=253
 }

Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,7 @@ func test(buffer1: UnsafeMutablePointer<UInt8>, buffer2: UnsafeMutablePointer<UI`
`388`	`388`
`389`	`389`	`try! _ = Connection()`
`390`	`390`	`try! _ = Connection(Connection.Location.uri("myFile.sqlite3")) // GOOD`
`391`		`- try! _ = Connection(Connection.Location.uri(remoteString)) // $ MISSING: hasPathInjection=253`
	`391`	`+ try! _ = Connection(Connection.Location.uri(remoteString)) // $ hasPathInjection=253`
`392`	`392`	`try! _ = Connection("myFile.sqlite3") // GOOD`
`393`	`393`	`try! _ = Connection(remoteString) // $ hasPathInjection=253`
`394`	`394`	`}`