Swift: Add the four complete examples from the doc pages to the examples directory.

Author: geoffw0

swift/ql/examples/snippets/empty_if.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Empty 'if' statement
+ * @description Finds 'if' statements where the "then" branch is empty and no
+ *              "else" branch exists.
+ * @id swift/examples/empty-if
+ * @tags example
+ */
+
+import swift
+
+from IfStmt ifStmt
+where
+  ifStmt.getThen().(BraceStmt).getNumberOfElements() = 0 and
+  not exists(ifStmt.getElse())
+select ifStmt, "This 'if' statement is redundant."

swift/ql/examples/snippets/simple_constant_password.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Constant password
+ * @description Finds places where a string literal is used in a function call
+ *              argument named "password".
+ * @id swift/examples/simple-constant-password
+ * @tags example
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+
+module ConstantPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
+
+  predicate isSink(DataFlow::Node node) {
+    // any argument called `password`
+    exists(CallExpr call | call.getArgumentWithLabel("password").getExpr() = node.asExpr())
+  }
+}
+
+module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
+
+from DataFlow::Node sourceNode, DataFlow::Node sinkNode
+where ConstantPasswordFlow::flow(sourceNode, sinkNode)
+select sinkNode, "The value '" + sourceNode.toString() + "' is used as a constant password."

swift/ql/examples/snippets/simple_sql_injection.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Finds places where a value from a remote or local user input
+ *              is used as an argument to the SQLite ``Connection.execute(_:)``
+ *              function.
+ * @id swift/examples/simple-sql-injection
+ * @tags example
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("Connection", ["execute(_:)"]) and
+      call.getArgument(0).getExpr() = node.asExpr()
+    )
+  }
+}
+
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
+
+from DataFlow::Node sourceNode, DataFlow::Node sinkNode
+where SqlInjectionFlow::flow(sourceNode, sinkNode)
+select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"

swift/ql/examples/snippets/simple_uncontrolled_string_format.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Uncontrolled format string
+ * @description Finds calls to ``String.init(format:_:)`` where the format
+ *              string is not a hard-coded string literal.
+ * @id swift/examples/simple-uncontrolled-format-string
+ * @tags example
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+from CallExpr call, MethodDecl method, Expr sinkExpr
+where
+  call.getStaticTarget() = method and
+  method.hasQualifiedName("String", "init(format:_:)") and
+  sinkExpr = call.getArgument(0).getExpr() and
+  not exists(StringLiteralExpr sourceLiteral |
+    DataFlow::localFlow(DataFlow::exprNode(sourceLiteral), DataFlow::exprNode(sinkExpr))
+  )
+select call, "Format argument to " + method.getName() + " isn't hard-coded."