
Commit 7b9b96d

committed
Swift: Unify the two sink models into one (needs further polish).
1 parent 8c2140b commit 7b9b96d

3 files changed

+226
-59
lines changed


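--- a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -30,29 +30,18 @@ class CommandInjectionAdditionalFlowStep extends Unit {
 }
 
 /**
- * A reference to any member of `Process`.
+ * An additional taint step for command injection vulnerabilities.
  */
-private class ProcessHost extends MemberRefExpr {
-  ProcessHost() { this.getBase() instanceof ProcessRef }
-}
-
-/**
- * An expression of type `Process`.
- */
-private class ProcessRef extends Expr {
-  ProcessRef() {
-    this.getType() instanceof ProcessType or
-    this.getType() = any(OptionalType t | t.getBaseType() instanceof ProcessType)
+private class CommandInjectionArrayAdditionalFlowStep extends CommandInjectionAdditionalFlowStep {
+  override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // needed until we have proper content flow through arrays.
+    exists(ArrayExpr arr |
+      nodeFrom.asExpr() = arr.getAnElement() and
+      nodeTo.asExpr() = arr
+    )
   }
 }
 
-/**
- * The type `Process`.
- */
-private class ProcessType extends NominalType {
-  ProcessType() { this.getFullName() = "Process" }
-}
-
 /**
  * A `DataFlow::Node` that is written into a `Process` object.
  */
@@ -63,26 +52,9 @@ private class ProcessSink extends CommandInjectionSink instanceof DataFlow::Node
     // with `Process.launchPath` is a sink.
     exists(NominalType t, Expr e |
       t.getABaseType*().getUnderlyingType().getName() = "Process" and
-      e.getFullyConverted() = this.asExpr() and
-      e.getFullyConverted().getType() = t
-    )
-  }
-}
-
-/**
- * A `DataFlow::Node` that is written into a field of a `Process` object.
- */
-private class ProcessSink2 extends CommandInjectionSink instanceof DataFlow::Node {
-  ProcessSink2() {
-    exists(AssignExpr assign, ProcessHost s |
-      assign.getDest() = s and
-      this.asExpr() = assign.getSource()
-    )
-    or
-    exists(AssignExpr assign, ProcessHost s, ArrayExpr a |
-      assign.getDest() = s and
-      a = assign.getSource() and
-      this.asExpr() = a.getAnElement()
+      this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
+      e.getFullyConverted().getType() = t and
+      not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
     )
   }
 }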
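Review bot: The unified sink at new lines 55–57 only matches an expression whose fully-converted type is a `NominalType` deriving from `Process`, while the removed `ProcessRef` (old lines 43–45) also accepted `Optional<Process>`; unless the conversion chain unwraps the optional, a write such as `process?.arguments = args` on a `Process?` variable may silently stop being a sink, so a test case for that shape would confirm the coverage is unchanged. The exclusion `not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl` carries no explanation; a short comment stating why writes through `self` are deliberately not sinks would help the next reader judge whether subclasses of `Process` are an intended gap. The comment just above, `// with `Process.launchPath` is a sink.`, now reads stale since the sink is the post-update node of any `Process`-typed expression rather than anything specific to `launchPath`, as does the class doc comment "written into a `Process` object" which could name the post-update-node semantics. The enclosing `ProcessSink` characteristic predicate and its leading comment start outside this hunk.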
