Qhelp and examples

Author: maikypedia

swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll

@@ -42,9 +42,26 @@ private class ProcessType extends NominalType {
   ProcessType() { this.getFullName() = "Process" }
 }
 
+/**
+ * A `DataFlow::Node` that is an expression stored with the Realm database
+ * library.
+ */
+private class ProcessSink extends CommandInjectionSink instanceof DataFlow::Node {
+  ProcessSink() {
+    // any write into a class derived from `Process` is a sink. For
+    // example in `Process.launchPath = sensitive` the post-update node corresponding
+    // with `Process.launchPath` is a sink.
+    exists(NominalType t, Expr e |
+      t.getABaseType*().getUnderlyingType().getName() = "Process" and
+      e.getFullyConverted() = this.asExpr() and
+      e.getFullyConverted().getType() = t
+    )
+  }
+}
+
 /**
  * A sink defined in a CSV model.
  */
 private class DefaultCommandInjectionSink extends CommandInjectionSink {
-  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
+  DefaultCommandInjectionSink() { sinkNode(this, "command-line-injection") }
 }

swift/ql/src/change-notes/2023-07-12-command-injection.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added new query "Command injection" (`swift/command-line-injection`). The query finds places where user input is used to execute system commands without proper escaping.

swift/ql/src/queries/Security/CWE-078/CommandInjection.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Constructing a system command with unsanitized user input is dangerous,
+since a malicious user to execute code.
+</p>
+</overview>
+
+<recommendation>
+<p>
+If possible, use hard-coded string literals to specify the command to run. Instead of interpreting
+user input directly as command names, examine the input and then choose among hard-coded string
+literals.
+</p>
+<p>
+If this is not possible, then add sanitization code to verify that the user input is safe before
+using it.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following examples execute code from user input without
+sanitizing it first:
+</p>
+<sample src="CommandInjectionBad.swift" />
+<p>
+If user input is used to construct a regular expression it should be checked
+first. This ensures that the user cannot insert characters that have special
+meanings.
+</p>
+<sample src="CommandInjectionGood.swift" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-078/CommandInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name System command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id swift/command-line-injection
+ * @tags security
+ *       external/cwe/cwe-078
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
+
+from CommandInjectionFlow::PathNode sourceNode, CommandInjectionFlow::PathNode sinkNode
+where CommandInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This command depends on a $@.",
+  sourceNode.getNode(), "user-provided value"

swift/ql/src/queries/Security/CWE-078/CommandInjectionBad.swift

@@ -0,0 +1,5 @@
+var task = Process()
+task.launchPath = "/bin/bash"
+task.arguments = ["-c", userControlledString] // BAD
+
+task.launch()

swift/ql/src/queries/Security/CWE-078/CommandInjectionGood.swift

@@ -0,0 +1,13 @@
+func validateCommand(_ command: String) -> String? {
+    let allowedCommands = ["ls -l", "pwd", "echo"]
+    if allowedCommands.contains(command) {
+        return command
+    }
+    return nil
+}
+
+var task = Process()
+task.launchPath = "/bin/bash"
+task.arguments = ["-c", validateCommand(userControlledString)] // GOOD
+
+task.launch()