Initial commit

maikypedia · maikypedia · commit e45a31744f31 · 2023-07-09T04:17:35.000+02:00
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionExtensions.qll
@@ -0,0 +1,50 @@
+/**
+ * Provides classes and predicates for reasoning about system
+ * commands built from user-controlled sources (that is, command injection
+ * vulnerabilities).
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
+
+/**
+ * A dataflow sink for command injection vulnerabilities.
+ */
+abstract class CommandInjectionSink extends DataFlow::Node { }
+
+/**
+ * A barrier for command injection vulnerabilities.
+ */
+abstract class CommandInjectionBarrier extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional flow steps.
+ */
+class CommandInjectionAdditionalFlowStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a flow
+   * step for paths related to command injection vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/** An expression of type `Process`. */
+private class ProcessRef extends Expr {
+  ProcessRef() {
+    this.getType() instanceof ProcessType or
+    this.getType() = any(OptionalType t | t.getBaseType() instanceof ProcessType)
+  }
+}
+
+/** The type `Process`. */
+private class ProcessType extends NominalType {
+  ProcessType() { this.getFullName() = "Process" }
+}
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultCommandInjectionSink extends CommandInjectionSink {
+  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about system
+ * commands built from user-controlled sources (that is, Command injection
+ * vulnerabilities).
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import codeql.swift.security.CommandInjectionExtensions
+
+/**
+ * A taint configuration for tainted data that reaches a Command Injection sink.
+ */
+module CommandInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof CommandInjectionSink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CommandInjectionBarrier }
+}
+
+/**
+ * Detect taint flow of tainted data that reaches a Command Injection sink.
+ */
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
