Swift: Get the query 'working' (though lots of issues with results right now).

geoffw0 · geoffw0 · commit e74eccdd971f · 2023-06-23T16:59:25.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-116/BadTagFilter.ql b/swift/ql/src/queries/Security/CWE-116/BadTagFilter.ql
@@ -5,7 +5,7 @@
  * @problem.severity warning
  * @security-severity 7.8
  * @precision high
- * @id rb/bad-tag-filter
+ * @id swift/bad-tag-filter
  * @tags correctness
  *       security
  *       external/cwe/cwe-116
@@ -14,9 +14,12 @@
  *       external/cwe/cwe-186
  */
 
-private import codeql.ruby.regexp.RegExpTreeView::RegexTreeView as TreeView
+import codeql.swift.regex.Regex
+private import codeql.swift.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.BadTagFilterQuery::Make<TreeView>
 
 from HtmlMatchingRegExp regexp, string msg
-where msg = min(string m | isBadRegexpFilter(regexp, m) | m order by m.length(), m) // there might be multiple, we arbitrarily pick the shortest one
+where
+  // there might be multiple messages, we arbitrarily pick the shortest one
+  msg = min(string m | isBadRegexpFilter(regexp, m) | m order by m.length(), m)
 select regexp, msg
diff --git a/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected b/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected
@@ -0,0 +1,30 @@
+| test.swift:79:26:79:48 | <script.*?>.*?<\\/script> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:87:26:87:53 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:91:26:91:33 | <!--.*--> | This regular expression does not match comments containing newlines. |
+| test.swift:95:26:95:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| test.swift:99:26:99:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| test.swift:103:26:103:58 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:107:26:107:56 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:111:26:111:63 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:118:28:118:65 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:122:50:122:87 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:129:28:129:69 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:133:50:133:91 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:140:28:140:55 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:143:50:143:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:150:28:150:73 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:153:50:153:95 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:160:28:160:60 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:163:50:163:82 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:170:28:170:64 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:173:50:173:86 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:177:27:177:68 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:180:50:180:91 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:184:27:184:167 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:187:50:187:190 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:191:51:191:84 | <script\\b[^>]*>([\\s\\S]*?)<\\/script> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:195:51:195:104 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
+| test.swift:199:51:199:293 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
+| test.swift:203:51:203:77 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:207:51:207:93 | <script([^>]*)>([\\\\S\\\\s]*?)<\\/script([^>]*)> | This regular expression does not match script end tags like </script >. |
+| test.swift:211:51:211:52 | --> | This regular expression only parses --> and not --!> as a HTML comment end tag. |
diff --git a/swift/ql/test/query-tests/Security/CWE-116/test.swift b/swift/ql/test/query-tests/Security/CWE-116/test.swift
@@ -79,19 +79,19 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let re1 = try Regex(#"<script.*?>.*?<\/script>"#).ignoresCase(true)
     _ = try re1.firstMatch(in: tainted)
 
-    // BAD - doesn't match `</script >`
+    // BAD - doesn't match `</script >` [NOT DETECTED]
     let re2 = try Regex(#"<script.*?>.*?<\/script>/is"#).ignoresCase(true)
     _ = try re2.firstMatch(in: tainted)
 
-    // GOOD
+    // GOOD [FALSE POSITIVE]
     let re3 = try Regex(#"<script.*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
     _ = try re3.firstMatch(in: tainted)
 
-    // GOOD - we don't care regexps that only match comments
+    // GOOD - we don't care regexps that only match comments [FALSE POSITIVE]
     let re4 = try Regex(#"<!--.*-->"#).ignoresCase(true).dotMatchesNewlines(true)
     _ = try re4.firstMatch(in: tainted)
 
-    // GOOD
+    // GOOD [FALSE POSITIVE]
     let re5 = try Regex(#"<!--.*--!?>"#).ignoresCase(true).dotMatchesNewlines(true)
     _ = try re5.firstMatch(in: tainted)
 
@@ -111,7 +111,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let re9 = try Regex(#"<script(\s|\w|=|")*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
     _ = try re9.firstMatch(in: tainted)
 
-    // BAD - does not match double quotes for attribute values
+    // BAD - does not match double quotes for attribute values [NOT DETECTED]
     let re10a = try Regex(#"(?is)<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#)
     _ = try re10a.firstMatch(in: tainted)
     // BAD - does not match double quotes for attribute values
@@ -122,7 +122,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let ns10 = try NSRegularExpression(pattern: #"<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#, options: options10)
     _ = ns10.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-    // BAD - does not match tabs between attributes
+    // BAD - does not match tabs between attributes [NOT DETECTED]
     let re11a = try Regex(#"(?is)<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#)
     _ = try re11a.firstMatch(in: tainted)
     // BAD - does not match tabs between attributes
@@ -133,7 +133,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let ns11 = try NSRegularExpression(pattern: #"<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#, options: options11)
     _ = ns11.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-    // BAD - does not match uppercase SCRIPT tags
+    // BAD - does not match uppercase SCRIPT tags [NOT DETECTED]
     let re12a = try Regex(#"(?s)<script.*?>.*?<\/script[^>]*>"#)
     _ = try re12a.firstMatch(in: tainted)
     // BAD - does not match uppercase SCRIPT tags
@@ -143,7 +143,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let ns12 = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script[^>]*>"#, options: .dotMatchesLineSeparators)
     _ = ns12.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-    // BAD - does not match mixed case script tags
+    // BAD - does not match mixed case script tags [NOT DETECTED]
     let re13a = try Regex(#"(?s)<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#)
     _ = try re13a.firstMatch(in: tainted)
     // BAD - does not match mixed case script tags
@@ -153,7 +153,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let ns13 = try NSRegularExpression(pattern: #"<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#, options: .dotMatchesLineSeparators)
     _ = ns13.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-    // BAD - doesn't match newlines in the end tag
+    // BAD - doesn't match newlines in the end tag [NOT DETECTED]
     let re14a = try Regex(#"(?i)<script[^>]*?>[\s\S]*?<\/script.*>"#)
     _ = try re14a.firstMatch(in: tainted)
     // BAD - doesn't match newlines in the end tag
@@ -166,10 +166,10 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     // GOOD
     let re15a = try Regex(#"(?i)<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#)
     _ = try re15a.firstMatch(in: tainted)
-    // GOOD
+    // GOOD [FALSE POSITIVE]
     let re15b = try Regex(#"<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#).ignoresCase(true)
     _ = try re15b.firstMatch(in: tainted)
-    // GOOD
+    // GOOD [FALSE POSITIVE]
     let ns15 = try NSRegularExpression(pattern: #"<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#, options: .caseInsensitive)
     _ = ns15.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
@@ -203,7 +203,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let ns2_4 = try NSRegularExpression(pattern: #"<!--([\w\W]*?)-->|<([^>]*?)>"#)
     _ = ns2_4.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-    // GOOD - it's used with the ignorecase flag
+    // GOOD - it's used with the ignorecase flag [FALSE POSITIVE]
     let ns2_5 = try NSRegularExpression(pattern: #"<script([^>]*)>([\\S\\s]*?)<\/script([^>]*)>"#, options: .caseInsensitive)
     _ = ns2_5.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
