Swift: Fix sqlite3_temp_directory sink.

geoffw0 · geoffw0 · commit ebb379f08c53 · 2023-07-11T16:50:42.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -33,6 +33,20 @@ private class DefaultPathInjectionSink extends PathInjectionSink {
   DefaultPathInjectionSink() { sinkNode(this, "path-injection") }
 }
 
+/**
+ * A sink that is a write to a global variable.
+ */
+private class GlobalVariablePathInjectionSink extends PathInjectionSink {
+  GlobalVariablePathInjectionSink() {
+    // value assigned to global variable `sqlite3_temp_directory`
+    // the sink should be the `DeclRefExpr` itself, but we don't currently have taint flow to globals.
+    exists(AssignExpr ae |
+      ae.getDest().(DeclRefExpr).getDecl().(VarDecl).getName() = "sqlite3_temp_directory" and
+      ae.getSource() = this.asExpr()
+    )
+  }
+}
+
 private class DefaultPathInjectionBarrier extends PathInjectionBarrier {
   DefaultPathInjectionBarrier() {
     // This is a simplified implementation.
@@ -139,7 +153,6 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";;false;sqlite3_filename_journal(_:);;;Argument[0];path-injection",
         ";;false;sqlite3_filename_wal(_:);;;Argument[0];path-injection",
         ";;false;sqlite3_free_filename(_:);;;Argument[0];path-injection",
-        ";;false;sqlite3_temp_directory;;;PostUpdate;path-injection",
         // SQLite.swift
         ";Connection.Location.uri;true;init(_:parameters:);;;Argument[0];path-injection",
         ";Connection;true;init(_:readonly:);;;Argument[0];path-injection",
diff --git a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -382,7 +382,7 @@ func test(buffer1: UnsafeMutablePointer<UInt8>, buffer2: UnsafeMutablePointer<UI
     _ = sqlite3_open_v2(remoteString, &db, 0, nil) // $ hasPathInjection=253
 
     sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: "myFile.sqlite3").utf8String) // GOOD
-    sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ MISSING: hasPathInjection=253
+    sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ hasPathInjection=253
 
     // SQLite.swift
 
