hohn/codeql-info
1
0
Fork 0
mirror of https://github.com/hohn/codeql-info.git synced 2025-12-16 20:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
codeql-info/ql/docs/language/learn-ql/build.html-5f4acb8/codeql-language-guides/analyzing-data-flow-in-swift.html
Michael Hohn e52393de06 Build class-based dataflow documentation
2023-11-20 11:57:03 -08:00

485 lines
33 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Analyzing data flow in Swift &#8212; CodeQL</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/alabaster.css?v=93459777" />
<script src="../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="icon" href="../_static/favicon.ico"/>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="QL language reference" href="../ql-language-reference/index.html" />
<link rel="prev" title="Basic query for Swift code" href="basic-query-for-swift-code.html" />
<title>CodeQL docs</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="stylesheet" href="../_static/primer.css" type="text/css" />
</head><body>
<header class="Header">
<div class="Header-item--full">
<a href="https://codeql.github.com/docs" class="Header-link f2 d-flex flex-items-center">
<!-- <%= octicon "mark-github", class: "mr-2", height: 32 %> -->
<svg height="32" class="octicon octicon-mark-github mr-2" viewBox="0 0 16 16" version="1.1" width="32"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
<span class="hide-sm">CodeQL documentation</span>
</a>
</div>
<div class="Header-item hide-sm hide-md">
<script src="https://addsearch.com/js/?key=93b4d287e2fc079a4089412b669785d5&categories=!0xhelp.semmle.com,0xcodeql.github.com,1xdocs,1xcodeql-standard-libraries,1xcodeql-query-help"></script>
</div>
<div class="Header-item">
<details class="dropdown details-reset details-overlay d-inline-block">
<summary class="btn bg-gray-dark text-white border" aria-haspopup="true">
CodeQL resources
<div class="dropdown-caret"></div>
</summary>
<ul class="dropdown-menu dropdown-menu-se dropdown-menu-dark">
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL tools
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-for-visual-studio-code">CodeQL for VS Code</a>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-cli">CodeQL CLI</a>
</li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL guides
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/writing-codeql-queries">Writing CodeQL queries</a></li>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-language-guides">CodeQL language guides</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Reference docs
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/ql-language-reference/">QL language
reference</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-standard-libraries">CodeQL
standard-libraries</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-query-help">CodeQL
query help</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Source files
</div>
<li><a class="dropdown-item" href="https://github.com/github/codeql">CodeQL repository</a>
</ul>
</details>
</div>
</header>
<main class="bg-gray-light clearfix">
<nav class="SideNav position-sticky top-0 col-lg-3 col-md-3 float-left p-4 hide-sm hide-md overflow-y-auto">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../codeql-overview/index.html">CodeQL overview</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-for-visual-studio-code/index.html">CodeQL for Visual Studio Code</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-cli/index.html">CodeQL CLI</a></li>
<li class="toctree-l1"><a class="reference internal" href="../writing-codeql-queries/index.html">Writing CodeQL queries</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">CodeQL language guides</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="codeql-for-cpp.html">CodeQL for C and C++</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-csharp.html">CodeQL for C#</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-go.html">CodeQL for Go</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-java.html">CodeQL for Java and Kotlin</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-javascript.html">CodeQL for JavaScript and TypeScript</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-python.html">CodeQL for Python</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-ruby.html">CodeQL for Ruby</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="codeql-for-swift.html">CodeQL for Swift</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="basic-query-for-swift-code.html">Basic query for Swift code</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">Analyzing data flow in Swift</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../ql-language-reference/index.html">QL language reference</a></li>
</ul>
</nav>
<div class="body col-sm-12 col-md-9 col-lg-9 float-left border-left">
<div class="hide-lg hide-xl px-4 pt-4">
<div class="related" role="navigation" aria-label="related navigation">
<ul>
<li class="nav-item nav-item-0"><a href="../contents.html">CodeQL</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="index.html"
>CodeQL language guides</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="codeql-for-swift.html"
accesskey="U">CodeQL for Swift</a> &#187;</li>
</ul>
</div>
</div>
<article class="p-4 col-lg-10 col-md-10 col-sm-12">
<section id="analyzing-data-flow-in-swift">
<span id="id1"></span><h1>Analyzing data flow in Swift<a class="headerlink" href="#analyzing-data-flow-in-swift" title="Link to this heading"></a></h1>
<p>You can use CodeQL to track the flow of data through a Swift program to places where the data is used.</p>
<blockquote>
<div><blockquote class="pull-quote">
<div><p>Note</p>
<p>CodeQL analysis for Swift is currently in beta. During the beta, analysis of Swift code,
and the accompanying documentation, will not be as comprehensive as for other languages.</p>
</div></blockquote>
</div></blockquote>
<section id="about-this-article">
<h2>About this article<a class="headerlink" href="#about-this-article" title="Link to this heading"></a></h2>
<p>This article describes how data flow analysis is implemented in the CodeQL libraries for Swift and includes examples to help you write your own data flow queries.
The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking.
For a more general introduction to modeling data flow, see “<a class="reference internal" href="../writing-codeql-queries/about-data-flow-analysis.html#about-data-flow-analysis"><span class="std std-ref">About data flow analysis</span></a>.”</p>
</section>
<section id="local-data-flow">
<h2>Local data flow<a class="headerlink" href="#local-data-flow" title="Link to this heading"></a></h2>
<p>Local data flow tracks the flow of data within a single function. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.</p>
<section id="using-local-data-flow">
<h3>Using local data flow<a class="headerlink" href="#using-local-data-flow" title="Link to this heading"></a></h3>
<p>You can use the local data flow library by importing the <code class="docutils literal notranslate"><span class="pre">DataFlow</span></code> module. The library uses the class <code class="docutils literal notranslate"><span class="pre">Node</span></code> to represent any element through which data can flow.
The <code class="docutils literal notranslate"><span class="pre">Node</span></code> class has a number of useful subclasses, such as <code class="docutils literal notranslate"><span class="pre">ExprNode</span></code> for expressions and <code class="docutils literal notranslate"><span class="pre">ParameterNode</span></code> for parameters. You can map between data flow nodes and expressions/control-flow nodes using the member predicates <code class="docutils literal notranslate"><span class="pre">asExpr</span></code> and <code class="docutils literal notranslate"><span class="pre">getCfgNode</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>class Node {
/**
* Gets the expression that corresponds to this node, if any.
*/
Expr asExpr() { ... }
/**
* Gets the control flow node that corresponds to this data flow node.
*/
ControlFlowNode getCfgNode() { ... }
...
}
</pre></div>
</div>
<p>You can use the predicates <code class="docutils literal notranslate"><span class="pre">exprNode</span></code> and <code class="docutils literal notranslate"><span class="pre">parameterNode</span></code> to map from expressions and parameters to their data-flow node:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>/**
* Gets a node corresponding to expression `e`.
*/
ExprNode exprNode(DataFlowExpr e) { result.asExpr() = e }
/**
* Gets the node corresponding to the value of parameter `p` at function entry.
*/
ParameterNode parameterNode(DataFlowParameter p) { result.getParameter() = p }
</pre></div>
</div>
<p>There can be multiple data-flow nodes associated with a single expression node in the AST.</p>
<p>The predicate <code class="docutils literal notranslate"><span class="pre">localFlowStep(Node</span> <span class="pre">nodeFrom,</span> <span class="pre">Node</span> <span class="pre">nodeTo)</span></code> holds if there is an immediate data flow edge from the node <code class="docutils literal notranslate"><span class="pre">nodeFrom</span></code> to the node <code class="docutils literal notranslate"><span class="pre">nodeTo</span></code>.
You can apply the predicate recursively, by using the <code class="docutils literal notranslate"><span class="pre">+</span></code> and <code class="docutils literal notranslate"><span class="pre">*</span></code> operators, or you can use the predefined recursive predicate <code class="docutils literal notranslate"><span class="pre">localFlow</span></code>.</p>
<p>For example, you can find flow from an expression <code class="docutils literal notranslate"><span class="pre">source</span></code> to an expression <code class="docutils literal notranslate"><span class="pre">sink</span></code> in zero or more local steps:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink))
</pre></div>
</div>
</section>
<section id="using-local-taint-tracking">
<h3>Using local taint tracking<a class="headerlink" href="#using-local-taint-tracking" title="Link to this heading"></a></h3>
<p>Local taint tracking extends local data flow to include flow steps where values are not preserved, such as string manipulation.
For example:</p>
<div class="highlight-swift notranslate"><div class="highlight"><pre><span></span><span class="n">temp</span> <span class="p">=</span> <span class="n">x</span>
<span class="n">y</span> <span class="p">=</span> <span class="n">temp</span> <span class="o">+</span> <span class="s">&quot;, &quot;</span> <span class="o">+</span> <span class="n">temp</span>
</pre></div>
</div>
<p>If <code class="docutils literal notranslate"><span class="pre">x</span></code> is a tainted string then <code class="docutils literal notranslate"><span class="pre">y</span></code> is also tainted.</p>
<p>The local taint tracking library is in the module <code class="docutils literal notranslate"><span class="pre">TaintTracking</span></code>.
Like local data flow, a predicate <code class="docutils literal notranslate"><span class="pre">localTaintStep(DataFlow::Node</span> <span class="pre">nodeFrom,</span> <span class="pre">DataFlow::Node</span> <span class="pre">nodeTo)</span></code> holds if there is an immediate taint propagation edge from the node <code class="docutils literal notranslate"><span class="pre">nodeFrom</span></code> to the node <code class="docutils literal notranslate"><span class="pre">nodeTo</span></code>.
You can apply the predicate recursively, by using the <code class="docutils literal notranslate"><span class="pre">+</span></code> and <code class="docutils literal notranslate"><span class="pre">*</span></code> operators, or you can use the predefined recursive predicate <code class="docutils literal notranslate"><span class="pre">localTaint</span></code>.</p>
<p>For example, you can find taint propagation from an expression <code class="docutils literal notranslate"><span class="pre">source</span></code> to an expression <code class="docutils literal notranslate"><span class="pre">sink</span></code> in zero or more local steps:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>TaintTracking::localTaint(DataFlow::exprNode(source), DataFlow::exprNode(sink))
</pre></div>
</div>
</section>
<section id="examples-of-local-data-flow">
<h3>Examples of local data flow<a class="headerlink" href="#examples-of-local-data-flow" title="Link to this heading"></a></h3>
<p>This query finds the <code class="docutils literal notranslate"><span class="pre">format</span></code> argument passed into each call to <code class="docutils literal notranslate"><span class="pre">String.init(format:_:)</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
from CallExpr call, Method method
where
call.getStaticTarget() = method and
method.hasQualifiedName(&quot;String&quot;, &quot;init(format:_:)&quot;)
select call.getArgument(0).getExpr()
</pre></div>
</div>
<p>Unfortunately this will only give the expression in the argument, not the values which could be passed to it.
So we use local data flow to find all expressions that flow into the argument:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
import codeql.swift.dataflow.DataFlow
from CallExpr call, Method method, Expr sourceExpr, Expr sinkExpr
where
call.getStaticTarget() = method and
method.hasQualifiedName(&quot;String&quot;, &quot;init(format:_:)&quot;) and
sinkExpr = call.getArgument(0).getExpr() and
DataFlow::localFlow(DataFlow::exprNode(sourceExpr), DataFlow::exprNode(sinkExpr))
select sourceExpr, sinkExpr
</pre></div>
</div>
<p>We can vary the source, for example, making the source the parameter of a function rather than an expression. The following query finds where a parameter is used for the format:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
import codeql.swift.dataflow.DataFlow
from CallExpr call, Method method, ParamDecl sourceParam, Expr sinkExpr
where
call.getStaticTarget() = method and
method.hasQualifiedName(&quot;String&quot;, &quot;init(format:_:)&quot;) and
sinkExpr = call.getArgument(0).getExpr() and
DataFlow::localFlow(DataFlow::parameterNode(sourceParam), DataFlow::exprNode(sinkExpr))
select sourceParam, sinkExpr
</pre></div>
</div>
<p>The following example finds calls to <code class="docutils literal notranslate"><span class="pre">String.init(format:_:)</span></code> where the format string is not a hard-coded string literal:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
import codeql.swift.dataflow.DataFlow
from CallExpr call, Method method, DataFlow::Node sinkNode
where
call.getStaticTarget() = method and
method.hasQualifiedName(&quot;String&quot;, &quot;init(format:_:)&quot;) and
sinkNode.asExpr() = call.getArgument(0).getExpr() and
not exists(StringLiteralExpr sourceLiteral |
DataFlow::localFlow(DataFlow::exprNode(sourceLiteral), sinkNode)
)
select call, &quot;Format argument to &quot; + method.getName() + &quot; isn&#39;t hard-coded.&quot;
</pre></div>
</div>
</section>
</section>
<section id="global-data-flow">
<h2>Global data flow<a class="headerlink" href="#global-data-flow" title="Link to this heading"></a></h2>
<p>Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow.
However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform.</p>
<blockquote class="pull-quote">
<div><p>Note</p>
<p>You can model data flow paths in CodeQL by creating path queries. To view data flow paths generated by a path query in CodeQL for VS Code, you need to make sure that it has the correct metadata and <code class="docutils literal notranslate"><span class="pre">select</span></code> clause. For more information, see <a class="reference internal" href="../writing-codeql-queries/creating-path-queries.html#creating-path-queries"><span class="std std-ref">Creating path queries</span></a>.</p>
</div></blockquote>
<section id="using-global-data-flow">
<h3>Using global data flow<a class="headerlink" href="#using-global-data-flow" title="Link to this heading"></a></h3>
<p>You can use the global data flow library by implementing the module <code class="docutils literal notranslate"><span class="pre">DataFlow::ConfigSig</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import codeql.swift.dataflow.DataFlow
module MyDataFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
...
}
predicate isSink(DataFlow::Node sink) {
...
}
}
module MyDataFlow = DataFlow::Global&lt;MyDataFlowConfiguration&gt;;
</pre></div>
</div>
<p>These predicates are defined in the configuration:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">isSource</span></code> - defines where data may flow from.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">isSink</span></code> - defines where data may flow to.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">isBarrier</span></code> - optionally, restricts the data flow.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">isAdditionalFlowStep</span></code> - optionally, adds additional flow steps.</p></li>
</ul>
<p>The last line (<code class="docutils literal notranslate"><span class="pre">module</span> <span class="pre">MyDataFlow</span> <span class="pre">=</span> <span class="pre">...</span></code>) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using <code class="docutils literal notranslate"><span class="pre">MyDataFlow::flow(DataFlow::Node</span> <span class="pre">source,</span> <span class="pre">DataFlow::Node</span> <span class="pre">sink)</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>from DataFlow::Node source, DataFlow::Node sink
where MyDataFlow::flow(source, sink)
select source, &quot;Dataflow to $@.&quot;, sink, sink.toString()
</pre></div>
</div>
</section>
<section id="using-global-taint-tracking">
<h3>Using global taint tracking<a class="headerlink" href="#using-global-taint-tracking" title="Link to this heading"></a></h3>
<p>Global taint tracking is to global data flow what local taint tracking is to local data flow.
That is, global taint tracking extends global data flow with additional non-value-preserving steps.
The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using <code class="docutils literal notranslate"><span class="pre">TaintTracking::Global</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>module MyTaintFlow = TaintTracking::Global&lt;MyDataFlowConfiguration&gt;;
from DataFlow::Node source, DataFlow::Node sink
where MyTaintFlow::flow(source, sink)
select source, &quot;Taint flow to $@.&quot;, sink, sink.toString()
</pre></div>
</div>
</section>
<section id="predefined-sources">
<h3>Predefined sources<a class="headerlink" href="#predefined-sources" title="Link to this heading"></a></h3>
<p>The data flow library module <code class="docutils literal notranslate"><span class="pre">codeql.swift.dataflow.FlowSources</span></code> contains a number of predefined sources that you can use to write security queries to track data flow and taint flow.</p>
<ul class="simple">
<li><p>The class <code class="docutils literal notranslate"><span class="pre">RemoteFlowSource</span></code> represents data flow from remote network inputs and from other applications.</p></li>
<li><p>The class <code class="docutils literal notranslate"><span class="pre">LocalFlowSource</span></code> represents data flow from local user input.</p></li>
<li><p>The class <code class="docutils literal notranslate"><span class="pre">FlowSource</span></code> includes both of the above.</p></li>
</ul>
</section>
<section id="examples-of-global-data-flow">
<h3>Examples of global data flow<a class="headerlink" href="#examples-of-global-data-flow" title="Link to this heading"></a></h3>
<dl class="simple">
<dt>The following global taint-tracking query finds places where a string literal is used in a function call argument named “password”.</dt><dd><ul class="simple">
<li><p>Since this is a taint-tracking query, the <code class="docutils literal notranslate"><span class="pre">TaintTracking::Global</span></code> module is used.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">isSource</span></code> predicate defines sources as any <code class="docutils literal notranslate"><span class="pre">StringLiteralExpr</span></code>.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">isSink</span></code> predicate defines sinks as arguments to a <code class="docutils literal notranslate"><span class="pre">CallExpr</span></code> called “password”.</p></li>
<li><p>The sources and sinks may need tuning to a particular use, for example, if passwords are represented by a type other than <code class="docutils literal notranslate"><span class="pre">String</span></code> or passed in arguments of a different name than “password”.</p></li>
</ul>
</dd>
</dl>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
import codeql.swift.dataflow.DataFlow
import codeql.swift.dataflow.TaintTracking
module ConstantPasswordConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
predicate isSink(DataFlow::Node node) {
// any argument called `password`
exists(CallExpr call | call.getArgumentWithLabel(&quot;password&quot;).getExpr() = node.asExpr())
}
module ConstantPasswordFlow = TaintTracking::Global&lt;ConstantPasswordConfig&gt;;
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where ConstantPasswordFlow::flow(sourceNode, sinkNode)
select sinkNode, &quot;The value $@ is used as a constant password.&quot;, sourceNode, sourceNode.toString()
</pre></div>
</div>
<dl class="simple">
<dt>The following global taint-tracking query finds places where a value from a remote or local user input is used as an argument to the SQLite <code class="docutils literal notranslate"><span class="pre">Connection.execute(_:)</span></code> function.</dt><dd><ul class="simple">
<li><p>Since this is a taint-tracking query, the <code class="docutils literal notranslate"><span class="pre">TaintTracking::Global</span></code> module is used.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">isSource</span></code> predicate defines sources as a <code class="docutils literal notranslate"><span class="pre">FlowSource</span></code> (remote or local user input).</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">isSink</span></code> predicate defines sinks as the first argument in any call to <code class="docutils literal notranslate"><span class="pre">Connection.execute(_:)</span></code>.</p></li>
</ul>
</dd>
</dl>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import swift
import codeql.swift.dataflow.DataFlow
import codeql.swift.dataflow.TaintTracking
import codeql.swift.dataflow.FlowSources
module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
predicate isSink(DataFlow::Node node) {
exists(CallExpr call |
call.getStaticTarget().(Method).hasQualifiedName(&quot;Connection&quot;, &quot;execute(_:)&quot;) and
call.getArgument(0).getExpr() = node.asExpr()
)
}
}
module SqlInjectionFlow = TaintTracking::Global&lt;SqlInjectionConfig&gt;;
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where SqlInjectionFlow::flow(sourceNode, sinkNode)
select sinkNode, &quot;This query depends on a $@.&quot;, sourceNode, &quot;user-provided value&quot;
</pre></div>
</div>
</section>
</section>
<section id="further-reading">
<h2>Further reading<a class="headerlink" href="#further-reading" title="Link to this heading"></a></h2>
<ul class="simple">
<li><p><a class="reference internal" href="../codeql-for-visual-studio-code/exploring-data-flow-with-path-queries.html#exploring-data-flow-with-path-queries"><span class="std std-ref">Exploring data flow with path queries</span></a></p></li>
</ul>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/github/codeql/tree/main/swift/ql/src/queries">CodeQL queries for Swift</a></p></li>
<li><p><a class="reference external" href="https://github.com/github/codeql/tree/main/swift/ql/examples">Example queries for Swift</a></p></li>
<li><p><a class="reference external" href="https://codeql.github.com/codeql-standard-libraries/swift/">CodeQL library reference for Swift</a></p></li>
</ul>
<ul class="simple">
<li><p><a class="reference internal" href="../ql-language-reference/index.html#ql-language-reference"><span class="std std-ref">QL language reference</span></a></p></li>
<li><p><a class="reference internal" href="../codeql-overview/codeql-tools.html#codeql-tools"><span class="std std-ref">CodeQL tools</span></a></p></li>
</ul>
</section>
</section>
</article>
<!-- GitHub footer, with links to terms and privacy statement -->
<div class="px-3 px-md-6 f6 py-4 d-sm-flex flex-justify-between flex-row-reverse flex-items-center border-top">
<ul class="list-style-none d-flex flex-items-center mb-3 mb-sm-0 lh-condensed-ultra">
<li class="mr-3">
<a href="https://twitter.com/github" title="GitHub on Twitter" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 273.5 222.3" class="d-block" height="18">
<path
d="M273.5 26.3a109.77 109.77 0 0 1-32.2 8.8 56.07 56.07 0 0 0 24.7-31 113.39 113.39 0 0 1-35.7 13.6 56.1 56.1 0 0 0-97 38.4 54 54 0 0 0 1.5 12.8A159.68 159.68 0 0 1 19.1 10.3a56.12 56.12 0 0 0 17.4 74.9 56.06 56.06 0 0 1-25.4-7v.7a56.11 56.11 0 0 0 45 55 55.65 55.65 0 0 1-14.8 2 62.39 62.39 0 0 1-10.6-1 56.24 56.24 0 0 0 52.4 39 112.87 112.87 0 0 1-69.7 24 119 119 0 0 1-13.4-.8 158.83 158.83 0 0 0 86 25.2c103.2 0 159.6-85.5 159.6-159.6 0-2.4-.1-4.9-.2-7.3a114.25 114.25 0 0 0 28.1-29.1"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.facebook.com/GitHub" title="GitHub on Facebook" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 15.3 15.4" class="d-block" height="18">
<path
d="M14.5 0H.8a.88.88 0 0 0-.8.9v13.6a.88.88 0 0 0 .8.9h7.3v-6h-2V7.1h2V5.4a2.87 2.87 0 0 1 2.5-3.1h.5a10.87 10.87 0 0 1 1.8.1v2.1h-1.3c-1 0-1.1.5-1.1 1.1v1.5h2.3l-.3 2.3h-2v5.9h3.9a.88.88 0 0 0 .9-.8V.8a.86.86 0 0 0-.8-.8z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.youtube.com/github" title="GitHub on YouTube" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.17 13.6" class="d-block" height="16">
<path
d="M18.77 2.13A2.4 2.4 0 0 0 17.09.42C15.59 0 9.58 0 9.58 0a57.55 57.55 0 0 0-7.5.4A2.49 2.49 0 0 0 .39 2.13 26.27 26.27 0 0 0 0 6.8a26.15 26.15 0 0 0 .39 4.67 2.43 2.43 0 0 0 1.69 1.71c1.52.42 7.5.42 7.5.42a57.69 57.69 0 0 0 7.51-.4 2.4 2.4 0 0 0 1.68-1.71 25.63 25.63 0 0 0 .4-4.67 24 24 0 0 0-.4-4.69zM7.67 9.71V3.89l5 2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3 flex-self-start">
<a href="https://www.linkedin.com/company/github" title="GitHub on Linkedin" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19 18" class="d-block" height="18">
<path
d="M3.94 2A2 2 0 1 1 2 0a2 2 0 0 1 1.94 2zM4 5.48H0V18h4zm6.32 0H6.34V18h3.94v-6.57c0-3.66 4.77-4 4.77 0V18H19v-7.93c0-6.17-7.06-5.94-8.72-2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li>
<a href="https://github.com/github" title="GitHub's organization" style="color: #959da5;">
<svg version="1.1" width="20" height="20" viewBox="0 0 16 16" class="octicon octicon-mark-github"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
</a>
</li>
</ul>
<ul class="list-style-none d-flex text-gray">
<li class="mr-3">&copy;
<script type="text/javascript">document.write(new Date().getFullYear());</script> GitHub, Inc.</li>
<li class="mr-3"><a
href="https://docs.github.com/github/site-policy/github-terms-of-service"
class="link-gray">Terms </a></li>
<li><a href="https://docs.github.com/github/site-policy/github-privacy-statement"
class="link-gray">Privacy </a></li>
</ul>
</div>
</div>
</main>
<script type="text/javascript">
$(document).ready(function () {
$(".toggle > *").hide();
$(".toggle .name").show();
$(".toggle .name").click(function () {
$(this).parent().children().not(".name").toggle(400);
$(this).parent().children(".name").toggleClass("open");
})
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink