Add path injection sinks

This commit is contained in:
Tony Torralba
2022-12-23 17:03:52 +01:00
parent 4215a89bc8
commit 07d99bd643
2 changed files with 103 additions and 56 deletions


@@ -104,7 +104,13 @@ private class PathInjectionSinks extends SinkModelCsv {
";FileManager;true;replaceItemAtURL(originalItemURL:withItemAtURL:backupItemName:options:);;;Argument[0..1];path-injection",
";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
";NIOFileHandle;true;init(path:);;;Argument[0];path-injection"
";NIOFileHandle;true;init(path:);;;Argument[0];path-injection",
// GRDB
";Database;true;init(path:description:configuration:);;;Argument[0];path-injection",
";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
";DatabaseQueue;true;init(path:configuration:);;;Argument[0];path-injection",
";DatabaseSnapshotPool;true;init(path:configuration:);;;Argument[0];path-injection",
";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection"
]
}
}
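Review bot: The five new rows match on the bare type names `Database`, `DatabasePool`, `DatabaseQueue`, `DatabaseSnapshotPool` and `SerializedDatabase` with an empty namespace column, the same convention the `FileManager` and `NIOFileHandle` rows above use, so any Swift type carrying one of those names and a matching initializer label set will be treated as a GRDB sink, and `Database.init(path:description:configuration:)` is the row most likely to collide with an unrelated type of the same name. If the model format cannot scope rows to a module, that is worth stating next to the existing `// GRDB` comment, e.g. `// GRDB (matched by unqualified type name): opening a SQLite file at a tainted path can create or read arbitrary files`. If `Database` and `SerializedDatabase` are not part of GRDB's public API, those two rows will presumably never fire on user code; a short comment saying they are included for completeness would stop a later reader from wondering whether they are wrong. The enclosing `PathInjectionSinks` class starts before the hunk.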


@@ -91,6 +91,30 @@ class FileManager {
func replaceItemAtURL(originalItemURL: NSURL, withItemAtURL: NSURL, backupItemName: String?, options: FileManager.ItemReplacementOptions) -> NSURL? { return nil }
}
// GRDB
struct Configuration {}
class Database {
init(path: String, description: String, configuration: Configuration) {}
}
class DatabasePool {
init(path: String, configuration: Configuration) {}
}
class DatabaseQueue {
init(path: String, configuration: Configuration) {}
}
class DatabaseSnapshotPool {
init(path: String, configuration: Configuration) {}
}
class SerializedDatabase {
init(path: String, configuration: Configuration = Configuration(), defaultLabel: String, purpose: String? = nil) {}
}
// --- tests ---
func test() {
@@ -100,65 +124,82 @@ func test() {
let safeUrl = URL(string: "")!
let safeNsUrl = NSURL(string: "")!
Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=97
Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=121
let nsData = NSData()
let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=97
nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=97
let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=97
nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=97
let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=121
nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=121
let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=121
nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=121
let fm = FileManager()
let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=97
let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=97
let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=97
fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=97
let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=97
let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=97
fm.removeItem(at: remoteUrl) // $ hasPathInjection=97
fm.removeItem(atPath: remoteString) // $ hasPathInjection=97
fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=97
fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=97
fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=97
fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=97
fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=97
fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=97
let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=97
let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=97
let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=97
let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=97
let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=121
let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=121
let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=121
fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=121
let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=121
fm.removeItem(at: remoteUrl) // $ hasPathInjection=121
fm.removeItem(atPath: remoteString) // $ hasPathInjection=121
fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=121
fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=121
fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=121
fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=121
fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=121
fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=121
let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=121
let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=121
let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=121
let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=121
// Deprecated methods
let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=97
let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=97
let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=97
let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=97
let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=97
let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=121
let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=121
let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=121
let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=121
let _ = Database(path: "", description: "", configuration: Configuration()) // Safe
let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
let _ = DatabasePool(path: "", configuration: Configuration()) // Safe
let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
let _ = DatabaseQueue(path: "", configuration: Configuration()) // Safe
let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
let _ = DatabaseSnapshotPool(path: "", configuration: Configuration()) // Safe
let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=121
let _ = SerializedDatabase(path: "", defaultLabel: "") // Safe
let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=121
let _ = SerializedDatabase(path: "", defaultLabel: "", purpose: nil) // Safe
let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=121
let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "") // Safe
let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=121
let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "", purpose: nil) // Safe
}
func testSanitizers() {
@@ -170,5 +211,5 @@ func testSanitizers() {
if (filePath.lexicallyNormalized().starts(with: FilePath(stringLiteral: "/safe"))) {
fm.contents(atPath: remoteString) // Safe
}
fm.contents(atPath: remoteString) // $ hasPathInjection=165
fm.contents(atPath: remoteString) // $ hasPathInjection=206
}
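Review bot: The GRDB stubs added at the top of this section (`DatabasePool`, `DatabaseQueue`, `DatabaseSnapshotPool`, `Database`, `SerializedDatabase`) declare non-throwing initializers, so the new calls such as `let _ = DatabaseQueue(path: remoteString, configuration: Configuration())` are written without `try`; if the real GRDB initializers throw, real call sites wrap the call in a `try` expression, an AST shape these tests never exercise for the new sinks. Consider declaring the stubs `throws`, marking `test()` as `throws`, and writing the positive cases as `let _ = try DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121` so the sink is confirmed to be reached through a `try`. The `// Safe` negatives only pass the literal `""`; a negative that passes a non-tainted computed string would be a slightly stronger check but is optional. The `test()` body begins in the first hunk and continues across the second, and `testSanitizers()` is cut by the last hunk.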