hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Exclude tel:, mailto: and similar URLs from the query.

Browse Source
This commit is contained in:
Geoffrey White
2024-08-12 18:43:10 +01:00
parent 897bfb5517
commit 446c992181
3 changed files with 44 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
View File

@@ -7,6 +7,7 @@ import swift
import codeql.swift.security.SensitiveExprs
import codeql.swift.dataflow.DataFlow
import codeql.swift.dataflow.ExternalFlow
import codeql.swift.dataflow.TaintTracking
/**
* A dataflow sink for cleartext transmission vulnerabilities. That is,
@@ -48,20 +49,45 @@ private class AlamofireTransmittedSink extends CleartextTransmissionSink {
}
}
/**
* A call to `URL.init`.
*/
private predicate urlInit(CallExpr urlInit, Expr withString) {
urlInit
.getStaticTarget()
.(Method)
.hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
urlInit.getArgument(0).getExpr() = withString
}
/**
* A data flow configuration for tracking string literals representing `tel:` and similar
* URLs to creation of URL objects.
*/
private module ExcludeUrlConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
node.asExpr()
.(StringLiteralExpr)
.getValue()
.regexpMatch("^(mailto|file|tel|telprompt|callto|sms):.*")
}
predicate isSink(DataFlow::Node node) { urlInit(_, node.asExpr()) }
}
private module ExcludeUrlFlow = TaintTracking::Global<ExcludeUrlConfig>;
/**
* A `URL` that is a sink for this query. Not all URLs are considered sinks, depending
* on their content.
*/
private class URLTransmittedSink extends CleartextTransmissionSink {
URLTransmittedSink() {
// sinks are the first argument containing the URL, and the `parameters`
// and `headers` arguments to appropriate methods of `Session`.
exists(CallExpr call |
call.getStaticTarget()
.(Method)
.hasQualifiedName("URL", ["init(string:)", "init(string:relativeTo:)"]) and
call.getArgument(0).getExpr() = this.asExpr()
)
private class UrlTransmittedSink extends CleartextTransmissionSink {
UrlTransmittedSink() {
urlInit(_, this.asExpr()) and
// exclude `tel:` and similar URLs. These URLs necessarily contain
// sensitive data which you expect to transmit only by making the
// phone call (or similar operation).
not ExcludeUrlFlow::flow(_, this)
}
}

32
swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
View File

@@ -33,15 +33,7 @@ edges
| testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | testURL.swift:105:6:105:10 | let ...? [some:0] | provenance | |
| testURL.swift:105:32:105:32 | data | testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | provenance | |
| testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | provenance | |
| testURL.swift:117:28:117:28 | email | testURL.swift:117:18:117:18 | "..." | provenance | |
| testURL.swift:118:53:118:53 | secret_key | testURL.swift:118:18:118:18 | "..." | provenance | |
| testURL.swift:119:60:119:60 | email | testURL.swift:119:18:119:18 | "..." | provenance | |
| testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | provenance | |
| testURL.swift:124:25:124:25 | phone_number | testURL.swift:124:18:124:18 | "..." | provenance | |
| testURL.swift:125:31:125:31 | phone_number | testURL.swift:125:18:125:18 | "..." | provenance | |
| testURL.swift:126:28:126:28 | phone_number | testURL.swift:126:18:126:18 | "..." | provenance | |
| testURL.swift:127:25:127:25 | phone_number | testURL.swift:127:18:127:18 | "..." | provenance | |
| testURL.swift:131:37:131:37 | account_no | testURL.swift:131:18:131:18 | "..." | provenance | |
| testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | provenance | |
nodes
| file://:0:0:0:0 | .value | semmle.label | .value |
@@ -103,24 +95,8 @@ nodes
| testURL.swift:106:20:106:20 | "..." | semmle.label | "..." |
| testURL.swift:116:18:116:18 | "..." | semmle.label | "..." |
| testURL.swift:116:52:116:52 | email | semmle.label | email |
| testURL.swift:117:18:117:18 | "..." | semmle.label | "..." |
| testURL.swift:117:28:117:28 | email | semmle.label | email |
| testURL.swift:118:18:118:18 | "..." | semmle.label | "..." |
| testURL.swift:118:53:118:53 | secret_key | semmle.label | secret_key |
| testURL.swift:119:18:119:18 | "..." | semmle.label | "..." |
| testURL.swift:119:60:119:60 | email | semmle.label | email |
| testURL.swift:123:18:123:18 | "..." | semmle.label | "..." |
| testURL.swift:123:52:123:52 | phone_number | semmle.label | phone_number |
| testURL.swift:124:18:124:18 | "..." | semmle.label | "..." |
| testURL.swift:124:25:124:25 | phone_number | semmle.label | phone_number |
| testURL.swift:125:18:125:18 | "..." | semmle.label | "..." |
| testURL.swift:125:31:125:31 | phone_number | semmle.label | phone_number |
| testURL.swift:126:18:126:18 | "..." | semmle.label | "..." |
| testURL.swift:126:28:126:28 | phone_number | semmle.label | phone_number |
| testURL.swift:127:18:127:18 | "..." | semmle.label | "..." |
| testURL.swift:127:25:127:25 | phone_number | semmle.label | phone_number |
| testURL.swift:131:18:131:18 | "..." | semmle.label | "..." |
| testURL.swift:131:37:131:37 | account_no | semmle.label | account_no |
| testURL.swift:132:18:132:18 | "..." | semmle.label | "..." |
| testURL.swift:132:39:132:39 | account_no | semmle.label | account_no |
subpaths
@@ -155,13 +131,5 @@ subpaths
| testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate |
| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) |
| testURL.swift:116:18:116:18 | "..." | testURL.swift:116:52:116:52 | email | testURL.swift:116:18:116:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:116:52:116:52 | email | email |
| testURL.swift:117:18:117:18 | "..." | testURL.swift:117:28:117:28 | email | testURL.swift:117:18:117:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:117:28:117:28 | email | email |
| testURL.swift:118:18:118:18 | "..." | testURL.swift:118:53:118:53 | secret_key | testURL.swift:118:18:118:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:118:53:118:53 | secret_key | secret_key |
| testURL.swift:119:18:119:18 | "..." | testURL.swift:119:60:119:60 | email | testURL.swift:119:18:119:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:119:60:119:60 | email | email |
| testURL.swift:123:18:123:18 | "..." | testURL.swift:123:52:123:52 | phone_number | testURL.swift:123:18:123:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:123:52:123:52 | phone_number | phone_number |
| testURL.swift:124:18:124:18 | "..." | testURL.swift:124:25:124:25 | phone_number | testURL.swift:124:18:124:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:124:25:124:25 | phone_number | phone_number |
| testURL.swift:125:18:125:18 | "..." | testURL.swift:125:31:125:31 | phone_number | testURL.swift:125:18:125:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:125:31:125:31 | phone_number | phone_number |
| testURL.swift:126:18:126:18 | "..." | testURL.swift:126:28:126:28 | phone_number | testURL.swift:126:18:126:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:126:28:126:28 | phone_number | phone_number |
| testURL.swift:127:18:127:18 | "..." | testURL.swift:127:25:127:25 | phone_number | testURL.swift:127:18:127:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:127:25:127:25 | phone_number | phone_number |
| testURL.swift:131:18:131:18 | "..." | testURL.swift:131:37:131:37 | account_no | testURL.swift:131:18:131:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:131:37:131:37 | account_no | account_no |
| testURL.swift:132:18:132:18 | "..." | testURL.swift:132:39:132:39 | account_no | testURL.swift:132:18:132:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:132:39:132:39 | account_no | account_no |

16
swift/ql/test/query-tests/Security/CWE-311/testURL.swift
View File

@@ -114,20 +114,20 @@ func test5() {
let secret_key = get_string()
_ = URL(string: "http://example.com/login?email=\(email)"); // BAD
_ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected) [FALSE POSITIVE]
_ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD
_ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD [FALSE POSITIVE]
_ = URL(string: "mailto:\(email)"); // GOOD (revealing your e-amil address in an e-mail is expected)
_ = URL(string: "mailto:info@example.com?subject=\(secret_key)"); // BAD [NOT DETECTED]
_ = URL(string: "mailto:info@example.com?subject=foo&cc=\(email)"); // GOOD
let phone_number = get_string()
_ = URL(string: "http://example.com/profile?tel=\(phone_number)"); // BAD
_ = URL(string: "tel:\(phone_number)") // GOOD [FALSE POSITIVE]
_ = URL(string: "telprompt:\(phone_number)") // GOOD [FALSE POSITIVE]
_ = URL(string: "callto:\(phone_number)") // GOOD [FALSE POSITIVE]
_ = URL(string: "sms:\(phone_number)") // GOOD [FALSE POSITIVE]
_ = URL(string: "tel:\(phone_number)") // GOOD
_ = URL(string: "telprompt:\(phone_number)") // GOOD
_ = URL(string: "callto:\(phone_number)") // GOOD
_ = URL(string: "sms:\(phone_number)") // GOOD
let account_no = get_string()
_ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted) [FALSE POSITIVE]
_ = URL(string: "file:///foo/bar/\(account_no).csv") // GOOD (local, so not transmitted)
_ = URL(string: "ftp://example.com/\(account_no).csv") // BAD
}