hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17127 from geoffw0/swiftsql

Browse Source 
Swift: Improve doc for swift/sql-injection
This commit is contained in:
Geoffrey White
2024-08-02 16:14:57 +01:00
committed by GitHub
parent 6a49647a28 e66cd05f96
commit 9794309d2e
3 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp
View File

@@ -12,13 +12,13 @@ If a database query (such as a SQL query) is built from user-provided data witho
<recommendation> <recommendation>
<p> <p>
Most database connector libraries offer a way to safely embed untrusted data into a query using query parameters or prepared statements. You should use these features to build queries, rather than string concatenation or similar methods without sufficient sanitization. Most database connector libraries offer a way to safely embed untrusted data into a query using query parameters or prepared statements. You should use these features to build queries, rather than string concatenation or similar methods. You can also escape (sanitize) user-controlled strings so that they can be included directly in an SQL command. A library function should be used for escaping, because this approach is only safe if the escaping function is robust against all possible inputs.
</p> </p>
</recommendation> </recommendation>
<example> <example>
<p>In the following example, a SQL query is prepared using string interpolation to directly include a user-controlled value <code>userControlledString</code> in the query. An attacker could craft <code>userControlledString</code> to change the overall meaning of the SQL query. <p>In the following examples, an SQL query is prepared using string interpolation to directly include a user-controlled value <code>userControlledString</code> in the query. An attacker could craft <code>userControlledString</code> to change the overall meaning of the SQL query.
</p> </p>
<sample src="SqlInjectionBad.swift" /> <sample src="SqlInjectionBad.swift" />
@@ -35,4 +35,4 @@ Most database connector libraries offer a way to safely embed untrusted data int
<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li> <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li>
</references> </references>
</qhelp> </qhelp>

13
swift/ql/src/queries/Security/CWE-089/SqlInjectionBad.swift
View File

@@ -1,3 +1,12 @@
let unsafeQuery = "SELECT * FROM users WHERE username='\(userControlledString)'" // BAD // with SQLite.swift
try db.execute(unsafeQuery) let unsafeQuery = "SELECT * FROM users WHERE username='\(userControlledString)'"
try db.execute(unsafeQuery) // BAD
let stmt = try db.prepare(unsafeQuery) // also BAD
try stmt.run()
// with SQLite3 C API
let result = sqlite3_exec(db, unsafeQuery, nil, nil, nil) // BAD

17
swift/ql/src/queries/Security/CWE-089/SqlInjectionGood.swift
View File

@@ -1,4 +1,19 @@
// with SQLite.swift
let safeQuery = "SELECT * FROM users WHERE username=?" let safeQuery = "SELECT * FROM users WHERE username=?"
let stmt = try db.prepare(safeQuery, userControlledString) // GOOD let stmt = try db.prepare(safeQuery, userControlledString) // GOOD
try stmt2.run() try stmt.run()
// with sqlite3 C API
var stmt2: OpaquePointer?
if (sqlite3_prepare_v2(db, safeQuery, -1, &stmt2, nil) == SQLITE_OK) {
if (sqlite3_bind_text(stmt2, 1, userControlledString, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // GOOD
let result = sqlite3_step(stmt2)
// ...
}
sqlite3_finalize(stmt2)
}