Merge pull request #11670 from atorralba/atorralba/swift/predicate-injection

Swift: Add predicate injection query
2026-05-05 13:45:19 +02:00 · 2023-01-09 08:54:13 +00:00
parent 5b117084db 30aa9b230c
commit 9be9636816
10 changed files with 200 additions and 0 deletions
--- a/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.expected
+++ b/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.expected
--- a/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.ql
+++ b/swift/ql/test/query-tests/Security/CWE-946/PredicateInjectionTest.ql
@@ -0,0 +1,23 @@
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.PredicateInjectionQuery
+import TestUtilities.InlineExpectationsTest
+
+class PredicateInjectionTest extends InlineExpectationsTest {
+  PredicateInjectionTest() { this = "PredicateInjectionTest" }
+
+  override string getARelevantTag() { result = "hasPredicateInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(
+      PredicateInjectionConf config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr
+    |
+      config.hasFlow(source, sink) and
+      sinkExpr = sink.asExpr() and
+      location = sinkExpr.getLocation() and
+      element = sinkExpr.toString() and
+      tag = "hasPredicateInjection" and
+      value = source.asExpr().getLocation().getStartLine().toString()
+    )
+  }
+}
--- a/swift/ql/test/query-tests/Security/CWE-946/predicateInjection.swift
+++ b/swift/ql/test/query-tests/Security/CWE-946/predicateInjection.swift
@@ -0,0 +1,38 @@
+// --- stubs ---
+struct URL {
+	init?(string: String) {}
+}
+
+extension String {
+	init(contentsOf: URL) {
+        let data = ""
+        self.init(data)
+    }
+}
+
+class NSPredicate {
+    init(format: String, argumentArray: [Any]?) {}
+    init(format: String, arguments: CVaListPointer) {}
+    init(format: String, _: CVarArg...) {}
+    init?(fromMetadataQueryString: String) {}
+}
+
+// --- tests ---
+
+func test() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let safeString = "safe"
+
+    NSPredicate(format: remoteString, argumentArray: []) // $ hasPredicateInjection=23
+    NSPredicate(format: safeString, argumentArray: []) // Safe
+    NSPredicate(format: safeString, argumentArray: [remoteString]) // Safe
+    NSPredicate(format: remoteString, arguments: CVaListPointer(_fromUnsafeMutablePointer: UnsafeMutablePointer(bitPattern: 0)!)) // $ hasPredicateInjection=23
+    NSPredicate(format: safeString, arguments: CVaListPointer(_fromUnsafeMutablePointer: UnsafeMutablePointer(bitPattern: 0)!)) // Safe
+    NSPredicate(format: remoteString) // $ hasPredicateInjection=23
+    NSPredicate(format: safeString) // Safe
+    NSPredicate(format: remoteString, "" as! CVarArg) // $ hasPredicateInjection=23
+    NSPredicate(format: safeString, "" as! CVarArg) // Safe
+    NSPredicate(format: safeString, remoteString as! CVarArg) // Safe
+    NSPredicate(fromMetadataQueryString: remoteString) // $ hasPredicateInjection=23
+    NSPredicate(fromMetadataQueryString: safeString) // Safe
+}