Add more path injection sinks

2026-04-30 19:26:02 +02:00 · 2022-12-19 18:03:21 +01:00
parent 5d54482c71
commit c115a9fee4
2 changed files with 128 additions and 67 deletions
--- a/swift/ql/lib/codeql/swift/security/PathInjection.qll
+++ b/swift/ql/lib/codeql/swift/security/PathInjection.qll
@@ -105,6 +105,15 @@ private class PathInjectionSinks extends SinkModelCsv {
        ";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
        ";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
        ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection",
+        ";NSString;true;write(to:atomically:encoding:);;;Argument[0];path-injection",
+        ";NSString;true;write(toFile:atomically:encoding:);;;Argument[0];path-injection",
+        ";NSKeyedUnarchiver;true;unarchiveObject(withFile:);;;Argument[0];path-injection",
+        ";ArchiveByteStream;true;fileStream(fd:automaticClose:);;;Argument[0];path-injection",
+        ";ArchiveByteStream;true;withFileStream(fd:automaticClose:_:);;;Argument[0];path-injection",
+        ";ArchiveByteStream;true;fileStream(path:mode:options:permissions:);;;Argument[0];path-injection",
+        ";ArchiveByteStream;true;withFileStream(path:mode:options:permissions:_:);;;Argument[0];path-injection",
+        ";Bundle;true;init(url:);;;Argument[0];path-injection",
+        ";Bundle;true;init(path:);;;Argument[0];path-injection",
        // GRDB
        ";Database;true;init(path:description:configuration:);;;Argument[0];path-injection",
        ";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
--- a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
+++ b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -15,6 +15,11 @@ extension String {
    }
 }

+class NSString {
+    func write(toFile: String, atomically: Bool, encoding: UInt) {}
+    func write(to: URL, atomically: Bool, encoding: UInt) {}
+}
+
 class Data {
    struct WritingOptions : OptionSet { let rawValue: Int }
    init<S>(_ elements: S) {}
@@ -29,6 +34,10 @@ class NSData {
    func write(toFile: String, options: NSData.WritingOptions) {}
 }

+class NSKeyedUnarchiver {
+    func unarchiveObject(withFile: String) -> Any? { return nil }
+}
+
 struct URLResourceKey {}

 struct FileAttributeKey : Hashable {}
@@ -37,9 +46,10 @@ struct ObjCBool {}

 struct AutoreleasingUnsafeMutablePointer<Pointee> {}

-struct FilePath {
+struct FilePath : ExpressibleByStringLiteral {
+    typealias StringLiteralType = String
    init(stringLiteral: String) {}
-    func lexicallyNormalized() -> FilePath { return FilePath(stringLiteral: "") }
+    func lexicallyNormalized() -> FilePath { return "" }
    func starts(with: FilePath) -> Bool { return false }
 }

@@ -91,6 +101,38 @@ class FileManager {
    func replaceItemAtURL(originalItemURL: NSURL, withItemAtURL: NSURL, backupItemName: String?, options: FileManager.ItemReplacementOptions) -> NSURL? { return nil }
 }

+struct FileDescriptor {
+    struct AccessMode : RawRepresentable {
+        static let readOnly = AccessMode(rawValue: 0)
+        let rawValue: UInt8
+        init(rawValue: UInt8) { self.rawValue = rawValue}
+    }
+
+    struct OpenOptions : RawRepresentable {
+        static let append = OpenOptions(rawValue: 0)
+        let rawValue: UInt8
+        init(rawValue: UInt8) { self.rawValue = rawValue}
+    }
+}
+
+struct FilePermissions : RawRepresentable {
+    static let ownerRead = FilePermissions(rawValue: 0)
+    let rawValue: UInt8
+    init(rawValue: UInt8) { self.rawValue = rawValue}
+}
+
+class ArchiveByteStream {
+    static func fileStream(fd: FileDescriptor, automaticClose: Bool = true) -> ArchiveByteStream? { return nil }
+    static func withFileStream<E>(fd: FileDescriptor, automaticClose: Bool = true, _ body: (ArchiveByteStream) -> E) -> E { return body(ArchiveByteStream()) }
+    static func fileStream(path: FilePath, mode: FileDescriptor.AccessMode, options: FileDescriptor.OpenOptions, permissions: FilePermissions) -> ArchiveByteStream? { return nil }
+    static func withFileStream<E>(path: FilePath, mode: FileDescriptor.AccessMode, options: FileDescriptor.OpenOptions, permissions: FilePermissions, _ body: (ArchiveByteStream) -> E) -> E { return body(ArchiveByteStream()) }
+}
+
+class Bundle {
+    init?(url: URL) {}
+    init?(path: String) {}
+}
+
 // GRDB

 struct Configuration {}
@@ -124,81 +166,91 @@ func test() {
    let safeUrl =  URL(string: "")!
    let safeNsUrl = NSURL(string: "")!

-    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=121
+    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=163

    let nsData = NSData()
-    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=121
-    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=121
-    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=121
-    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=121
+    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=163
+    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=163
+    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=163
+    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=163

    let fm = FileManager()
-    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=121
-    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=121
-    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=121
-    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=121
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
-    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=121
-    fm.removeItem(at: remoteUrl) // $ hasPathInjection=121
-    fm.removeItem(atPath: remoteString) // $ hasPathInjection=121
-    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
-    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
-    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
-    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
-    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
-    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
-    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
-    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
-    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
-    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
-    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
-    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
-    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
-    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=121
-    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=121
-    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=121
-    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=121
-    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
-    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
-    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
-    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=121
-    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=121
-    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=121
-    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=121
+    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=163
+    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=163
+    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=163
+    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=163
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=163
+    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=163
+    fm.removeItem(at: remoteUrl) // $ hasPathInjection=163
+    fm.removeItem(atPath: remoteString) // $ hasPathInjection=163
+    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
+    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
+    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
+    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
+    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=163
+    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
+    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
+    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
+    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
+    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
+    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
+    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
+    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
+    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=163
+    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=163
+    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=163
+    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=163
+    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=163
+    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=163
+    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=163
+    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=163
+    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=163
+    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=163
+    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=163
    // Deprecated methods
-    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
-    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=121
-    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=121
-    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
-    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
-    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
+    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=163
+    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=163
+    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=163
+    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=163
+    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=163
+    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=163

-    let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=121
+    NSString().write(to: remoteUrl, atomically: true, encoding: 0)  // $ hasPathInjection=163
+    NSString().write(toFile: remoteString, atomically: true, encoding: 0) // $ hasPathInjection=163
+    let _ = NSKeyedUnarchiver().unarchiveObject(withFile: remoteString) // $ hasPathInjection=163
+    let _ = ArchiveByteStream.fileStream(fd: remoteString as! FileDescriptor, automaticClose: true) // $ hasPathInjection=163
+    ArchiveByteStream.withFileStream(fd: remoteString as! FileDescriptor, automaticClose: true) { _ in } // $ hasPathInjection=163
+    let _ = ArchiveByteStream.fileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) // $ hasPathInjection=163
+    ArchiveByteStream.withFileStream(path: FilePath(stringLiteral: remoteString), mode: .readOnly, options: .append, permissions: .ownerRead) { _ in } // $ hasPathInjection=163
+    let _ = Bundle(url: remoteUrl) // $ hasPathInjection=163
+    let _ = Bundle(path: remoteString) // $ hasPathInjection=163
+
+    let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=163
    let _ = Database(path: "", description: "", configuration: Configuration()) // Safe
-    let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
    let _ = DatabasePool(path: "", configuration: Configuration()) // Safe
-    let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
    let _ = DatabaseQueue(path: "", configuration: Configuration()) // Safe
-    let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=163
    let _ = DatabaseSnapshotPool(path: "", configuration: Configuration()) // Safe
-    let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=163
    let _ = SerializedDatabase(path: "", defaultLabel: "") // Safe
-    let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=163
    let _ = SerializedDatabase(path: "", defaultLabel: "", purpose: nil) // Safe
-    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=163
    let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "") // Safe
-    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=163
    let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "", purpose: nil) // Safe
 }

@@ -208,8 +260,8 @@ func testSanitizers() {
    let fm = FileManager()

    let filePath = FilePath(stringLiteral: remoteString)
-    if (filePath.lexicallyNormalized().starts(with: FilePath(stringLiteral: "/safe"))) {
-        fm.contents(atPath: remoteString) // Safe
+    if (filePath.lexicallyNormalized().starts(with: "/safe")) {
+        let _ = fm.contents(atPath: remoteString) // Safe
    }
-    fm.contents(atPath: remoteString) // $ hasPathInjection=206
+    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=258
 }