hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 15:25:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Rewrite UncontrolledFormatString to use DataFlow::ConfigSig

Browse Source
This commit is contained in:
Jeroen Ketema
2023-04-03 16:21:44 +02:00
parent 0ff607c930
commit db641e508a
2 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
View File

@@ -13,7 +13,7 @@ import codeql.swift.security.UncontrolledFormatStringExtensions
/**
* A taint configuration for tainted data that reaches a format string.
*/
class TaintedFormatConfiguration extends TaintTracking::Configuration {
deprecated class TaintedFormatConfiguration extends TaintTracking::Configuration {
TaintedFormatConfiguration() { this = "TaintedFormatConfiguration" }
override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -28,3 +28,25 @@ class TaintedFormatConfiguration extends TaintTracking::Configuration {
any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
}
}
/**
* A taint configuration for tainted data that reaches a format string.
*/
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
predicate isSink(DataFlow::Node node) { node instanceof UncontrolledFormatStringSink }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer instanceof UncontrolledFormatStringSanitizer
}
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(UncontrolledFormatStringAdditionalTaintStep s).step(nodeFrom, nodeTo)
}
}
/**
* Detect taint flow of tainted data that reaches a format string.
*/
module TaintedFormatFlow = TaintTracking::Global<TaintedFormatConfig>;

6
swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
View File

@@ -13,9 +13,9 @@
import swift
import codeql.swift.dataflow.DataFlow
import codeql.swift.security.UncontrolledFormatStringQuery
import DataFlow::PathGraph
import TaintedFormatFlow::PathGraph
from TaintedFormatConfiguration config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
where config.hasFlowPath(sourceNode, sinkNode)
from TaintedFormatFlow::PathNode sourceNode, TaintedFormatFlow::PathNode sinkNode
where TaintedFormatFlow::flowPath(sourceNode, sinkNode)
select sinkNode.getNode(), sourceNode, sinkNode, "This format string depends on $@.",
sourceNode.getNode(), "this user-provided value"