Swift: Fix sqlite3_temp_directory sink.

2026-04-26 09:15:12 +02:00 · 2023-07-11 16:13:53 +01:00
parent 0973fb33b9
commit ebb379f08c
2 changed files with 15 additions and 2 deletions
--- a/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll
@@ -33,6 +33,20 @@ private class DefaultPathInjectionSink extends PathInjectionSink {
  DefaultPathInjectionSink() { sinkNode(this, "path-injection") }
 }

+/**
+ * A sink that is a write to a global variable.
+ */
+private class GlobalVariablePathInjectionSink extends PathInjectionSink {
+  GlobalVariablePathInjectionSink() {
+    // value assigned to global variable `sqlite3_temp_directory`
+    // the sink should be the `DeclRefExpr` itself, but we don't currently have taint flow to globals.
+    exists(AssignExpr ae |
+      ae.getDest().(DeclRefExpr).getDecl().(VarDecl).getName() = "sqlite3_temp_directory" and
+      ae.getSource() = this.asExpr()
+    )
+  }
+}
+
 private class DefaultPathInjectionBarrier extends PathInjectionBarrier {
  DefaultPathInjectionBarrier() {
    // This is a simplified implementation.
@@ -139,7 +153,6 @@ private class PathInjectionSinks extends SinkModelCsv {
        ";;false;sqlite3_filename_journal(_:);;;Argument[0];path-injection",
        ";;false;sqlite3_filename_wal(_:);;;Argument[0];path-injection",
        ";;false;sqlite3_free_filename(_:);;;Argument[0];path-injection",
-        ";;false;sqlite3_temp_directory;;;PostUpdate;path-injection",
        // SQLite.swift
        ";Connection.Location.uri;true;init(_:parameters:);;;Argument[0];path-injection",
        ";Connection;true;init(_:readonly:);;;Argument[0];path-injection",
--- a/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
+++ b/swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift
@@ -382,7 +382,7 @@ func test(buffer1: UnsafeMutablePointer<UInt8>, buffer2: UnsafeMutablePointer<UI
    _ = sqlite3_open_v2(remoteString, &db, 0, nil) // $ hasPathInjection=253

    sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: "myFile.sqlite3").utf8String) // GOOD
-    sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ MISSING: hasPathInjection=253
+    sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ hasPathInjection=253

    // SQLite.swift