Swift: Corrections.

This commit is contained in:
Geoffrey White
2022-12-01 19:16:40 +00:00
parent 157a7829ca
commit f7ebd1312e
6 changed files with 21 additions and 22 deletions


@@ -1,8 +1,8 @@
/**
* Provides a taint-tracking configuration for reasoning about uncontrolled format string
* vulnerabilities.
* Provides a taint-tracking configuration for reasoning about uncontrolled
* format string vulnerabilities.
*/
import swift
import codeql.swift.StringFormat
import codeql.swift.dataflow.DataFlow


@@ -4,16 +4,15 @@
<qhelp>
<overview>
<p>
Passing untrusted format strings to functions that use <code>printf</code> style formatting can lead to buffer overflows and data representation problems. An attacker can exploit this weakness to crash the program or obtain sensitive information from its internal state.</p>
</p>
Passing untrusted format strings to functions that use <code>printf</code> style formatting can lead to buffer overflows and data representation problems. An attacker may be able to exploit this weakness to crash the program or obtain sensitive information from its internal state.</p>
</overview>
<recommendation>
<p>Use a string literal for the format string to prevent the possibility of data flow from
<p>Use a constant string literal for the format string to prevent the possibility of data flow from
an untrusted source. This also helps to prevent errors where the format arguments do not match the format string.</p>
<p>If the format string cannot be constant, ensure that it comes from a secure data source or is compiled into the source code. If you need to include a value from the user, use the <code>%@</code> specifier in the format string and include that value as a format argument.
<p>If the format string cannot be constant, ensure that it comes from a secure data source or is compiled into the source code. If you need to include a string value from the user, use an appropriate specifier (such as <code>%@</code>) in the format string and include the user provided value as a format argument.
</p>
</recommendation>
@@ -21,11 +20,11 @@ an untrusted source. This also helps to prevent errors where the format argument
<p>In this example, the format string includes a user-controlled <code>inputString</code>:</p>
<sample src="UncontrolledFormatStringBad.cs" />
<sample src="UncontrolledFormatStringBad.swift" />
<p>To fix it, make <code>inputString</code> a format argument rather than part of the format string, as in the following code:</p>
<sample src="UncontrolledFormatStringGood.cs" />
<sample src="UncontrolledFormatStringGood.swift" />
</example>
<references>


@@ -17,5 +17,5 @@ import DataFlow::PathGraph
from TaintedFormatConfiguration config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
where config.hasFlowPath(sourceNode, sinkNode)
select sinkNode.getNode(), sourceNode, sinkNode, "This format string is derived from a $@.",
sourceNode.getNode(), "user-provided value"
select sinkNode.getNode(), sourceNode, sinkNode, "This format string depends on $@.",
sourceNode.getNode(), "a user-provided value"


@@ -21,12 +21,12 @@ nodes
| UncontrolledFormatString.swift:89:61:89:61 | tainted | semmle.label | tainted |
subpaths
#select
| UncontrolledFormatString.swift:68:28:68:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:68:28:68:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:71:28:71:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:71:28:71:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:72:28:72:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:72:28:72:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:74:28:74:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:74:28:74:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:75:28:75:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:75:28:75:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:76:28:76:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:76:28:76:28 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:77:46:77:46 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:77:46:77:46 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:86:11:86:11 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:86:11:86:11 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:89:61:89:61 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:89:61:89:61 | tainted | This format string is derived from a $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | user-provided value |
| UncontrolledFormatString.swift:68:28:68:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:68:28:68:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:71:28:71:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:71:28:71:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:72:28:72:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:72:28:72:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:74:28:74:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:74:28:74:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:75:28:75:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:75:28:75:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:76:28:76:28 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:76:28:76:28 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:77:46:77:46 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:77:46:77:46 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:86:11:86:11 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:86:11:86:11 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |
| UncontrolledFormatString.swift:89:61:89:61 | tainted | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) : | UncontrolledFormatString.swift:89:61:89:61 | tainted | This format string depends on $@. | UncontrolledFormatString.swift:62:24:62:77 | call to init(contentsOf:) | a user-provided value |


@@ -3,7 +3,7 @@
struct URL
{
init?(string: String) {}
init?(string: String) {}
}
struct Locale {
@@ -12,7 +12,7 @@ struct Locale {
extension String : CVarArg {
public var _cVarArgEncoding: [Int] { get { return [] } }
init(contentsOf: URL) throws { self.init() }
init(contentsOf: URL) throws { self.init() }
init(format: String, _ arguments: CVarArg...) { self.init() }
init(format: String, arguments: [CVarArg]) { self.init() }
init(format: String, locale: Locale?, _ args: CVarArg...) { self.init() }