Merge pull request #11785 from atorralba/atorralba/swift/grdb-sinks

Swift: Add sinks for the GRDB library

Author: atorralba

swift/ql/lib/codeql/swift/security/PathInjection.qll

@@ -104,7 +104,13 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";FileManager;true;replaceItemAtURL(originalItemURL:withItemAtURL:backupItemName:options:);;;Argument[0..1];path-injection",
         ";NIOFileHandle;true;init(descriptor:);;;Argument[0];path-injection",
         ";NIOFileHandle;true;init(path:mode:flags:);;;Argument[0];path-injection",
-        ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection"
+        ";NIOFileHandle;true;init(path:);;;Argument[0];path-injection",
+        // GRDB
+        ";Database;true;init(path:description:configuration:);;;Argument[0];path-injection",
+        ";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
+        ";DatabaseQueue;true;init(path:configuration:);;;Argument[0];path-injection",
+        ";DatabaseSnapshotPool;true;init(path:configuration:);;;Argument[0];path-injection",
+        ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection"
       ]
   }
 }

swift/ql/src/queries/Security/CWE-089/SqlInjection.ql

@@ -63,6 +63,80 @@ class SQLiteSwiftSqlSink extends SqlSink {
   }
 }
 
+/** A sink for the GRDB library. */
+class GrdbSqlSink extends SqlSink {
+  GrdbSqlSink() {
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(0).getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName("Database",
+            [
+              "allStatements(sql:arguments:)", "cachedStatement(sql:)",
+              "internalCachedStatement(sql:)", "execute(sql:arguments:)", "makeStatement(sql:)",
+              "makeStatement(sql:prepFlags:)"
+            ])
+      or
+      method
+          .hasQualifiedName("SQLRequest",
+            [
+              "init(stringLiteral:)", "init(unicodeScalarLiteral:)",
+              "init(extendedGraphemeClusterLiteral:)", "init(stringInterpolation:)",
+              "init(sql:arguments:adapter:cached:)"
+            ])
+      or
+      method
+          .hasQualifiedName("SQL",
+            [
+              "init(stringLiteral:)", "init(unicodeScalarLiteral:)",
+              "init(extendedGraphemeClusterLiteral:)", "init(stringInterpolation:)",
+              "init(sql:arguments:)", "append(sql:arguments:)"
+            ])
+      or
+      method
+          .hasQualifiedName("TableDefinition", ["column(sql:)", "check(sql:)", "constraint(sql:)"])
+      or
+      method.hasQualifiedName("TableAlteration", "addColumn(sql:)")
+      or
+      method
+          .hasQualifiedName("ColumnDefinition",
+            ["check(sql:)", "defaults(sql:)", "generatedAs(sql:_:)"])
+      or
+      method
+          .hasQualifiedName("TableRecord",
+            [
+              "select(sql:arguments:)", "select(sql:arguments:as:)", "filter(sql:arguments:)",
+              "order(sql:arguments:)"
+            ])
+      or
+      method.hasQualifiedName("StatementCache", "statement(_:)")
+    )
+    or
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(1).getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName(["Row", "DatabaseValueConvertible"],
+            [
+              "fetchCursor(_:sql:arguments:adapter:)", "fetchAll(_:sql:arguments:adapter:)",
+              "fetchSet(_:sql:arguments:adapter:)", "fetchOne(_:sql:arguments:adapter:)"
+            ])
+      or
+      method.hasQualifiedName("SQLStatementCursor", "init(database:sql:arguments:prepFlags:)")
+    )
+    or
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(3).getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName("CommonTableExpression", "init(recursive:named:columns:sql:arguments:)")
+    )
+  }
+}
+
 /**
  * A taint configuration for tainted data that reaches a SQL sink.
  */

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql

@@ -56,6 +56,61 @@ class RealmStore extends Stored instanceof DataFlow::PostUpdateNode {
   }
 }
 
+/**
+ * A `DataFlow::Node` that is an expression stored with the GRDB library.
+ */
+class GrdbStore extends Stored {
+  GrdbStore() {
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgumentWithLabel("arguments").getExpr() = this.asExpr()
+    |
+      method
+          .hasQualifiedName("Database",
+            ["allStatements(sql:arguments:)", "execute(sql:arguments:)",])
+      or
+      method.hasQualifiedName("SQLRequest", "init(sql:arguments:adapter:cached:)")
+      or
+      method.hasQualifiedName("SQL", ["init(sql:arguments:)", "append(sql:arguments:)"])
+      or
+      method.hasQualifiedName("SQLStatementCursor", "init(database:sql:arguments:prepFlags:)")
+      or
+      method
+          .hasQualifiedName("TableRecord",
+            [
+              "select(sql:arguments:)", "select(sql:arguments:as:)", "filter(sql:arguments:)",
+              "order(sql:arguments:)"
+            ])
+      or
+      method
+          .hasQualifiedName(["Row", "DatabaseValueConvertible", "FetchableRecord"],
+            [
+              "fetchCursor(_:sql:arguments:adapter:)", "fetchAll(_:sql:arguments:adapter:)",
+              "fetchSet(_:sql:arguments:adapter:)", "fetchOne(_:sql:arguments:adapter:)"
+            ])
+      or
+      method
+          .hasQualifiedName("FetchableRecord",
+            [
+              "fetchCursor(_:arguments:adapter:)", "fetchAll(_:arguments:adapter:)",
+              "fetchSet(_:arguments:adapter:)", "fetchOne(_:arguments:adapter:)",
+            ])
+      or
+      method.hasQualifiedName("Statement", ["execute(arguments:)"])
+      or
+      method
+          .hasQualifiedName("CommonTableExpression", "init(recursive:named:columns:sql:arguments:)")
+    )
+    or
+    exists(CallExpr call, MethodDecl method |
+      call.getStaticTarget() = method and
+      call.getArgument(0).getExpr() = this.asExpr()
+    |
+      method.hasQualifiedName("Statement", "setArguments(_:)")
+    )
+  }
+}
+
 /**
  * A taint configuration from sensitive information to expressions that are
  * transmitted over a network.
@@ -77,6 +132,14 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
     node.asExpr() instanceof EncryptedExpr
   }
 
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Needed until we have proper content flow through arrays
+    exists(ArrayExpr arr |
+      node1.asExpr() = arr.getAnElement() and
+      node2.asExpr() = arr
+    )
+  }
+
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
     // flow out from fields of a `RealmSwiftObject` at the sink, for example in
     // `realmObj.data = sensitive`.

swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift

@@ -91,6 +91,30 @@ class FileManager {
     func replaceItemAtURL(originalItemURL: NSURL, withItemAtURL: NSURL, backupItemName: String?, options: FileManager.ItemReplacementOptions) -> NSURL? { return nil }
 }
 
+// GRDB
+
+struct Configuration {}
+
+class Database {
+    init(path: String, description: String, configuration: Configuration) {}
+}
+
+class DatabasePool {
+    init(path: String, configuration: Configuration) {}
+}
+
+class DatabaseQueue {
+    init(path: String, configuration: Configuration) {}
+}
+
+class DatabaseSnapshotPool {
+    init(path: String, configuration: Configuration) {}
+}
+
+class SerializedDatabase {
+    init(path: String, configuration: Configuration = Configuration(), defaultLabel: String, purpose: String? = nil) {}
+}
+
 // --- tests ---
 
 func test() {
@@ -100,65 +124,82 @@ func test() {
     let safeUrl =  URL(string: "")!
     let safeNsUrl = NSURL(string: "")!
 
-    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=97
+    Data("").write(to: remoteUrl, options: []) // $ hasPathInjection=121
 
     let nsData = NSData()
-    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=97
-    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=97
-    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=97
-    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=97
+    let _ = nsData.write(to: remoteUrl, atomically: false) // $ hasPathInjection=121
+    nsData.write(to: remoteUrl, options: []) // $ hasPathInjection=121
+    let _ = nsData.write(toFile: remoteString, atomically: false) // $ hasPathInjection=121
+    nsData.write(toFile: remoteString, options: []) // $ hasPathInjection=121
 
     let fm = FileManager()
-    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=97
-    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=97
-    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=97
-    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=97
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=97
-    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=97
-    fm.removeItem(at: remoteUrl) // $ hasPathInjection=97
-    fm.removeItem(atPath: remoteString) // $ hasPathInjection=97
-    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
-    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
-    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
-    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
-    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=97
-    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
-    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
-    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
-    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
-    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
-    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
-    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
-    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
-    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=97
-    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=97
-    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=97
-    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=97
-    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=97
-    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=97
-    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=97
-    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=97
-    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=97
-    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=97
-    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=97
+    let _ = fm.contentsOfDirectory(at: remoteUrl, includingPropertiesForKeys: [], options: []) // $ hasPathInjection=121
+    let _ = fm.contentsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.enumerator(at: remoteUrl, includingPropertiesForKeys: [], options: [], errorHandler: nil) // $ hasPathInjection=121
+    let _ = fm.enumerator(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.subpathsOfDirectory(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.subpaths(atPath: remoteString) // $ hasPathInjection=121
+    fm.createDirectory(at: remoteUrl, withIntermediateDirectories: false, attributes: [:]) // $ hasPathInjection=121
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
+    let _ = fm.createFile(atPath: remoteString, contents: nil, attributes: [:]) // $ hasPathInjection=121
+    fm.removeItem(at: remoteUrl) // $ hasPathInjection=121
+    fm.removeItem(atPath: remoteString) // $ hasPathInjection=121
+    fm.trashItem(at: remoteUrl, resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
+    let _ = fm.replaceItemAt(remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
+    let _ = fm.replaceItemAt(safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
+    fm.replaceItem(at: remoteUrl, withItemAt: safeUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
+    fm.replaceItem(at: safeUrl, withItemAt: remoteUrl, backupItemName: nil, options: [], resultingItemURL: AutoreleasingUnsafeMutablePointer<NSURL?>()) // $ hasPathInjection=121
+    fm.copyItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
+    fm.copyItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
+    fm.copyItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
+    fm.copyItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
+    fm.moveItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
+    fm.moveItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
+    fm.moveItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
+    fm.moveItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
+    fm.createSymbolicLink(at: remoteUrl, withDestinationURL: safeUrl) // $ hasPathInjection=121
+    fm.createSymbolicLink(at: safeUrl, withDestinationURL: remoteUrl) // $ hasPathInjection=121
+    fm.createSymbolicLink(atPath: remoteString, withDestinationPath: "") // $ hasPathInjection=121
+    fm.createSymbolicLink(atPath: "", withDestinationPath: remoteString) // $ hasPathInjection=121
+    fm.linkItem(at: remoteUrl, to: safeUrl) // $ hasPathInjection=121
+    fm.linkItem(at: safeUrl, to: remoteUrl) // $ hasPathInjection=121
+    fm.linkItem(atPath: remoteString, toPath: "") // $ hasPathInjection=121
+    fm.linkItem(atPath: "", toPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.destinationOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.fileExists(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.fileExists(atPath: remoteString, isDirectory: UnsafeMutablePointer<ObjCBool>.init(bitPattern: 0)) // $ hasPathInjection=121
+    fm.setAttributes([:], ofItemAtPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.contents(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.contentsEqual(atPath: remoteString, andPath: "") // $ hasPathInjection=121
+    let _ = fm.contentsEqual(atPath: "", andPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.changeCurrentDirectoryPath(remoteString) // $ hasPathInjection=121
+    let _ = fm.unmountVolume(at: remoteUrl, options: [], completionHandler: { _ in }) // $ hasPathInjection=121
     // Deprecated methods
-    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=97
-    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=97
-    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=97
-    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=97
-    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
-    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=97
+    let _ = fm.changeFileAttributes([:], atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.directoryContents(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.createDirectory(atPath: remoteString, attributes: [:]) // $ hasPathInjection=121
+    let _ = fm.createSymbolicLink(atPath: remoteString, pathContent: "") // $ hasPathInjection=121
+    let _ = fm.createSymbolicLink(atPath: "", pathContent: remoteString) // $ hasPathInjection=121
+    let _ = fm.pathContentOfSymbolicLink(atPath: remoteString) // $ hasPathInjection=121
+    let _ = fm.replaceItemAtURL(originalItemURL: remoteNsUrl, withItemAtURL: safeNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
+    let _ = fm.replaceItemAtURL(originalItemURL: safeNsUrl, withItemAtURL: remoteNsUrl, backupItemName: nil, options: []) // $ hasPathInjection=121
+
+    let _ = Database(path: remoteString, description: "", configuration: Configuration()) // $ hasPathInjection=121
+    let _ = Database(path: "", description: "", configuration: Configuration()) // Safe
+    let _ = DatabasePool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabasePool(path: "", configuration: Configuration()) // Safe
+    let _ = DatabaseQueue(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabaseQueue(path: "", configuration: Configuration()) // Safe
+    let _ = DatabaseSnapshotPool(path: remoteString, configuration: Configuration()) // $ hasPathInjection=121
+    let _ = DatabaseSnapshotPool(path: "", configuration: Configuration()) // Safe
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "") // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: "", defaultLabel: "") // Safe
+    let _ = SerializedDatabase(path: remoteString, defaultLabel: "", purpose: nil) // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: "", defaultLabel: "", purpose: nil) // Safe
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "") // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "") // Safe
+    let _ = SerializedDatabase(path: remoteString, configuration: Configuration(), defaultLabel: "", purpose: nil) // $ hasPathInjection=121
+    let _ = SerializedDatabase(path: "", configuration: Configuration(), defaultLabel: "", purpose: nil) // Safe
 }
 
 func testSanitizers() {
@@ -170,5 +211,5 @@ func testSanitizers() {
     if (filePath.lexicallyNormalized().starts(with: FilePath(stringLiteral: "/safe"))) {
         fm.contents(atPath: remoteString) // Safe
     }
-    fm.contents(atPath: remoteString) // $ hasPathInjection=165
+    fm.contents(atPath: remoteString) // $ hasPathInjection=206
 }