Skip to content

Commit ee9a5c7

Browse files
geoffw0geoffw0
committed
Swift: Add numeric barrier for to the JS eval query.
1 parent 158008a commit ee9a5c7

2 files changed

Lines changed: 16 additions & 22 deletions

File tree

swift/ql/lib/codeql/swift/security/UnsafeJsEvalExtensions.qll

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ class UnsafeJsEvalAdditionalFlowStep extends Unit {
3030
}
3131

3232
/**
33-
* A default SQL injection sink for the `WKWebView` interface.
33+
* A default javascript evaluation sink for the `WKWebView` interface.
3434
*/
3535
private class WKWebViewDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
3636
WKWebViewDefaultUnsafeJsEvalSink() {
@@ -50,7 +50,7 @@ private class WKWebViewDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
5050
}
5151

5252
/**
53-
* A default SQL injection sink for the `WKUserContentController` interface.
53+
* A default javascript evaluation sink for the `WKUserContentController` interface.
5454
*/
5555
private class WKUserContentControllerDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
5656
WKUserContentControllerDefaultUnsafeJsEvalSink() {
@@ -61,7 +61,7 @@ private class WKUserContentControllerDefaultUnsafeJsEvalSink extends UnsafeJsEva
6161
}
6262

6363
/**
64-
* A default SQL injection sink for the `UIWebView` and `WebView` interfaces.
64+
* A default javascript evaluation sink for the `UIWebView` and `WebView` interfaces.
6565
*/
6666
private class UIWebViewDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
6767
UIWebViewDefaultUnsafeJsEvalSink() {
@@ -74,7 +74,7 @@ private class UIWebViewDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
7474
}
7575

7676
/**
77-
* A default SQL injection sink for the `JSContext` interface.
77+
* A default javascript evaluation sink for the `JSContext` interface.
7878
*/
7979
private class JSContextDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
8080
JSContextDefaultUnsafeJsEvalSink() {
@@ -87,7 +87,7 @@ private class JSContextDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
8787
}
8888

8989
/**
90-
* A default SQL injection sink for the `JSEvaluateScript` function.
90+
* A default javascript evaluation sink for the `JSEvaluateScript` function.
9191
*/
9292
private class JSEvaluateScriptDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
9393
JSEvaluateScriptDefaultUnsafeJsEvalSink() {
@@ -98,7 +98,7 @@ private class JSEvaluateScriptDefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
9898
}
9999

100100
/**
101-
* A default SQL injection additional taint step.
101+
* A default javascript evaluation additional taint step.
102102
*/
103103
private class DefaultUnsafeJsEvalAdditionalFlowStep extends UnsafeJsEvalAdditionalFlowStep {
104104
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -120,3 +120,13 @@ private class DefaultUnsafeJsEvalAdditionalFlowStep extends UnsafeJsEvalAddition
120120
private class DefaultUnsafeJsEvalSink extends UnsafeJsEvalSink {
121121
DefaultUnsafeJsEvalSink() { sinkNode(this, "code-injection") }
122122
}
123+
124+
/**
125+
* A barrier for javascript evaluation.
126+
*/
127+
private class UnsafeJsEvalDefaultBarrier extends UnsafeJsEvalBarrier {
128+
UnsafeJsEvalDefaultBarrier() {
129+
// any numeric type
130+
this.asExpr().getType().getUnderlyingType().getABaseType*().getName() = "Numeric"
131+
}
132+
}

swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected

Lines changed: 0 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,6 @@ edges
44
| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:205:7:205:7 | remoteString |
55
| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:208:7:208:39 | ... .+(_:_:) ... |
66
| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:211:24:211:37 | .utf8 |
7-
| UnsafeJsEval.swift:201:21:201:35 | call to getRemoteData() | UnsafeJsEval.swift:217:35:217:35 | remoteString |
87
| UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:265:13:265:13 | string |
98
| UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:268:13:268:13 | string |
109
| UnsafeJsEval.swift:204:7:204:66 | try! ... | UnsafeJsEval.swift:276:13:276:13 | string |
@@ -33,16 +32,6 @@ edges
3332
| UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:285:13:285:13 | string |
3433
| UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | UnsafeJsEval.swift:299:13:299:13 | string |
3534
| UnsafeJsEval.swift:214:24:214:24 | remoteData | UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) |
36-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:265:13:265:13 | string |
37-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:268:13:268:13 | string |
38-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:276:13:276:13 | string |
39-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:279:13:279:13 | string |
40-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:285:13:285:13 | string |
41-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | UnsafeJsEval.swift:299:13:299:13 | string |
42-
| UnsafeJsEval.swift:217:24:217:53 | call to String.init(_:) | UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... |
43-
| UnsafeJsEval.swift:217:31:217:47 | call to Self.init(_:) | UnsafeJsEval.swift:217:31:217:52 | ... ??(_:_:) ... |
44-
| UnsafeJsEval.swift:217:31:217:52 | ... ??(_:_:) ... | UnsafeJsEval.swift:217:24:217:53 | call to String.init(_:) |
45-
| UnsafeJsEval.swift:217:35:217:35 | remoteString | UnsafeJsEval.swift:217:31:217:47 | call to Self.init(_:) |
4635
| UnsafeJsEval.swift:265:13:265:13 | string | UnsafeJsEval.swift:266:43:266:43 | string |
4736
| UnsafeJsEval.swift:266:43:266:43 | string | UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) |
4837
| UnsafeJsEval.swift:268:13:268:13 | string | UnsafeJsEval.swift:269:43:269:43 | string |
@@ -78,11 +67,6 @@ nodes
7867
| UnsafeJsEval.swift:211:24:211:37 | .utf8 | semmle.label | .utf8 |
7968
| UnsafeJsEval.swift:214:7:214:49 | call to String.init(decoding:as:) | semmle.label | call to String.init(decoding:as:) |
8069
| UnsafeJsEval.swift:214:24:214:24 | remoteData | semmle.label | remoteData |
81-
| UnsafeJsEval.swift:217:7:217:57 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
82-
| UnsafeJsEval.swift:217:24:217:53 | call to String.init(_:) | semmle.label | call to String.init(_:) |
83-
| UnsafeJsEval.swift:217:31:217:47 | call to Self.init(_:) | semmle.label | call to Self.init(_:) |
84-
| UnsafeJsEval.swift:217:31:217:52 | ... ??(_:_:) ... | semmle.label | ... ??(_:_:) ... |
85-
| UnsafeJsEval.swift:217:35:217:35 | remoteString | semmle.label | remoteString |
8670
| UnsafeJsEval.swift:265:13:265:13 | string | semmle.label | string |
8771
| UnsafeJsEval.swift:266:22:266:107 | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) | semmle.label | call to WKUserScript.init(source:injectionTime:forMainFrameOnly:) |
8872
| UnsafeJsEval.swift:266:43:266:43 | string | semmle.label | string |

0 commit comments

Comments
 (0)