Merge pull request #9964 from geoffw0/cwe95

Swift: Query for CWE-79 / CWE-95

Author: MathiasVP

swift/ql/lib/codeql/swift/dataflow/FlowSources.qll

@@ -11,6 +11,9 @@ abstract class RemoteFlowSource extends Node {
   abstract string getSourceType();
 }
 
+/**
+ * A data flow source of remote user input that is defined through 'models as data'.
+ */
 private class ExternalRemoteFlowSource extends RemoteFlowSource {
   ExternalRemoteFlowSource() { sourceNode(this, "remote") }
 

swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.qhelp

@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, for example using <code>file://</code>. Data can then be extracted from the software using the URL of a machine under the attackers control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.</p>
+
+</overview>
+<recommendation>
+
+<p>When loading HTML into a web view, always set the <code>baseURL</code> to an appropriate URL that you control, or to <code>about:blank</code>. Do not use <code>nil</code>, as this does not restrict URLs that can be resolved. Also do not use a <code>baseURL</code> that could itself be controlled by an attacker.</p>
+
+</recommendation>
+<example>
+
+<p>In the following example, a call to <code>UIWebView.loadHTMLString</code> has the <code>baseURL</code> set to <code>nil</code>, which does not restrict URLs that can be resolved from within the web page.</p>
+
+<sample src="UnsafeWebViewFetchBad.swift" />
+
+<p>To fix the problem, we set the <code>baseURL</code> to <code>about:blank</code>. This ensures that an attacker cannot resolve URLs that point to the local file system, or to web servers under their control.</p>
+
+<sample src="UnsafeWebViewFetchGood.swift" />
+
+</example>
+<references>
+
+<li>
+  <a href="https://www.allysonomalley.com/2018/12/03/ios-bug-hunting-web-view-xss/">iOS Bug Hunting - Web View XSS</a>
+</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql

@@ -0,0 +1,143 @@
+/**
+ * @name Unsafe WebView fetch
+ * @description Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, or enable cross-site scripting attack.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision high
+ * @id swift/unsafe-webview-fetch
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-749
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import DataFlow::PathGraph
+import codeql.swift.frameworks.StandardLibrary.String
+
+/**
+ * A taint source that is `String(contentsOf:)`.
+ * TODO: this shouldn't be needed when `StringSource` in `String.qll` is working.
+ */
+class StringContentsOfUrlSource extends RemoteFlowSource {
+  StringContentsOfUrlSource() {
+    exists(CallExpr call, AbstractFunctionDecl f |
+      call.getFunction().(ApplyExpr).getStaticTarget() = f and
+      f.getName() = "init(contentsOf:)" and
+      f.getParam(0).getType().getName() = "URL" and
+      this.asExpr() = call
+    )
+  }
+
+  override string getSourceType() { result = "" }
+}
+
+/**
+ * A sink that is a candidate result for this query, such as certain arguments
+ * to `UIWebView.loadHTMLString`.
+ */
+class Sink extends DataFlow::Node {
+  Expr baseUrl;
+
+  Sink() {
+    exists(
+      AbstractFunctionDecl funcDecl, CallExpr call, string funcName, string paramName, int arg,
+      int baseUrlArg
+    |
+      // arguments to method calls...
+      exists(string className, ClassDecl c |
+        (
+          // `loadHTMLString`
+          className = ["UIWebView", "WKWebView"] and
+          funcName = "loadHTMLString(_:baseURL:)" and
+          paramName = "string"
+          or
+          // `UIWebView.load`
+          className = "UIWebView" and
+          funcName = "load(_:mimeType:textEncodingName:baseURL:)" and
+          paramName = "data"
+          or
+          // `WKWebView.load`
+          className = "WKWebView" and
+          funcName = "load(_:mimeType:characterEncodingName:baseURL:)" and
+          paramName = "data"
+        ) and
+        c.getName() = className and
+        c.getAMember() = funcDecl and
+        call.getFunction().(ApplyExpr).getStaticTarget() = funcDecl
+      ) and
+      // match up `funcName`, `paramName`, `arg`, `node`.
+      funcDecl.getName() = funcName and
+      funcDecl.getParam(pragma[only_bind_into](arg)).getName() = paramName and
+      call.getArgument(pragma[only_bind_into](arg)).getExpr() = this.asExpr() and
+      // match up `baseURLArg`
+      funcDecl.getParam(pragma[only_bind_into](baseUrlArg)).getName() = "baseURL" and
+      call.getArgument(pragma[only_bind_into](baseUrlArg)).getExpr() = baseUrl
+    )
+  }
+
+  /**
+   * Gets the `baseURL` argument associated with this sink.
+   */
+  Expr getBaseUrl() { result = baseUrl }
+}
+
+/**
+ * A taint configuration from taint sources to sinks (and `baseURL` arguments)
+ * for this query.
+ */
+class UnsafeWebViewFetchConfig extends TaintTracking::Configuration {
+  UnsafeWebViewFetchConfig() { this = "UnsafeWebViewFetchConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node node) {
+    node instanceof Sink or
+    node.asExpr() = any(Sink s).getBaseUrl()
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // allow flow through `try!` and similar constructs
+    // TODO: this should probably be part of DataFlow / TaintTracking.
+    node1.asExpr() = node2.asExpr().(AnyTryExpr).getSubExpr()
+    or
+    // allow flow through `!`
+    // TODO: this should probably be part of DataFlow / TaintTracking.
+    node1.asExpr() = node2.asExpr().(ForceValueExpr).getSubExpr()
+    or
+    // allow flow through string concatenation.
+    // TODO: this should probably be part of TaintTracking.
+    node2.asExpr().(AddExpr).getAnOperand() = node1.asExpr()
+    or
+    // allow flow through `URL.init`.
+    exists(CallExpr call, ClassDecl c, AbstractFunctionDecl f |
+      c.getName() = "URL" and
+      c.getAMember() = f and
+      f.getName() = ["init(string:)", "init(string:relativeTo:)"] and
+      call.getFunction().(ApplyExpr).getStaticTarget() = f and
+      node1.asExpr() = call.getAnArgument().getExpr() and
+      node2.asExpr() = call
+    )
+  }
+}
+
+from
+  UnsafeWebViewFetchConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode,
+  Sink sink, string message
+where
+  config.hasFlowPath(sourceNode, sinkNode) and
+  sink = sinkNode.getNode() and
+  (
+    // base URL is nil
+    sink.getBaseUrl() instanceof NilLiteralExpr and
+    message = "Tainted data is used in a WebView fetch without restricting the base URL."
+    or
+    // base URL is tainted
+    config.hasFlowToExpr(sink.getBaseUrl()) and
+    message = "Tainted data is used in a WebView fetch with a tainted base URL."
+  )
+select sink, sourceNode, sinkNode, message

swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetchBad.swift

@@ -0,0 +1,6 @@
+
+let webview = UIWebView()
+
+...
+
+webview.loadHTMLString(htmlData, baseURL: nil) // BAD

swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetchGood.swift

@@ -0,0 +1,6 @@
+
+let webview = UIWebView()
+
+...
+
+webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD

swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.expected

@@ -0,0 +1,80 @@
+edges
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() |
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() |
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:124:25:124:51 | ... call to +(_:_:) ... |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:135:25:135:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:137:25:137:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:138:47:138:56 | ...! |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:139:48:139:57 | ...! |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:140:47:140:57 | ...! |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:141:48:141:58 | ...! |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:153:85:153:94 | ...! |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:154:86:154:95 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:182:25:182:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:184:25:184:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:185:47:185:56 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:186:48:186:57 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:187:47:187:57 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:188:48:188:58 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:200:90:200:99 | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:201:91:201:100 | ...! |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData |
+nodes
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | semmle.label | try ... :  |
+| UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | semmle.label | call to ... :  |
+| UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | semmle.label | call to getRemoteData() |
+| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:124:25:124:51 | ... call to +(_:_:) ... | semmle.label | ... call to +(_:_:) ... |
+| UnsafeWebViewFetch.swift:135:25:135:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:137:25:137:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:138:47:138:56 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:139:48:139:57 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:140:47:140:57 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:141:48:141:58 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:153:85:153:94 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:154:86:154:95 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | semmle.label | call to getRemoteData() |
+| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... | semmle.label | ... call to +(_:_:) ... |
+| UnsafeWebViewFetch.swift:182:25:182:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:184:25:184:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:185:47:185:56 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:186:48:186:57 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:187:47:187:57 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | semmle.label | remoteString |
+| UnsafeWebViewFetch.swift:188:48:188:58 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:200:90:200:99 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:201:91:201:100 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData |
+| UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData |
+subpaths
+#select
+| UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:124:25:124:51 | ... call to +(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:124:25:124:51 | ... call to +(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:139:25:139:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:141:25:141:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:168:25:168:25 | remoteString | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
+| UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. |

swift/ql/test/query-tests/Security/CWE-079/UnsafeWebViewFetch.qlref

@@ -0,0 +1 @@
+queries/Security/CWE-079/UnsafeWebViewFetch.ql