Swift: Documentation.

geoffw0 · geoffw0 · commit c635895644fe · 2022-08-03T14:45:18.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetch.qhelp b/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetch.qhelp
@@ -3,29 +3,29 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>TODO</p>
+<p>Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, for example using <code>file://</code>. Data can then be extracted from the software using the URL of a machine under the attackers control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.</p>
 
 </overview>
 <recommendation>
 
-<p>TODO</p>
+<p>When loading HTML into a web view, always set the <code>baseURL</code> to an appropriate URL that you control, or to <code>about:blank</code>. Do not use <code>nil</code>, as this does not restrict URLs that can be resolved. Also do not use a <code>baseURL</code> that could itself be controlled by an attacker.</p>
 
 </recommendation>
 <example>
 
-<p>TODO</p>
+<p>In the following example, a call to <code>UIWebView.loadHTMLString</code> has the <code>baseURL</code> set to <code>nil</code>, which does not restrict URLs that can be resolved from within the web page.</p>
 
-<sample src="StringLengthConflationBad.swift" />
+<sample src="UnsafeWebViewFetchBad.swift" />
 
-<p>TODO</p>
+<p>To fix the problem, we set the <code>baseURL</code> to <code>about:blank</code>. This ensures that an attacker cannot resolve URLs that point to the local file system, or to web servers under their control.</p>
 
-<sample src="StringLengthConflationGood.swift" />
+<sample src="UnsafeWebViewFetchGood.swift" />
 
 </example>
 <references>
 
 <li>
-  <a href="TODO">TODO</a>
+  <a href="https://www.allysonomalley.com/2018/12/03/ios-bug-hunting-web-view-xss/">iOS Bug Hunting - Web View XSS</a>
 </li>
 
 </references>
diff --git a/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetch.ql b/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetch.ql
@@ -1,6 +1,6 @@
 /**
  * @name Unsafe WebView fetch
- * @description TODO
+ * @description Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, or enable cross-site scripting attack.
  * @kind path-problem
  * @problem.severity warning
  * @security-severity 6.1
diff --git a/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetchBad.swift b/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetchBad.swift
@@ -1,2 +1,6 @@
 
-TODO
+let webview = UIWebView()
+
+...
+
+webview.loadHTMLString(htmlData, baseURL: nil) // BAD
diff --git a/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetchGood.swift b/swift/ql/src/queries/Security/CWE-095/UnsafeWebViewFetchGood.swift
@@ -1,2 +1,6 @@
 
-TODO
+let webview = UIWebView()
+
+...
+
+webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD
diff --git a/swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.expected b/swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.expected
@@ -3,6 +3,7 @@ edges
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  |
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:167:25:167:39 | call to getRemoteData() |
+| UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  |
 | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  |
 | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:121:25:121:25 | remoteString |
 | UnsafeWebViewFetch.swift:117:21:117:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:124:25:124:51 | ... call to +(_:_:) ... |
@@ -28,6 +29,8 @@ edges
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:188:48:188:58 | ...! |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:200:90:200:99 | ...! |
 | UnsafeWebViewFetch.swift:164:21:164:35 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:201:91:201:100 | ...! |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | UnsafeWebViewFetch.swift:211:25:211:25 | htmlData |
 nodes
 | UnsafeWebViewFetch.swift:94:10:94:37 | try ... :  | semmle.label | try ... :  |
 | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | semmle.label | call to ... :  |
@@ -59,6 +62,9 @@ nodes
 | UnsafeWebViewFetch.swift:188:48:188:58 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:200:90:200:99 | ...! | semmle.label | ...! |
 | UnsafeWebViewFetch.swift:201:91:201:100 | ...! | semmle.label | ...! |
+| UnsafeWebViewFetch.swift:206:17:206:31 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | semmle.label | htmlData |
+| UnsafeWebViewFetch.swift:211:25:211:25 | htmlData | semmle.label | htmlData |
 subpaths
 #select
 | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:120:25:120:39 | call to getRemoteData() | Tainted data is used in a WebView fetch without restricting the base URL. |
@@ -71,3 +77,4 @@ subpaths
 | UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:171:25:171:51 | ... call to +(_:_:) ... | Tainted data is used in a WebView fetch without restricting the base URL. |
 | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:186:25:186:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
 | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:188:25:188:25 | remoteString | Tainted data is used in a WebView fetch with a tainted base URL. |
+| UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | UnsafeWebViewFetch.swift:94:14:94:37 | call to ... :  | UnsafeWebViewFetch.swift:210:25:210:25 | htmlData | Tainted data is used in a WebView fetch without restricting the base URL. |
diff --git a/swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.swift b/swift/ql/test/query-tests/Security/CWE-095/UnsafeWebViewFetch.swift
@@ -201,6 +201,17 @@ func testWKWebView() {
 	webview.load(remoteData, mimeType: "text/html", characterEncodingName: "utf-8", baseURL: remoteURL!) // BAD [NOT DETECTED]
 }
 
+func testQHelpExamples() {
+	let webview = UIWebView()
+	let htmlData = getRemoteData()
+
+	// ...
+
+	webview.loadHTMLString(htmlData, baseURL: nil) // BAD
+	webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD
+}
+
 testSimpleFlows()
 testUIWebView()
 testWKWebView()
+testQHelpExamples()

-Original file line number
+Diff line change
@@ @@ -1,2 +1,6 @@ @@
 -TODO
 +let webview = UIWebView()
++
 +...
++
 +webview.loadHTMLString(htmlData, baseURL: nil) // BAD