Swift: Add path injection sinks for sqlite3 and SQLite.swift #13276
Conversation
There was a problem hiding this comment.
- CSV sinks don't seem to be able to match writes to global (non-member) variables.
I don't see any global variables in the added tests? In any case, Swift doesn't support global variable flow yet anyway.
This is my first PR for a while that has a change note, and possibly the first PR for Swift with a change note. Does it look right? Do we need to flip any switches to enable change note generation / publishing / the pull request check?
You don't need to do anything special other than creating the change note. (Publishing change notes happen as part of the release process.) I've added one small suggestion to move it to a different folder, though.
Otherwise, this LGTM
The variable in question is
We don't need flow through global variables, just permitting one to be a sink (expressed as CSV). I almost have a solution to this locally, actually, but something about the post-update node part isn't working. |
Oh, sorry. Completely missed that one!
Do you mean to catch the missing alert on this line: sqlite3_temp_directory = UnsafeMutablePointer<CChar>(mutating: NSString(string: remoteString).utf8String) // $ MISSING: hasPathInjection=253? If so, I don't completely follow what you're saying about post-update nodes. There shouldn't be a post-update node for |
Ah, I had assumed basically anything that is written to has a pre- and post-update node. But in the case of a simple assignment I can see there's little reason to be interested in a distinct 'pre-update' value, so the node itself is the post-update node I'm looking for. |
So in: we don't expect flow to reach anything on the second line yet. And there are no |
myGlobal = taintedwill probably be a |
I'll try expressing it as a non-MAD sink then, if that might work. I'll probably have to get back to this after my holiday now. |
|
I've just pushed some fixes:
|
![github-advanced-security[bot]](https://ssr-www.pages.dev/web/20260103134212im_/https://avatars.githubusercontent.com/in/57789?s=60&v=4&kwid=1tfa-bq%2560kjuf-lqd){kind=small}
|
I've just merged with main and fixed a merge conflict in I think this PR is ready to merge (despite the two non-MAD sink models not being as general as I'd like; but to put it into perspective, they're just two of many sinks for this query). |
MathiasVP
left a comment
MathiasVP
left a comment
There was a problem hiding this comment.
The changes LGTM! Did we ever run a DCA on this, though?
|
Running one now... |
|
Thanks a lot! Feel free to merge if DCA comes back happy 🤞 |
|
DCA shows a 3% analysis slowdown and 6 bad rows for stage timings. However the rows don't appear to relate to this PR and the slowdown is small and not consistent across projects. I think we're just looking at a bit of wobble. So I'm merging this, but let me know if you disagree about dismissing the above, I can always investigate further after the fact. |
2 participants
Add
swift/path-injectionsinks for the sqlite3 and SQLite.swift libraries. There are two missing results that will require follow-up work after this PR:EnumElementExprs (i.e.enumconstructor calls).This is my first PR for a while that has a change note, and possibly the first PR for Swift with a change note. Does it look right? Do we need to flip any switches to enable change note generation / publishing / the pull request check?