Skip to content

Swift: Add more sinks to swift/cleartext-logging #14485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Oct 13, 2023
Merged

Swift: Add more sinks to swift/cleartext-logging #14485

merged 6 commits into from
Oct 13, 2023

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Oct 12, 2023
edited
Loading

Adds more sinks for the swift/cleartext-logging query, along with some summary models for TextOutputStream and related classes, which as you can see in the tests can be used to move data around before (potentially) outputting it.

The models for assert, assertionFailure, precondition and preconditionFailure do not work in the tests at present. I believe, like some of the existing cases, we are waiting for better handling of @autoclosure. I've made a note in the relevant issue to come back to this.

On the MRVA 1000 we go from 20,655 to 75,403 identified sinks for this query! A pretty big increase, though many of the new results are calls to assert, preconditionFailure, fatalError etc that:

  • probably never produce new results (yet!) due to the issue with @autoclosure.
  • are perhaps among the least likely sinks to connect to a sensitive data source.
    • particularly asserts where the default empty string message is used.
    • but it's not inconceivable that genuinely sensitive data could be revealed to a developer or stored in a log file this way.

Nevertheless there are more sinks (not limited to the above), and I don't see any incorrect sinks. No new results.

@geoffw0 geoffw0 added the Swift label Oct 12, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner October 12, 2023 12:25
MathiasVP
MathiasVP approved these changes Oct 13, 2023
View reviewed changes
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT!

swift/ql/lib/codeql/swift/security/CleartextLoggingExtensions.qll
";;false;fatalError(_:file:line:);;;Argument[0];log-injection",
";;false;NSLog(_:_:);;;Argument[0..1];log-injection",
";;false;NSLogv(_:_:);;;Argument[0..1];log-injection",
";;false;vfprintf(_:_:_:);;;Agument[1..2];log-injection",
";;false;vfprintf(_:_:_:);;;Argument[1..2];log-injection",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably have a ql-for-ql query that spots these kinds of things 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. I thought I saw some code somewhere that verifies the formatting is correct, but (a) I'm not sure it would catch a typo like this and (b) I don't think it's run as a PR check. On the positive side, the tests found it.

@MathiasVP MathiasVP merged commit fb0016e into github:main Oct 13, 2023
@geoffw0
Copy link
Contributor Author

geoffw0 commented Oct 13, 2023

Agument
...
LGMT

😆

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MathiasVP MathiasVP MathiasVP approved these changes

Assignees
No one assigned
Labels
documentation Swift
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@geoffw0 @MathiasVP