Swift: Uncontrolled format string query #11529
Conversation
…apparently wasn't right.
|
QHelp previews: swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.qhelpUncontrolled format stringPassing untrusted format strings to functions that use RecommendationUse a constant string literal for the format string to prevent the possibility of data flow from an untrusted source. This also helps to prevent errors where the format arguments do not match the format string. If the format string cannot be constant, ensure that it comes from a secure data source or is compiled into the source code. If you need to include a string value from the user, use an appropriate specifier (such as ExampleIn this example, the format string includes a user-controlled To fix it, make References
|
![github-code-scanning[bot]](/criselda-https-web.archive.org/web/20230118080523im_/https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
Dismissed
Show resolved
Hide resolved
| from TaintedFormatConfiguration config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode | ||
| where config.hasFlowPath(sourceNode, sinkNode) | ||
| select sinkNode.getNode(), sourceNode, sinkNode, "This format string depends on $@.", | ||
| sourceNode.getNode(), "this user-provided value" |
Check warning
Code scanning / CodeQL
Consistent alert message Warning
There was a problem hiding this comment.
We're now as close to the cs/uncontrolled-format-string message as I can get, without introducing the 'source type' string into the message (which is not really suitable for display to users; I'm not sure why the csharp query does that).
swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
LGTM (with the exception of the missing autoformat)! Let's wait for @atorralba comments on dba3444 and 07ea006, though.
I don't think we've run this on DCA yet, have we?
If I have it's evolved quite a bit since. I'll push the autoformat fix and run it now. |
|
DCA is hard to read - a lot of noise is unfortunately normal on Swift right now - but I'm suspicious we have somewhat slow stage timings associated with I'm going to investigate locally next week. If I don't find anything, I'll re-run DCA instead. |
The changes LGTM |
Indeed, it does look like the new query is substantially slower than the rest of the dataflow queries. The slowest one appears to be on |
|
I've been trying to understand this performance issue here, having run the query locally quite a few times I'm beginning to doubt it really exists. It appears that evaluating I'm going to run DCA again and hopefully see through some of the noise... |
Indeed, it may be that It is strange that |
You're right - but the issue turns out to be nothing to do with the uncontrolled format string query. I've created a fix in #11708 . |
|
Great! Now the only thing left is making CI happy. I see it failed with |
|
I think the second DCA run is just showing us (1) that analysis is slower with +1 query (2) the above discussed slowness on |
|
I've just merged in latest main and fixed the merge (a Its difficult to add |
In my experience, that's normally caused by some function or class existing in the Mac Swift APIs but not in the Linux ones. When this happens, I use an Ubuntu VM where I try to compile the problematic test file and see exactly what's failing. In this case, the error is the following: I think stubbing |
|
Thanks, I've managed to fix it and will be on the lookout for this issue in future. |
|
Looks like this is all good except I've forgotten to ask for a docs review... |
geoffw0
added
the
ready-for-doc-review
|
Thanks for the docs review @stevecat . It looks like this PR has been through enough reviews, has had |
Adds a query for uncontrolled format strings. Includes tests, docs, and a re-usable library for identifying format strings in the first place.