Swift: Unsafe JS Eval Query

[d10c]

No description provided.

[geoffw0]

How will we tell which sink types each case is working for? Might we be better off with thorough tests for just one sink type, then an additional simple test of each other sink type to verify coverage?

[d10c]

True, it would be simpler if I inlined (most of) the tests. But we can eye-ball the correctness of the test by running the query in VSCode and checking that each of the sinks has the same number of paths leading to it.

[geoffw0]

Looks great. We have a lot of follow-up work to do on models!

Also thanks for updating the QL to use the new predicates (MethodDecl).hasQualifiedName and FreeFunctionDecl.

[geoffw0]

I think we should aim to create follow-up tasks for most of these things rather than addressing them all now. Many are planned already. And I don't want this PR just growing and growing.

[d10c]

Makes sense. Though it's a tradeoff between a growing PR and shipping more tech debt. An alternative is that I move these additional taint steps into the library, and create issues to flesh the library out to handle other cases that I didn't handle here.

[geoffw0]

That sounds fine as long as its straightforward.

I have a preference for smaller, faster PRs where possible as they're easier for everyone to review and manage.

[github-actions]

QHelp previews:

swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.qhelp

JavaScript Injection

Evaluating JavaScript that contains a substring from a remote origin may lead to remote code execution. Code written by an attacker can execute unauthorized actions, including exfiltration of local data through a third party web service.

Recommendation

When loading JavaScript into a web view, evaluate only known, locally-defined source code. If part of the input comes from a remote source, do not inject it into the JavaScript code to be evaluated. Instead, send it to the web view as data using an API such as WKWebView.callAsyncJavaScript with the arguments dictionary to pass remote data objects.

Example

In the following (bad) example, a call to WKWebView.evaluateJavaScript evaluates JavaScript source code that is tainted with remote data, potentially introducing a code injection vulnerability.

let webview: WKWebView
let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)

...

_ = try await webview.evaluateJavaScript("console.log(" + remoteData + ")") // BAD

In the following (good) example, we sanitize the remote data by passing it using the arguments dictionary of WKWebView.callAsyncJavaScript. This ensures that untrusted data cannot be evaluated as JavaScript source code.

let webview: WKWebView
let remoteData = try String(contentsOf: URL(string: "http://example.com/evil.json")!)

...

_ = try await webview.callAsyncJavaScript(
    "console.log(data)",
    arguments: ["data": remoteData], // GOOD
    contentWorld: .page
)

References

• Apple Developer Documentation: WKWebView.callAsyncJavaScript(_:arguments:in:contentWorld:)
• Common Weakness Enumeration: CWE-94.
• Common Weakness Enumeration: CWE-95.
• Common Weakness Enumeration: CWE-749.

[geoffw0]

Otherwise I think we're just waiting for docs review. The DCA run looks fine I think.

[geoffw0]

I wonder if the results of this test might be easier to interpret if we replace the calls to getRemoteData with an in-place taint source such as:

try String(contentsOf: URL(string: "http://example.com/")!)

Then the sources + sinks on the result lines should show us all of the combinations are working?

[d10c]

Weirdly enough, they are harder to interpret (see the latest commit). Now there is a separate result for this new in-place source (as expected). But unexpectedly, for the JSEvaluateScript sinks, there are two separate paths for this result: one passing through the JSString constructor function, one omitting this taint step.

[geoffw0]

for the JSEvaluateScript sinks, there are two separate paths for this result: one passing through the JSString constructor function, one omitting this taint step.

I think I see what you mean, there's an unnecessary edge:

| UnsafeJsEval.swift:287:31:287:97 | call to JSStringCreateWithCharacters(_:_:) : | UnsafeJsEval.swift:291:17:291:17 | jsstr |

and also:

| UnsafeJsEval.swift:286:51:286:51 | stringBytes : | UnsafeJsEval.swift:291:17:291:17 | jsstr |

But they don't appear to be new in this commit.

The new results under #select look good to me. You will need to replace the other calls to getRemoteData with inline sinks to see the complete grid of results there.

[geoffw0]

Notably both unnecessary edges are the transitive closure of more than one isAdditionalTaintStep step, ending at the sink. I wonder if this is a bug in taint flow itself?

[MathiasVP]

The dataflow library will "compress" both dataflow and taint-flow steps before reporting them as edges in the edges relation. So we can't really conclude that there's a bug based on the edges data in the .expected file.

If you want to disable this compression, you can replace none() with any() in the charpred for CastNode here. Then each local step will be visible in the edges relation.

[geoffw0]

Are you saying the additional edges are expected / harmless?

[MathiasVP]

Not quite. I'm saying that the transitive closure of more than one isAdditionalTaintStep is expected (this happens all the time in dataflow/taintflow). But this shouldn't produce additional spurious edges. The presence of additional edges might indicate an unnecessary taintflow/dataflow rule somewhere.

[geoffw0]

I checked over the rules in isAdditionalTaintStep for this query again and they all seem reasonable. I'm not sure what else could be generating edges through this - JSString* isn't modelled yet so it should be nothing.

[MathiasVP]

Feel free to create an issue for it. I don't think this should block this PR.

[geoffw0]

I agree.

[sabrowning1]

@d10c hello from Docs! 👋🏼 Thanks for your work on the documentation; I made some small suggestions to bring things in line with our style guide. Let me know if you have any questions!

[sabrowning1]

Looks good for Docs, thanks for making those changes @d10c! 🎉

[geoffw0]

Do you plan to change all of the cases in testSync / testAsync work this way? I still think it will be easier to read the results like that - though if you feel otherwise I don't want us to get stuck on this.

[d10c]

Last commit LGTM 👍🏻