Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Swift: CustomUrlSchemes test enhancements and minor model improvement #13756

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Jul 17, 2023

Add tests for the TaintInheritingContent defined in CustomUrlSchemes.qll.

Add one case I think was missing - NSUserActivity.referrerURL. @atorralba do you agree with this change or was it left our for a reason?

More significantly, these tests draw attention to the fact we don't model Swift Sets properly yet. This will probably come after array and dictionary improvements but we need to get around to it.

@geoffw0 geoffw0 added the Swift label Jul 17, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner July 17, 2023 14:47
@atorralba
Copy link
Contributor

Add one case I think was missing - NSUserActivity.referrerURL. @atorralba do you agree with this change or was it left our for a reason?

Hm, let's see. The NSUserActivity.webpageURL taint step was meant to represent that tainted data comes from the WebView when the user navigates to a website (i.e. they maybe clicked on a malicious link with a tainted URL).

If we consider that referrerURL also propagates taint, this means that the user isn't navigating to a malicious website, but rather from a malicious website (and even then, I'm not sure how much of the referrerURL an attacker is able to control, unless they also control the link that brought the user to their webpage).

So in a sense, controlling webpageURL seems like a prerequisite to controlling referrerURL. Having said that, there could be cases where this condition is met, but webpageURL doesn't flow to any sink whereas referrerURL does.

This means that this is a valid and useful taint step (thanks for catching it!), but may lead to some FPs when the navigation occurs from a trusted page, which I think we have no way of knowing statically (similarly to how we can't know whether the clicked link was under an attacker's control).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants