
Swift: New query: Incomplete regular expression for hostnames #14034

Open: wants to merge 8 commits into base: main

Conversation

geoffw0

@geoffw0 geoffw0 commented Aug 23, 2023

Adds a new Swift query "Incomplete regular expression for hostnames". This is a port of js/incomplete-hostname-regexp; Ruby, Go and Python have similar queries as well.

  • we use the shared logic in shared/regex/codeql/regex/HostnameRegexp for the query, with a thin layer in swift/ql/lib/codeql/swift/security/regex/HostnameRegex.qll connecting that to the Swift libraries.
  • we use the existing Swift regex library swift/ql/lib/codeql/swift/regex/Regex.qll. ParsedStringRegex is changed to extend a new class RegexPatternSource and ultimately DataFlow::Node rather than Expr, as that is the configuration of classes the shared library expects to find.
  • tests and qhelp are similar to other languages though there has been some adapting, especially in the qhelp examples.

Before merging:

  • DCA run
  • team review
  • docs review

@geoffw0 geoffw0 added the Swift label Aug 23, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner August 23, 2023 12:10
@github-actions

QHelp previews:

swift/ql/src/queries/Security/CWE-020/IncompleteHostnameRegex.qhelp

Incomplete regular expression for hostnames

Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.

If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the . meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.

Recommendation

Escape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the . meta-character.

Example

The following example code checks that a URL redirection will reach the example.com domain, or one of its subdomains.
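As an added illustration of the unescaped-dot problem the qhelp describes (this is not the qhelp's own Swift example, and it is not part of the pull request), here is the same redirect check in Python with a deliberately permissive pattern beside its escaped form; the sample URLs are constructed for the demonstration:

```python
import re

# Constructed patterns (not from the qhelp): both intend to allow only
# example.com and its subdomains as a redirect target.
#
# PERMISSIVE leaves the '.' before the TLD unescaped, so it matches any
# single character there, which is the defect the query reports.
PERMISSIVE = re.compile(r"^https?://(\w+\.)*example.com(/|$)")
# CORRECTED escapes the '.', so only a literal dot is accepted.
CORRECTED = re.compile(r"^https?://(\w+\.)*example\.com(/|$)")


def is_allowed(url: str, pattern: re.Pattern) -> bool:
    """Return True if the redirect target passes the hostname check."""
    return pattern.match(url) is not None


def check_urls(pattern: re.Pattern, urls: list[str]) -> dict[str, bool]:
    """Apply one pattern to each URL and report the verdicts."""
    return {url: is_allowed(url, pattern) for url in urls}


# Constructed sample inputs: two legitimate targets, one host that only the
# permissive pattern accepts, and one suffix trick that the trailing
# (/|$) anchor stops in both patterns.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://www.example.com/",
    "https://examplezcom/",
    "https://example.com.attacker.invalid/",
]

if __name__ == "__main__":
    for name, pattern in (("permissive", PERMISSIVE), ("corrected", CORRECTED)):
        for url, verdict in check_urls(pattern, SAMPLE_URLS).items():
            print(f"{name:10} {'allow' if verdict else 'reject':6} {url}")
```

Only the third URL separates the two patterns: the unescaped dot lets "examplezcom" through, while the anchored suffix check already rejects the fourth in both versions.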


@MathiasVP MathiasVP left a comment


I've only reviewed the QL code so far.

swift/ql/lib/codeql/swift/security/regex/HostnameRegex.qll (review thread, outdated, resolved)
swift/ql/lib/codeql/swift/regex/Regex.qll (review thread, outdated, resolved)
geoffw0 and others added 2 commits August 23, 2023 13:58
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
@geoffw0 geoffw0 added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Aug 24, 2023
@geoffw0

geoffw0 commented Aug 24, 2023

DCA LGTM. It shows a slight (~3%) overall analysis slowdown, which may be wobble or the real effect of adding a new query. I will check the most slowed down project (signalapp__Signal-iOS) locally for any signs of an actual problem.

@mchammer01 mchammer01 self-requested a review August 24, 2023 12:40
@mchammer01

I'll review this on behalf of Docs!
