- Added new query "System command built from user-controlled sources" (`swift/command-line-injection`) for Swift. This query detects system commands built from user-controlled sources without sufficient validation. The query was previously contributed to the 'experimental' directory by @maikypedia but will now run by default for all code scanning users.
- Added a new query "Missing regular expression anchor" (`swift/missing-regexp-anchor`) for Swift. This query detects regular expressions without anchors that can be vulnerable to bypassing.
- Added additional sinks for the "Uncontrolled data used in path expression" (`swift/path-injection`) query. Some of these sinks are heuristic (imprecise) in nature.
- Fixed an issue where some Realm database sinks were not being recognized for the `swift/cleartext-storage-database` query.
No user-facing changes.
- Added more new logging sinks to the `swift/cleartext-logging` query.
- Added sinks for the GRDB database library to the `swift/hardcoded-key` query.
- Added sqlite3 and SQLite.swift sinks and flow summaries for the `swift/hardcoded-key` query.
- Added sqlite3 and SQLite.swift sinks and flow summaries for the `swift/cleartext-storage-database` query.
- Added barriers for numeric type values to the injection-like queries, to reduce false positive results where the user input that can be injected is constrained to a numerical value. The queries updated by this change are: "Predicate built from user-controlled sources" (`swift/predicate-injection`), "Database query built from user-controlled sources" (`swift/sql-injection`), "Uncontrolled format string" (`swift/uncontrolled-format-string`), "JavaScript Injection" (`swift/unsafe-js-eval`) and "Regular expression injection" (`swift/regex-injection`).
- Added additional taint steps to the `swift/cleartext-transmission`, `swift/cleartext-logging` and `swift/cleartext-storage-preferences` queries to identify data within sensitive containers. This is similar to an existing additional taint step in the `swift/cleartext-storage-database` query.
- Added new logging sinks to the `swift/cleartext-logging` query.
- Added sqlite3 and SQLite.swift path injection sinks for the `swift/path-injection` query.
No user-facing changes.
- Added new query "Incomplete regular expression for hostnames" (`swift/incomplete-hostname-regexp`). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
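The two regular-expression weaknesses named in the changelog, a missing anchor (`swift/missing-regexp-anchor`) and an unescaped dot in a hostname pattern (`swift/incomplete-hostname-regexp`), share one failure mode: the pattern accepts more URLs than the author intended. The following Swift snippet is an added illustration, not code from the CodeQL repository or from any query's test suite. It assumes Foundation's `range(of:options:)` with `.regularExpression`; the pattern strings, the `isTrustedHost` helper and the probe URLs are constructed for this example.

```swift
import Foundation

// Added example (not CodeQL's own code): the weak pattern shape both
// regexp queries flag, an anchored and escaped version, and a host
// comparison that avoids matching the whole URL with a regex at all.

/// Returns true if `pattern` matches anywhere in `text`.
/// Uses Foundation's regular-expression search on String.
func matches(_ pattern: String, _ text: String) -> Bool {
    return text.range(of: pattern, options: .regularExpression) != nil
}

// Weak: no anchors, so the pattern may match in the middle of a string,
// and the unescaped "." matches any single character.
let weakPattern = "https://example.com"

// Anchored and escaped: the scheme must start the string, the dot is
// literal, and the host must be followed by "/" or the end of input.
let anchoredPattern = "^https://example\\.com(/|$)"

/// Preferred fix: parse the URL and compare the host exactly, instead
/// of describing the whole URL with a regular expression.
func isTrustedHost(_ urlString: String) -> Bool {
    guard let url = URL(string: urlString), url.scheme == "https" else {
        return false
    }
    return url.host == "example.com"
}

// Constructed probe URLs: one legitimate, three that a loose pattern
// accepts but a strict check must reject.
let probes = [
    "https://example.com/login",                        // legitimate
    "https://example.com.attacker.test/",               // host prefix
    "https://attacker.test/?next=https://example.com",  // not at start
    "https://exampleXcom/",                             // unescaped dot
]

for probe in probes {
    print(probe)
    print("  weak regex:     \(matches(weakPattern, probe))")
    print("  anchored regex: \(matches(anchoredPattern, probe))")
    print("  host check:     \(isTrustedHost(probe))")
}
```

Only the first probe should pass the anchored pattern and the host check; the weak pattern accepts all four. Where a URL parser is available, comparing `url.host` is the more robust option because it does not depend on getting every anchor and escape right.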
No user-facing changes.
- Added new query "Command injection" (`swift/command-line-injection`). The query finds places where user input is used to execute system commands without proper escaping.
- Added new query "Bad HTML filtering regexp" (`swift/bad-tag-filter`). This query finds regular expressions that match HTML tags in a way that is not robust and can easily lead to security issues.
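The `swift/command-line-injection` query (introduced here as experimental and later promoted to run by default) flags user input that reaches a system command. The Swift snippet below is an added illustration, not code from the CodeQL repository: it shows the flagged shape, a shell command string built with interpolation, next to the form that passes the input as a single argument vector element and never hands it to a shell. It assumes Foundation's `Process`; the function names, the `/bin/ls` path and the sample input are constructed for this example.

```swift
import Foundation

// Added example (not CodeQL's own code): the shape the command-injection
// query reports, beside the argument-array form that removes the shell.

/// Flagged shape: `fileName` is spliced into a string that /bin/sh parses,
/// so shell metacharacters in the input change which command runs.
func listViaShell(_ fileName: String) -> Process {
    let process = Process()
    process.executableURL = URL(fileURLWithPath: "/bin/sh")
    process.arguments = ["-c", "ls -l \(fileName)"]
    return process
}

/// Fixed shape: the executable is fixed and `fileName` is one argv entry.
/// No shell is involved, so the input is never parsed as shell syntax.
/// Input validation (e.g. confining the path to an intended directory)
/// still belongs at the call site; this only removes the shell parser.
func listDirect(_ fileName: String) -> Process {
    let process = Process()
    process.executableURL = URL(fileURLWithPath: "/bin/ls")
    process.arguments = ["-l", fileName]
    return process
}

// Constructed input containing shell metacharacters. With `listDirect`
// it is a single file name argument; with `listViaShell` the shell
// would interpret it, which is what the query exists to catch.
let untrustedName = "report.txt; echo unexpected"

let process = listDirect(untrustedName)
try process.run()
process.waitUntilExit()
```

The query's report is about the data flow, not the particular metacharacters: once user-controlled data reaches the `-c` string, the defender cannot enumerate every escape the shell honours, so dropping the shell and passing an argument array is the fix the query is steering towards.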
- Added new query "Regular expression injection" (`swift/regex-injection`). The query finds places where user input is used to construct a regular expression without proper escaping.
- Added new query "Inefficient regular expression" (`swift/redos`). This query finds regular expressions that require exponential time to match certain inputs and may make an application vulnerable to denial-of-service attacks.
- Functions and methods modeled as flow summaries are no longer shown in the path of `path-problem` queries. This results in more succinct paths for most security queries.
No user-facing changes.
- Fixed some false positive results from the `swift/string-length-conflation` query, caused by imprecise sinks.