QHelp previews:

TODO

TODO

Are we planning on covering wrapper libraries on top of it? e.g. https://github.com/stephencelis/SQLite.swift

The tests in SQLite.swift should cover this library - assuming I've correctly identified the right / most important interfaces.

or https://github.com/groue/GRDB.swift.

Yeah it would be good to cover this library as well. However I'm a bit behind on this task as it is, so I'll create a follow-up ticket rather than addressing this now. --- update: added to the query priorities board.

QHelp previews:

./swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp:35:6: element "li" not allowed here; expected the element end-tag, text or element "a", "b", "blockquote", "code", "em", "i", "img", "ol", "p", "pre", "sample", "strong", "sub", "sup", "table", "tt", "ul" or "warning"
./swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp:36:6: element "li" not allowed here; expected the element end-tag, text or element "a", "b", "blockquote", "code", "em", "i", "img", "ol", "p", "pre", "sample", "strong", "sub", "sup", "table", "tt", "ul" or "warning"
A fatal error occurred: 1 qhelp files could not be processed.

QHelp previews:

let unsafeQuery = "SELECT * FROM users WHERE username='\(userControlledString)'" // BAD

try db.execute(unsafeQuery)

let safeQuery = "SELECT * FROM users WHERE username=?"

let stmt = try db.prepare(safeQuery, userControlledString) // GOOD
try stmt2.run()

I've removed draft status from this PR, it's ready to review.

I'd like to acknowledge a few issues though. IMO none of these prevent us from merging what we have:

• we're getting no results on the C API test due to an issue with taint flow, possibly itself caused by an extractor issue. I'm discussing this with other members of the team and I'm not sure if the fix will be something simple I can do here, or something that will need to be done as follow-up.
  • this has been fixed, though there is still an issue with the UTF-16 results (probably a missing taint flow step).
    • issue for this: github/codeql-c-team#1269
• there are no sanitizers for remote data in numerical form yet (considered to be safe). This is because in my test case taint doesn't flow into remoteNumber anyway, so there's no way to test such a sanitizer (and no strict need for it yet).
  • included in issue: github/codeql-c-team#1270
• we may also want sanitizers along the lines of Ruby's StringConstCompareBarrier and StringConstArrayInclusionCallBarrier. I might write a follow-up issue for this but I'm inclined not to worry too much until we see patterns like those in real Swift code (they are talked about in https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).
  • included in issue: github/codeql-c-team#1270

I've just merged main into this PR - with the extractor fix #10854 that gives us the C API results for this query. We still don't get results through the UTF-16 interface, but that's much less concerning than missing all C API results.

I'd be happy to see this reviewed and merged, and deal with the remaining known issues as follow-up.

Does this still need a doc review?

Oh, good point!

Thanks for the review @subatoi . I believe I've addressed all your points, but please don't hesitate to say if you think it needs more work.

Thanks - those suggestions definitely help make things read a bit more easily. Please approve the PR if you're happy with the docs now (the code has already been reviewed and approved).

Yep, whenever a change is pushed all reviews of the existing code are dismissed automatically. It makes sense but it can be a bit much sometimes (especially when the change is just accepting a suggestion from the approver!)

Thanks again for the review, suggestions and approval. On to the next query!