Swift: Promote the command injection query out of experimental

[geoffw0]

Promote swift/command-line-injection out from experimental. The query was added in #13726 and has evolved a bit while in experimental (in particular #13906, #14357 and #14661 - the latter is yet to be merged but should not conflict with this PR).

@maikypedia FYI

TODO:

• DCA run
• docs review
• team review

[github-actions]

QHelp previews:

swift/ql/src/queries/Security/CWE-078/CommandInjection.qhelp

System command built from user-controlled sources

Constructing a system command with unsanitized user input is dangerous, since a malicious user may be able to craft input that executes arbitrary code.

Recommendation

If possible, use hard-coded string literals to specify the command to run. Instead of interpreting user input directly as command names, examine the input and then choose among hard-coded string literals.

If this is not possible, then add sanitization code to verify that the user input is safe before using it.

Example

The following example executes code from user input without sanitizing it first:

var task = Process()
task.launchPath = "/bin/bash"
task.arguments = ["-c", userControlledString] // BAD

task.launch()

If user input is used to construct a command it should be checked first. This ensures that the user cannot insert characters that have special meanings:

func validateCommand(_ command: String) -> String? {
    let allowedCommands = ["ls -l", "pwd", "echo"]
    if allowedCommands.contains(command) {
        return command
    }
    return nil
}

if let validatedString = validateCommand(userControlledString) {
    var task = Process()
    task.launchPath = "/bin/bash"
    task.arguments = ["-c", validatedString] // GOOD

    task.launch()
}

References

• OWASP: Command Injection.
• Common Weakness Enumeration: CWE-78.
• Common Weakness Enumeration: CWE-88.

[geoffw0]

DCA looks good to me.

[MathiasVP]

One comment, but otherwise this LGTM

[subatoi]

👍 from Docs

[MathiasVP]

LGTM!