Swift: Update some sinks to CSV format.

2026-04-24 00:05:14 +02:00 · 2023-04-11 11:51:31 +01:00
parent 256c3f66ca
commit 03a4084c11
2 changed files with 22 additions and 43 deletions
--- a/swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll
@@ -49,33 +49,16 @@ private class CryptoSwiftEcb extends EcbEncryptionSource {
  }
 }

-/**
- * A block mode being used to form a CryptoSwift `AES` cipher.
- */
-private class AES extends EcbEncryptionSink {
-  AES() {
-    // `blockMode` arg in `AES.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
-      call.getArgument(1).getExpr() = this.asExpr()
-    )
-  }
-}
-
-/**
- * A block mode being used to form a CryptoSwift `Blowfish` cipher.
- */
-private class Blowfish extends EcbEncryptionSink {
-  Blowfish() {
-    // `blockMode` arg in `Blowfish.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
-      call.getArgument(1).getExpr() = this.asExpr()
-    )
+private class EcbEncryptionSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CryptoSwift `AES.init` block mode
+        ";AES;true;init(key:blockMode:);;;Argument[1];encryption-block-mode",
+        ";AES;true;init(key:blockMode:padding:);;;Argument[1];encryption-block-mode",
+        // CryptoSwift `Blowfish.init` block mode
+        ";Blowfish;true;init(key:blockMode:padding:);;;Argument[1];encryption-block-mode",
+      ]
  }
 }

--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -35,23 +35,19 @@ class WeakSensitiveDataHashingAdditionalTaintStep extends Unit {
  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
 }

-/**
- * A sink for the CryptoSwift library.
- */
-private class CryptoSwiftWeakHashingSink extends WeakSensitiveDataHashingSink {
-  string algorithm;
-
-  CryptoSwiftWeakHashingSink() {
-    exists(ApplyExpr call, FuncDecl func |
-      call.getAnArgument().getExpr() = this.asExpr() and
-      call.getStaticTarget() = func and
-      func.getName().matches(["hash(%", "update(%"]) and
-      algorithm = func.getEnclosingDecl().(ClassOrStructDecl).getName() and
-      algorithm = ["MD5", "SHA1"]
-    )
+private class WeakHashingSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CryptoKit
+        ";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
+      ]
  }
-
-  override string getAlgorithm() { result = algorithm }
 }

 /**