Swift: Create examples for the .qhelp in Swift, and test them.
@@ -1,3 +1,8 @@
|
||||
using var sha512 = System.Security.Cryptography.SHA512.Create();
|
||||
let passwordData = Data(passwordString.utf8)
|
||||
let passwordHash = Crypto.SHA512.hash(data: passwordData)
|
||||
|
||||
var data = sha512.ComputeHash(Encoding.UTF8.GetBytes(content)); // BAD
|
||||
// ...
|
||||
|
||||
if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash {
|
||||
// ...
|
||||
}
|
||||
|
||||
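Review bot: The new Swift bad example no longer marks which lines are the problem, whereas the C# line it replaces ended in `// BAD`. Both `Crypto.SHA512.hash(data:)` calls would benefit from a trailing comment such as `// BAD: SHA-512 is a fast hash, not a computationally expensive password hash`, in line with the wording used in the test copy of this example. The password bytes are also hashed with no salt visible in the snippet, which is worth stating in the same comment if the accompanying .qhelp text does not already cover it.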
@@ -1,51 +1,11 @@
|
||||
using System.Security.Cryptography;
|
||||
using Konscious.Security.Cryptography; // use NuGet package Konscious.Security.Cryptography.Argon2
|
||||
import Argon2Swift
|
||||
|
||||
// See https://github.com/kmaragon/Konscious.Security.Cryptography#konscioussecuritycryptographyargon2
|
||||
let salt = Salt.newSalt()
|
||||
let result = try! Argon2Swift.hashPasswordString(password: passwordString, salt: salt)
|
||||
let passwordHash = result.encodedString()
|
||||
|
||||
public class Argon2Hasher
|
||||
{
|
||||
public byte[] ComputeHash(byte[] password, byte[] salt)
|
||||
{
|
||||
// choose Argon2i, Argon2id or Argon2d as appropriate
|
||||
using var argon2 = new Argon2id(password);
|
||||
argon2.Salt = salt;
|
||||
// ...
|
||||
|
||||
// read the Argon2 documentation to understand these parameters, and reference:
|
||||
// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
|
||||
argon2.DegreeOfParallelism = 4; // number of threads you can spawn on your system - the higher, the better
|
||||
argon2.Iterations = 5; // set as high as your system can manage, within time constraints
|
||||
argon2.MemorySize = 1024 * 2048; // 2GB RAM, for example - set this as high as you can, within memory limits on your system
|
||||
|
||||
return argon2.GetBytes(32);
|
||||
}
|
||||
|
||||
// use a fixed-time comparison to avoid timing attacks
|
||||
public bool Equals(byte[] hash1, byte[] hash2) => CryptographicOperations.FixedTimeEquals(hash1, hash2);
|
||||
|
||||
// generate a salt securely with a cryptographic random number generator
|
||||
public static byte[] GenerateSalt()
|
||||
{
|
||||
var buffer = new byte[32];
|
||||
using var rng = new RNGCryptoServiceProvider();
|
||||
rng.GetBytes(buffer);
|
||||
return buffer;
|
||||
}
|
||||
}
|
||||
|
||||
var argon2 = new Argon2Hasher();
|
||||
|
||||
// Create the hash
|
||||
var bytes = Encoding.UTF8.GetBytes("this is a password"); // it should not be hardcoded in reality, but this is just a demo
|
||||
var salt = Argon2Hasher.GenerateSalt(); // salt is kept with hash; it is not secret, just unique per hash
|
||||
var hash = argon2.ComputeHash(bytes, salt);
|
||||
|
||||
// Check the hash - this will trivially always pass, but in reality you would have to retrieve the hash for the comparison
|
||||
if(argon2id.Equals(argon2.ComputeHash(bytes, salt), hash))
|
||||
{
|
||||
Console.WriteLine("PASS");
|
||||
}
|
||||
else
|
||||
{
|
||||
Console.WriteLine("FAIL");
|
||||
if try! Argon2Swift.verifyHashString(password: passwordString, hash: passwordHash) {
|
||||
// ...
|
||||
}
|
||||
|
||||
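Review bot: Both Argon2 calls in the good example use `try!`, so any error thrown while hashing or verifying (presumably including a malformed stored hash, since `verifyHashString` is declared `throws`) terminates the process instead of failing the login. Readers copy .qhelp examples verbatim, so the verification line is safer as `if (try? Argon2Swift.verifyHashString(password: passwordString, hash: passwordHash)) == true {`, with the `hashPasswordString` call wrapped in `do`/`catch` so that a failure is reported rather than crashing. The same `try!` pattern is repeated in `testGoodExample` in the new test file further down this commit.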
@@ -1,20 +1,26 @@
|
||||
edges
|
||||
| testCryptoKit.swift:193:38:193:38 | passwordString | testCryptoKit.swift:193:38:193:53 | .utf8 |
|
||||
| testCryptoKit.swift:193:38:193:53 | .utf8 | testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) |
|
||||
nodes
|
||||
| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:69:37:69:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:75:37:75:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:81:37:81:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:108:23:108:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:117:23:117:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:126:23:126:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:135:32:135:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:144:32:144:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:153:32:153:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:162:32:162:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:171:32:171:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:65:47:65:47 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:71:44:71:44 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:77:37:77:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:83:37:83:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:89:37:89:37 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:98:23:98:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:107:23:107:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:116:23:116:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:125:23:125:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:134:23:134:23 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:143:32:143:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:152:32:152:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:161:32:161:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:170:32:170:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:179:32:179:32 | passwd | semmle.label | passwd |
|
||||
| testCryptoKit.swift:189:49:189:49 | passwordData | semmle.label | passwordData |
|
||||
| testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
|
||||
| testCryptoKit.swift:193:38:193:38 | passwordString | semmle.label | passwordString |
|
||||
| testCryptoKit.swift:193:38:193:53 | .utf8 | semmle.label | .utf8 |
|
||||
| testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
|
||||
| testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
|
||||
| testCryptoSwift.swift:160:47:160:47 | passwdArray | semmle.label | passwdArray |
|
||||
@@ -41,21 +47,23 @@ nodes
|
||||
| testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd |
|
||||
subpaths
|
||||
#select
|
||||
| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:69:37:69:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:75:37:75:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:81:37:81:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:108:23:108:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:117:23:117:23 | passwd | testCryptoKit.swift:117:23:117:23 | passwd | testCryptoKit.swift:117:23:117:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:117:23:117:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:126:23:126:23 | passwd | testCryptoKit.swift:126:23:126:23 | passwd | testCryptoKit.swift:126:23:126:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:126:23:126:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:135:32:135:32 | passwd | testCryptoKit.swift:135:32:135:32 | passwd | testCryptoKit.swift:135:32:135:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:135:32:135:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:144:32:144:32 | passwd | testCryptoKit.swift:144:32:144:32 | passwd | testCryptoKit.swift:144:32:144:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:144:32:144:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:153:32:153:32 | passwd | testCryptoKit.swift:153:32:153:32 | passwd | testCryptoKit.swift:153:32:153:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:153:32:153:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:162:32:162:32 | passwd | testCryptoKit.swift:162:32:162:32 | passwd | testCryptoKit.swift:162:32:162:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:162:32:162:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:171:32:171:32 | passwd | testCryptoKit.swift:171:32:171:32 | passwd | testCryptoKit.swift:171:32:171:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:171:32:171:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:65:47:65:47 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:71:44:71:44 | passwd | testCryptoKit.swift:71:44:71:44 | passwd | testCryptoKit.swift:71:44:71:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:71:44:71:44 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:77:37:77:37 | passwd | testCryptoKit.swift:77:37:77:37 | passwd | testCryptoKit.swift:77:37:77:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:77:37:77:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:83:37:83:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:89:37:89:37 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:98:23:98:23 | passwd | testCryptoKit.swift:98:23:98:23 | passwd | testCryptoKit.swift:98:23:98:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:98:23:98:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:107:23:107:23 | passwd | testCryptoKit.swift:107:23:107:23 | passwd | testCryptoKit.swift:107:23:107:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:107:23:107:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:116:23:116:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:125:23:125:23 | passwd | testCryptoKit.swift:125:23:125:23 | passwd | testCryptoKit.swift:125:23:125:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:125:23:125:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:134:23:134:23 | passwd | testCryptoKit.swift:134:23:134:23 | passwd | testCryptoKit.swift:134:23:134:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:134:23:134:23 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:143:32:143:32 | passwd | testCryptoKit.swift:143:32:143:32 | passwd | testCryptoKit.swift:143:32:143:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:143:32:143:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:152:32:152:32 | passwd | testCryptoKit.swift:152:32:152:32 | passwd | testCryptoKit.swift:152:32:152:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:152:32:152:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:161:32:161:32 | passwd | testCryptoKit.swift:161:32:161:32 | passwd | testCryptoKit.swift:161:32:161:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:161:32:161:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:170:32:170:32 | passwd | testCryptoKit.swift:170:32:170:32 | passwd | testCryptoKit.swift:170:32:170:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:170:32:170:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:179:32:179:32 | passwd | testCryptoKit.swift:179:32:179:32 | passwd | testCryptoKit.swift:179:32:179:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:179:32:179:32 | passwd | password (passwd) |
|
||||
| testCryptoKit.swift:189:49:189:49 | passwordData | testCryptoKit.swift:189:49:189:49 | passwordData | testCryptoKit.swift:189:49:189:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:189:49:189:49 | passwordData | password (passwordData) |
|
||||
| testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | testCryptoKit.swift:193:38:193:38 | passwordString | testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:193:38:193:38 | passwordString | password (passwordString) |
|
||||
| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
|
||||
| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
|
||||
| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) |
|
||||
|
||||
@@ -1,23 +1,23 @@
|
||||
edges
|
||||
nodes
|
||||
| testCryptoKit.swift:57:43:57:43 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:59:43:59:43 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:64:44:64:44 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:66:44:66:44 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:91:23:91:23 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:93:23:93:23 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:100:23:100:23 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:102:23:102:23 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:136:32:136:32 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:138:32:138:32 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:139:32:139:32 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:145:32:145:32 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:147:32:147:32 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:148:32:148:32 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:66:43:66:43 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:68:43:68:43 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:69:43:69:43 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:72:44:72:44 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:74:44:74:44 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:75:44:75:44 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:99:23:99:23 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:101:23:101:23 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:102:23:102:23 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:108:23:108:23 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:110:23:110:23 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:111:23:111:23 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:144:32:144:32 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:146:32:146:32 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:147:32:147:32 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoKit.swift:153:32:153:32 | cert | semmle.label | cert |
|
||||
| testCryptoKit.swift:155:32:155:32 | account_no | semmle.label | account_no |
|
||||
| testCryptoKit.swift:156:32:156:32 | credit_card_no | semmle.label | credit_card_no |
|
||||
| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | semmle.label | phoneNumberArray |
|
||||
| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | semmle.label | phoneNumberArray |
|
||||
| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | semmle.label | phoneNumberArray |
|
||||
@@ -30,24 +30,24 @@ nodes
|
||||
| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | semmle.label | creditCardNumber |
|
||||
subpaths
|
||||
#select
|
||||
| testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:57:43:57:43 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:59:43:59:43 | account_no | testCryptoKit.swift:59:43:59:43 | account_no | testCryptoKit.swift:59:43:59:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:59:43:59:43 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:64:44:64:44 | cert | testCryptoKit.swift:64:44:64:44 | cert | testCryptoKit.swift:64:44:64:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:64:44:64:44 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:66:44:66:44 | account_no | testCryptoKit.swift:66:44:66:44 | account_no | testCryptoKit.swift:66:44:66:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:66:44:66:44 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:91:23:91:23 | cert | testCryptoKit.swift:91:23:91:23 | cert | testCryptoKit.swift:91:23:91:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:23:91:23 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:93:23:93:23 | account_no | testCryptoKit.swift:93:23:93:23 | account_no | testCryptoKit.swift:93:23:93:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:23:93:23 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:100:23:100:23 | cert | testCryptoKit.swift:100:23:100:23 | cert | testCryptoKit.swift:100:23:100:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:100:23:100:23 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:102:23:102:23 | account_no | testCryptoKit.swift:102:23:102:23 | account_no | testCryptoKit.swift:102:23:102:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:23:102:23 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:136:32:136:32 | cert | testCryptoKit.swift:136:32:136:32 | cert | testCryptoKit.swift:136:32:136:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:138:32:138:32 | account_no | testCryptoKit.swift:138:32:138:32 | account_no | testCryptoKit.swift:138:32:138:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:138:32:138:32 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:139:32:139:32 | credit_card_no | testCryptoKit.swift:139:32:139:32 | credit_card_no | testCryptoKit.swift:139:32:139:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:139:32:139:32 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:145:32:145:32 | cert | testCryptoKit.swift:145:32:145:32 | cert | testCryptoKit.swift:145:32:145:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:147:32:147:32 | account_no | testCryptoKit.swift:147:32:147:32 | account_no | testCryptoKit.swift:147:32:147:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:147:32:147:32 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:148:32:148:32 | credit_card_no | testCryptoKit.swift:148:32:148:32 | credit_card_no | testCryptoKit.swift:148:32:148:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:148:32:148:32 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:66:43:66:43 | cert | testCryptoKit.swift:66:43:66:43 | cert | testCryptoKit.swift:66:43:66:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:66:43:66:43 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:68:43:68:43 | account_no | testCryptoKit.swift:68:43:68:43 | account_no | testCryptoKit.swift:68:43:68:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:68:43:68:43 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:69:43:69:43 | credit_card_no | testCryptoKit.swift:69:43:69:43 | credit_card_no | testCryptoKit.swift:69:43:69:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:69:43:69:43 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:72:44:72:44 | cert | testCryptoKit.swift:72:44:72:44 | cert | testCryptoKit.swift:72:44:72:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:72:44:72:44 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:74:44:74:44 | account_no | testCryptoKit.swift:74:44:74:44 | account_no | testCryptoKit.swift:74:44:74:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:74:44:74:44 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:75:44:75:44 | credit_card_no | testCryptoKit.swift:75:44:75:44 | credit_card_no | testCryptoKit.swift:75:44:75:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:75:44:75:44 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:99:23:99:23 | cert | testCryptoKit.swift:99:23:99:23 | cert | testCryptoKit.swift:99:23:99:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:99:23:99:23 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:101:23:101:23 | account_no | testCryptoKit.swift:101:23:101:23 | account_no | testCryptoKit.swift:101:23:101:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:101:23:101:23 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:102:23:102:23 | credit_card_no | testCryptoKit.swift:102:23:102:23 | credit_card_no | testCryptoKit.swift:102:23:102:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:102:23:102:23 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:108:23:108:23 | cert | testCryptoKit.swift:108:23:108:23 | cert | testCryptoKit.swift:108:23:108:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:108:23:108:23 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:110:23:110:23 | account_no | testCryptoKit.swift:110:23:110:23 | account_no | testCryptoKit.swift:110:23:110:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:110:23:110:23 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:111:23:111:23 | credit_card_no | testCryptoKit.swift:111:23:111:23 | credit_card_no | testCryptoKit.swift:111:23:111:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:111:23:111:23 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:144:32:144:32 | cert | testCryptoKit.swift:144:32:144:32 | cert | testCryptoKit.swift:144:32:144:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:144:32:144:32 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:146:32:146:32 | account_no | testCryptoKit.swift:146:32:146:32 | account_no | testCryptoKit.swift:146:32:146:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:146:32:146:32 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:147:32:147:32 | credit_card_no | testCryptoKit.swift:147:32:147:32 | credit_card_no | testCryptoKit.swift:147:32:147:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:147:32:147:32 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoKit.swift:153:32:153:32 | cert | testCryptoKit.swift:153:32:153:32 | cert | testCryptoKit.swift:153:32:153:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:153:32:153:32 | cert | sensitive data (credential cert) |
|
||||
| testCryptoKit.swift:155:32:155:32 | account_no | testCryptoKit.swift:155:32:155:32 | account_no | testCryptoKit.swift:155:32:155:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:155:32:155:32 | account_no | sensitive data (private information account_no) |
|
||||
| testCryptoKit.swift:156:32:156:32 | credit_card_no | testCryptoKit.swift:156:32:156:32 | credit_card_no | testCryptoKit.swift:156:32:156:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:156:32:156:32 | credit_card_no | sensitive data (private information credit_card_no) |
|
||||
| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
|
||||
| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
|
||||
| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
|
||||
// --- stubs ---
|
||||
|
||||
class Data
|
||||
{
|
||||
init<S>(_ elements: S) {}
|
||||
}
|
||||
|
||||
class Salt {
|
||||
init(bytes: Data) { }
|
||||
|
||||
static func newSalt(length: Int = 16) -> Salt {
|
||||
return Salt(bytes: Data(0))
|
||||
}
|
||||
}
|
||||
|
||||
class Argon2SwiftResult {
|
||||
init(hashBytes: [Int8], encodedBytes: [Int8]) { }
|
||||
|
||||
func encodedString() -> String {
|
||||
return ""
|
||||
}
|
||||
}
|
||||
|
||||
class Argon2Swift {
|
||||
// slightly simplified (type and version changed to Int)
|
||||
static func hashPasswordString(password: String, salt: Salt, iterations: Int = 32, memory: Int = 256, parallelism: Int = 2, length: Int = 32, type: Int = 1, version: Int = 13) throws -> Argon2SwiftResult {
|
||||
return Argon2SwiftResult(hashBytes: [], encodedBytes: [])
|
||||
}
|
||||
|
||||
static func verifyHashString(password: String, hash: String, type: Int = 1) throws -> Bool {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// --- tests ---
|
||||
|
||||
func testGoodExample(passwordString: String) {
|
||||
// this is the "good" example from the .qhelp
|
||||
let salt = Salt.newSalt()
|
||||
let result = try! Argon2Swift.hashPasswordString(password: passwordString, salt: salt) // GOOD (suitable password hash)
|
||||
let passwordHash = result.encodedString()
|
||||
|
||||
// ...
|
||||
|
||||
if try! Argon2Swift.verifyHashString(password: passwordString, hash: passwordHash) {
|
||||
// ...
|
||||
}
|
||||
}
|
||||
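Review bot: The `hashPasswordString` call in `testGoodExample` is labelled GOOD while relying entirely on the library defaults, which the stub records as `iterations: Int = 32, memory: Int = 256, parallelism: Int = 2`. The page does not show the unit of `memory`; if it is KiB as in the reference Argon2 API, 256 is well below the memory cost recommended in the OWASP Password Storage Cheat Sheet that the removed C# example linked to. Consider extending the comment on that call to `// GOOD (suitable password hash); choose iterations/memory/parallelism per OWASP Password Storage guidance`, and restoring the same pointer in the .qhelp good example so readers do not treat the defaults as a recommendation.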
@@ -1,5 +1,12 @@
|
||||
//codeql-extractor-options: -module-name Crypto
|
||||
|
||||
// --- stubs ---
|
||||
|
||||
class Data
|
||||
{
|
||||
init<S>(_ elements: S) {}
|
||||
}
|
||||
|
||||
struct SHA256 {
|
||||
static func hash<D>(data: D) -> [UInt8] {
|
||||
return []
|
||||
@@ -52,6 +59,8 @@ enum Insecure {
|
||||
}
|
||||
}
|
||||
|
||||
// --- tests ---
|
||||
|
||||
func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
|
||||
var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD
|
||||
hash = Crypto.Insecure.MD5.hash(data: cert) // BAD
|
||||
@@ -59,7 +68,6 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
|
||||
hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD
|
||||
hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD
|
||||
|
||||
|
||||
hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD
|
||||
hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD
|
||||
hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd) // GOOD (not sensitive)
|
||||
@@ -174,3 +182,15 @@ func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
|
||||
hash.update(bufferPointer: account_no) // GOOD
|
||||
hash.update(bufferPointer: credit_card_no) // GOOD
|
||||
}
|
||||
|
||||
func tesBadExample(passwordString: String) {
|
||||
// this is the "bad" example from the .qhelp
|
||||
let passwordData = Data(passwordString.utf8)
|
||||
let passwordHash = Crypto.SHA512.hash(data: passwordData) // BAD, not a computationally expensive hash
|
||||
|
||||
// ...
|
||||
|
||||
if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // BAD, not a computationally expensive hash
|
||||
// ...
|
||||
}
|
||||
}
|
||||
|
||||
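Review bot: The new function is named `tesBadExample`, which looks like a typo for `testBadExample` given its sibling `testGoodExample` and the other `test…` functions in this file. Renaming it to `func testBadExample(passwordString: String) {` keeps the test names consistent and searchable. The expected-output rows shown in this commit refer to line and column positions rather than the function name, so the rename should not require regenerating them.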