Swift: Extend cleartext logging tests (stubs).

2026-04-30 11:15:13 +02:00 · 2023-11-17 17:56:02 +00:00
parent 8be6aeda3e
commit 2a69b03092
1 changed files with 103 additions and 49 deletions
--- a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
+++ b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -4,6 +4,7 @@ class NSObject { }

 func NSLog(_ format: String, _ args: CVarArg...) {}
 func NSLogv(_ format: String, _ args: CVaListPointer) {}
+
 func getVaList(_ args: [CVarArg]) -> CVaListPointer { return CVaListPointer(_fromUnsafeMutablePointer: UnsafeMutablePointer(bitPattern: 0)!) }

 struct OSLogType : RawRepresentable {
@@ -92,6 +93,21 @@ extension String : CVarArg {
  public var _cVarArgEncoding: [Int] { get { return [] } }
 }

+struct NSExceptionName {
+    init(_ rawValue: String) {}
+}
+
+class NSException : NSObject
+{
+    init(name aName: NSExceptionName, reason aReason: String?, userInfo aUserInfo: [AnyHashable : Any]? = nil) {}
+    class func raise(_ name: NSExceptionName, format: String, arguments argList: CVaListPointer) {}
+    func raise() {}
+}
+
+class NSString : NSObject {
+	convenience init(string aString: String) { self.init() }
+}
+
 // from ObjC API; slightly simplified.
 func os_log(_ message: StaticString,
    dso: UnsafeRawPointer? = nil,
@@ -99,27 +115,66 @@ func os_log(_ message: StaticString,
    type: OSLogType = .default,
    _ args: CVarArg...) { }

+// imported from C
+typealias FILE = Int32 // this is a simplification
+typealias wchar_t = Int32
+typealias locale_t = OpaquePointer
+func dprintf(_ fd: Int, _ format: UnsafePointer<Int8>, _ args: CVarArg...) -> Int32 { return 0 }
+func vprintf(_ format: UnsafePointer<CChar>, _ arg: CVaListPointer) -> Int32 { return 0 }
+func vfprintf(_ file: UnsafeMutablePointer<FILE>?, _ format: UnsafePointer<CChar>?, _ arg: CVaListPointer) -> Int32 { return 0 }
+func vasprintf_l(_ ret: UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>?, _ loc: locale_t?, _ format: UnsafePointer<CChar>?, _ ap: CVaListPointer) -> Int32 { return 0 }
+
+// custom
+func log(message: String) {}
+func logging(message: String) {}
+func logfile(file: Int, message: String) {}
+func logMessage(_ msg: NSString) {}
+func logInfo(_ infoMsg: String) {}
+func logError(errorMsg str: String) {}
+func harmless(_ str: String) {} // safe
+func logarithm(_ val: Float) {} // safe
+func doLogin(login: String) {} // safe
+
+// custom
+class LogFile {
+    func log(_ str: String) {}
+    func trace(_ message: String?) {}
+    func debug(_ message: String) {}
+    func info(_ info: NSString) {}
+    func notice(_ notice: String) {}
+    func warning(_ warningMessage: String) {}
+    func error(_ msg: String) {}
+    func critical(_ criticalMsg: String) {}
+    func fatal(_ str: String) {}
+}
+
+// custom
+class Logic {
+    func addInt(_ val: Int) {} // safe
+    func addString(_ str: String) {} // safe
+}
+
 // --- tests ---

 func test1(password: String, passwordHash : String, passphrase: String, pass_phrase: String) {
-    print(password) // $ hasCleartextLogging=105
-    print(password, separator: "") // $ $ hasCleartextLogging=106
-    print("", separator: password) // $ hasCleartextLogging=107
-    print(password, separator: "", terminator: "") // $ hasCleartextLogging=108
-    print("", separator: password, terminator: "") // $ hasCleartextLogging=109
-    print("", separator: "", terminator: password) // $ hasCleartextLogging=110
+    print(password) // $ hasCleartextLogging=160
+    print(password, separator: "") // $ $ hasCleartextLogging=161
+    print("", separator: password) // $ hasCleartextLogging=162
+    print(password, separator: "", terminator: "") // $ hasCleartextLogging=163
+    print("", separator: password, terminator: "") // $ hasCleartextLogging=164
+    print("", separator: "", terminator: password) // $ hasCleartextLogging=165
    print(passwordHash) // safe

-    debugPrint(password) // $ hasCleartextLogging=113
+    debugPrint(password) // $ hasCleartextLogging=168

-    dump(password) // $ hasCleartextLogging=115
+    dump(password) // $ hasCleartextLogging=170

-    NSLog(password) // $ hasCleartextLogging=117
-    NSLog("%@", password) // $ hasCleartextLogging=118
-    NSLog("%@ %@", "", password) // $ hasCleartextLogging=119
-    NSLog("\(password)") // $ hasCleartextLogging=120
-    NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=121
-    NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=122
+    NSLog(password) // $ hasCleartextLogging=172
+    NSLog("%@", password) // $ hasCleartextLogging=173
+    NSLog("%@ %@", "", password) // $ hasCleartextLogging=174
+    NSLog("\(password)") // $ hasCleartextLogging=175
+    NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=176
+    NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=177
    NSLog(passwordHash) // safe
    NSLogv("%@", getVaList([passwordHash])) // safe

@@ -129,39 +184,38 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
    log.log("\(password)") // safe
    log.log("\(password, privacy: .auto)") // safe
    log.log("\(password, privacy: .private)") // safe
-    log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=132
+    log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=187
    log.log("\(passwordHash, privacy: .public)") // safe
    log.log("\(password, privacy: .sensitive)") // safe
-    log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=135
-    log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=136
+    log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=190
+    log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=191
    log.log("\(bankAccount, privacy: .private)") // safe
-    log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=138
+    log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=193
    log.log("\(bankAccount, privacy: .sensitive)") // safe
-    log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=140
-    log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=141
+    log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=195
+    log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=196
    log.trace("\(passwordHash, privacy: .public)") // safe
-    log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=143
+    log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=198
    log.debug("\(passwordHash, privacy: .public)") // safe
-    log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=145
+    log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=200
    log.info("\(passwordHash, privacy: .public)") // safe
-    log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=147
+    log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=202
    log.notice("\(passwordHash, privacy: .public)") // safe
-    log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=149
+    log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=204
    log.warning("\(passwordHash, privacy: .public)") // safe
-    log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=151
+    log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=206
    log.error("\(passwordHash, privacy: .public)") // safe
-    log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=153
+    log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=208
    log.critical("\(passwordHash, privacy: .public)") // safe
-    log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=155
+    log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=210
    log.fault("\(passwordHash, privacy: .public)") // safe

-    NSLog(passphrase) // $ hasCleartextLogging=158
-    NSLog(pass_phrase) // $ hasCleartextLogging=159
+    NSLog(passphrase) // $ hasCleartextLogging=213
+    NSLog(pass_phrase) // $ hasCleartextLogging=214

    os_log("%@", log: .default, type: .default, "") // safe
-    os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=162
-    os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=163
-
+    os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=217
+    os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=218
 }

 class MyClass {
@@ -175,16 +229,16 @@ func doSomething(password: String) { }
 func test3(x: String) {
 	// alternative evidence of sensitivity...

-	NSLog(x) // $ MISSING: hasCleartextLogging=179
+	NSLog(x) // $ MISSING: hasCleartextLogging=233
 	doSomething(password: x);
-	NSLog(x) // $ hasCleartextLogging=179
+	NSLog(x) // $ hasCleartextLogging=233

 	let y = getPassword();
-	NSLog(y) // $ hasCleartextLogging=182
+	NSLog(y) // $ hasCleartextLogging=236

 	let z = MyClass()
 	NSLog(z.harmless) // safe
-	NSLog(z.password) // $ hasCleartextLogging=187
+	NSLog(z.password) // $ hasCleartextLogging=241
 }

 struct MyOuter {
@@ -199,7 +253,7 @@ struct MyOuter {
 func test3(mo : MyOuter) {
 	// struct members...

-	NSLog(mo.password.value) // $ hasCleartextLogging=202
+	NSLog(mo.password.value) // $ hasCleartextLogging=256
 	NSLog(mo.harmless.value) // safe
 }

@@ -223,39 +277,39 @@ func test4(harmless: String, password: String) {
 	print(myString1) // safe

 	print(password, to: &myString2)
-	print(myString2) // $ hasCleartextLogging=225
+	print(myString2) // $ hasCleartextLogging=279

 	print("log: " + password, to: &myString3)
-	print(myString3) // $ hasCleartextLogging=228
+	print(myString3) // $ hasCleartextLogging=282

 	debugPrint(harmless, to: &myString4)
 	debugPrint(myString4) // safe

 	debugPrint(password, to: &myString5)
-	debugPrint(myString5) // $ hasCleartextLogging=234
+	debugPrint(myString5) // $ hasCleartextLogging=288

 	dump(harmless, to: &myString6)
 	dump(myString6) // safe

 	dump(password, to: &myString7)
-	dump(myString7) // $ hasCleartextLogging=240
+	dump(myString7) // $ hasCleartextLogging=294

 	myString8.write(harmless)
 	print(myString8)

 	myString9.write(password)
-	print(myString9) // $ hasCleartextLogging=246
+	print(myString9) // $ hasCleartextLogging=300

 	myString10.write(harmless)
 	myString10.write(password)
 	myString10.write(harmless)
-	print(myString10) // $ hasCleartextLogging=250
+	print(myString10) // $ hasCleartextLogging=304

 	harmless.write(to: &myString11)
 	print(myString11)

 	password.write(to: &myString12)
-	print(myString12) // $ hasCleartextLogging=257
+	print(myString12) // $ hasCleartextLogging=311

 	print(password, to: &myString13) // $ safe - only printed to another string
 	debugPrint(password, to: &myString13) // $ safe - only printed to another string
@@ -270,14 +324,14 @@ func test5(password: String, caseNum: Int) {

 	switch caseNum {
 	case 0:
-		assert(false, password) // $ MISSING: hasCleartextLogging=273
+		assert(false, password) // $ MISSING: hasCleartextLogging=327
 	case 1:
-		assertionFailure(password) // $ MISSING: hasCleartextLogging=275
+		assertionFailure(password) // $ MISSING: hasCleartextLogging=329
 	case 2:
-		precondition(false, password) // $ MISSING: hasCleartextLogging=277
+		precondition(false, password) // $ MISSING: hasCleartextLogging=331
 	case 3:
-		preconditionFailure(password) // $ MISSING: hasCleartextLogging=279
+		preconditionFailure(password) // $ MISSING: hasCleartextLogging=333
 	default:
-		fatalError(password) // $ MISSING: hasCleartextLogging=281
+		fatalError(password) // $ MISSING: hasCleartextLogging=335
 	}
 }