Swift: Use SensitiveDataHeuristics.qll in regexpProbablySafe.

This commit is contained in:
Geoffrey White
2023-05-11 16:50:58 +01:00
parent cc72bfbbbb
commit 35e2e5d785
5 changed files with 19 additions and 15 deletions


@@ -5,6 +5,7 @@
*/
import swift
import internal.SensitiveDataHeuristics
private newtype TSensitiveDataType =
TCredential() or
@@ -69,7 +70,7 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
* contain hashed or encrypted data, or are only a reference to data that is
* actually stored elsewhere.
*/
private string regexpProbablySafe() { result = ".*(hash|crypt|file|path|url|invalid).*" }
private string regexpProbablySafe() { result = HeuristicNames::notSensitiveRegexp() }
/**
* A `VarDecl` that might be used to contain sensitive data.
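Review bot: The doc comment above the new `regexpProbablySafe()` body still describes the old hard-coded list (hashed or encrypted data, or a reference such as a file, path or URL), but the body now delegates to `HeuristicNames::notSensitiveRegexp()`, whose pattern is not visible here and, judging by the expectation changes below, has different coverage. In the CoreData results `password_file` is now reported, while the `call to getPassword()` and `doSomething(password:)` results appear to drop out, and the new one-line `.failed` file records `Missing result:hasCleartextLogging=152`; that looks like a detection regression the commit accepts rather than addresses. If the shared pattern rejects labels containing non-identifier characters such as parentheses, the label handed to it may be what needs adjusting rather than the regexp itself — worth confirming before merging. I would reword the comment to `Gets the shared "probably not sensitive" regexp from SensitiveDataHeuristics.qll (see that file for the exact pattern); names matching it are not treated as sensitive.` so the documented exclusion list cannot drift from the shared definition again.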


@@ -110,11 +110,14 @@ edges
| testCoreData.swift:18:19:18:26 | value | testCoreData.swift:19:12:19:12 | value |
| testCoreData.swift:31:3:31:3 | newValue | testCoreData.swift:32:13:32:13 | newValue |
| testCoreData.swift:61:25:61:25 | password | testCoreData.swift:18:19:18:26 | value |
| testCoreData.swift:62:25:62:25 | password_file | testCoreData.swift:18:19:18:26 | value |
| testCoreData.swift:64:2:64:2 | [post] obj [myValue] | testCoreData.swift:64:2:64:2 | [post] obj |
| testCoreData.swift:64:16:64:16 | password | testCoreData.swift:31:3:31:3 | newValue |
| testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj [myValue] |
| testCoreData.swift:65:2:65:2 | [post] obj [myValue] | testCoreData.swift:65:2:65:2 | [post] obj |
| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:31:3:31:3 | newValue |
| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj [myValue] |
| testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x |
| testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y |
| testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x |
| testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y |
| testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z |
@@ -311,14 +314,17 @@ nodes
| testCoreData.swift:48:15:48:15 | password | semmle.label | password |
| testCoreData.swift:51:24:51:24 | password | semmle.label | password |
| testCoreData.swift:58:15:58:15 | password | semmle.label | password |
| testCoreData.swift:59:15:59:15 | password_file | semmle.label | password_file |
| testCoreData.swift:61:25:61:25 | password | semmle.label | password |
| testCoreData.swift:62:25:62:25 | password_file | semmle.label | password_file |
| testCoreData.swift:64:2:64:2 | [post] obj | semmle.label | [post] obj |
| testCoreData.swift:64:2:64:2 | [post] obj [myValue] | semmle.label | [post] obj [myValue] |
| testCoreData.swift:64:16:64:16 | password | semmle.label | password |
| testCoreData.swift:65:2:65:2 | [post] obj | semmle.label | [post] obj |
| testCoreData.swift:65:2:65:2 | [post] obj [myValue] | semmle.label | [post] obj [myValue] |
| testCoreData.swift:65:16:65:16 | password_file | semmle.label | password_file |
| testCoreData.swift:77:24:77:24 | x | semmle.label | x |
| testCoreData.swift:78:15:78:15 | x | semmle.label | x |
| testCoreData.swift:80:10:80:22 | call to getPassword() | semmle.label | call to getPassword() |
| testCoreData.swift:81:15:81:15 | y | semmle.label | y |
| testCoreData.swift:85:15:85:17 | .password | semmle.label | .password |
| testCoreData.swift:91:10:91:10 | passwd | semmle.label | passwd |
| testCoreData.swift:92:10:92:10 | passwd | semmle.label | passwd |
@@ -492,13 +498,16 @@ subpaths
| testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo |
| testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo |
| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password |
| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:62:25:62:25 | password_file | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:62:25:62:25 | password_file | password_file |
| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password |
| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:65:16:65:16 | password_file | password_file |
| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password |
| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password |
| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password |
| testCoreData.swift:59:15:59:15 | password_file | testCoreData.swift:59:15:59:15 | password_file | testCoreData.swift:59:15:59:15 | password_file | This operation stores 'password_file' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:59:15:59:15 | password_file | password_file |
| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password |
| testCoreData.swift:65:2:65:2 | obj | testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:65:16:65:16 | password_file | password_file |
| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x |
| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() |
| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password |
| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd |
| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd |


@@ -51,11 +51,12 @@
| testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
| testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
| testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
| testCoreData.swift:59:15:59:15 | password_file | label:password_file, type:credential |
| testCoreData.swift:61:25:61:25 | password | label:password, type:credential |
| testCoreData.swift:62:25:62:25 | password_file | label:password_file, type:credential |
| testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
| testCoreData.swift:77:2:77:25 | call to doSomething(password:) | label:doSomething(password:), type:credential |
| testCoreData.swift:65:16:65:16 | password_file | label:password_file, type:credential |
| testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
| testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword(), type:credential |
| testCoreData.swift:85:15:85:17 | .password | label:password, type:credential |
| testCoreData.swift:91:10:91:10 | passwd | label:passwd, type:credential |
| testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |


@@ -0,0 +1 @@
| cleartextLoggingTest.swift:153:11:154:1 | // $ hasCleartextLogging=152\n | Missing result:hasCleartextLogging=152 |


@@ -1,11 +1,9 @@
edges
| testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x |
| testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y |
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x |
| testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y |
| testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z |
| testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x |
| testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y |
| testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x |
| testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y |
| testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z |
@@ -13,8 +11,6 @@ nodes
| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | semmle.label | password |
| testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | semmle.label | x |
| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | semmle.label | x |
| testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | semmle.label | call to getPassword() |
| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | semmle.label | y |
| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | semmle.label | .password |
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | semmle.label | passwd |
| testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | semmle.label | passwd |
@@ -25,8 +21,6 @@ nodes
| testUserDefaults.swift:28:15:28:15 | password | semmle.label | password |
| testUserDefaults.swift:41:24:41:24 | x | semmle.label | x |
| testUserDefaults.swift:42:28:42:28 | x | semmle.label | x |
| testUserDefaults.swift:44:10:44:22 | call to getPassword() | semmle.label | call to getPassword() |
| testUserDefaults.swift:45:28:45:28 | y | semmle.label | y |
| testUserDefaults.swift:49:28:49:30 | .password | semmle.label | .password |
| testUserDefaults.swift:55:10:55:10 | passwd | semmle.label | passwd |
| testUserDefaults.swift:56:10:56:10 | passwd | semmle.label | passwd |
@@ -38,14 +32,12 @@ subpaths
#select
| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password |
| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x |
| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() |
| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password |
| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd |
| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd |
| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd |
| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password |
| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x |
| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() |
| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:49:28:49:30 | .password | .password |
| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:55:10:55:10 | passwd | passwd |
| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd |