hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Update InsecureTLSExtensions.ql sinks to not depend on AssignExpr.

Browse Source
This commit is contained in:
Geoffrey White
2023-04-11 11:51:56 +01:00
parent c1a95d57bb
commit 380bf21a38
4 changed files with 131 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll
View File

@@ -50,13 +50,15 @@ private class EnumInsecureTlsExtensionsSource extends InsecureTlsExtensionsSourc
*/
private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
NsUrlTlsExtensionsSink() {
exists(AssignExpr assign |
assign.getSource() = this.asExpr() and
assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
exists(MemberRefExpr e |
e.getBase().getType().getABaseType*().getUnderlyingType().getName() =
"URLSessionConfiguration" and
e.getMember().(ConcreteVarDecl).getName() =
[
"tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
"tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
]
] and
this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e.getBase()
)
}
}

11
swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
View File

@@ -22,6 +22,17 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(InsecureTlsExtensionsAdditionalTaintStep s).step(nodeFrom, nodeTo)
}
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
// flow out from fields of an `URLSessionConfiguration` at the sink,
// for example in `sessionConfig.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv10`.
isSink(node) and
exists(NominalTypeDecl d, Decl cx |
d.getType().getABaseType*().getUnderlyingType().getName() = "URLSessionConfiguration" and
cx.asNominalTypeDecl() = d and
c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
)
}
}
module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;

158
swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected
View File

@@ -1,97 +1,165 @@
edges
| InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | value |
| InsecureTLS.swift:20:7:20:7 | value : | file://:0:0:0:0 | value |
| InsecureTLS.swift:22:7:22:7 | value : | file://:0:0:0:0 | value |
| InsecureTLS.swift:23:7:23:7 | value : | file://:0:0:0:0 | value |
| InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | value : |
| InsecureTLS.swift:20:7:20:7 | value : | file://:0:0:0:0 | value : |
| InsecureTLS.swift:22:7:22:7 | value : | file://:0:0:0:0 | value : |
| InsecureTLS.swift:23:7:23:7 | value : | file://:0:0:0:0 | value : |
| InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:40:3:40:3 | [post] config |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:40:3:40:3 | [post] config |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:45:3:45:3 | [post] config |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:45:3:45:3 | [post] config |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] : | InsecureTLS.swift:57:3:57:3 | [post] config |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:20:7:20:7 | value : |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:57:3:57:3 | [post] config |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] : |
| InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] : | InsecureTLS.swift:64:3:64:3 | [post] config |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:22:7:22:7 | value : |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:64:3:64:3 | [post] config |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] : |
| InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] : | InsecureTLS.swift:76:3:76:3 | [post] config |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:23:7:23:7 | value : |
| InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:76:3:76:3 | [post] config |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] : |
| InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : |
| InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:111:3:111:3 | [post] config |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:121:55:121:66 | version : | InsecureTLS.swift:122:47:122:47 | version |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | InsecureTLS.swift:111:3:111:3 | [post] config |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:121:55:121:66 | version : | InsecureTLS.swift:122:47:122:47 | version : |
| InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:122:3:122:3 | [post] config |
| InsecureTLS.swift:122:47:122:47 | version : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:122:47:122:47 | version : | InsecureTLS.swift:122:3:122:3 | [post] config |
| InsecureTLS.swift:122:47:122:47 | version : | InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:127:25:127:48 | .TLSv11 : | InsecureTLS.swift:121:55:121:66 | version : |
| InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | file://:0:0:0:0 | self [TLSVersion] : |
| InsecureTLS.swift:158:7:158:7 | value : | file://:0:0:0:0 | value : |
| InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] : | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : |
| InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:158:7:158:7 | value : |
| InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] : |
| InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:165:3:165:3 | [post] config |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:165:47:165:51 | .TLSVersion : |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | InsecureTLS.swift:165:3:165:3 | [post] config |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : |
| InsecureTLS.swift:185:20:185:36 | withMinVersion : | InsecureTLS.swift:187:42:187:42 | withMinVersion |
| InsecureTLS.swift:193:51:193:74 | .TLSv10 : | InsecureTLS.swift:185:20:185:36 | withMinVersion : |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] : |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] : | file://:0:0:0:0 | [post] self |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] : | file://:0:0:0:0 | [post] self : |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] : | file://:0:0:0:0 | [post] self |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] : | file://:0:0:0:0 | [post] self : |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | file://:0:0:0:0 | [post] self |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | file://:0:0:0:0 | [post] self : |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] : | file://:0:0:0:0 | [post] self |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] : | file://:0:0:0:0 | [post] self : |
| file://:0:0:0:0 | self [TLSVersion] : | file://:0:0:0:0 | .TLSVersion : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [TLSVersion] : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] : |
nodes
| InsecureTLS.swift:19:7:19:7 | value : | semmle.label | value : |
| InsecureTLS.swift:20:7:20:7 | value : | semmle.label | value : |
| InsecureTLS.swift:22:7:22:7 | value : | semmle.label | value : |
| InsecureTLS.swift:23:7:23:7 | value : | semmle.label | value : |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 | semmle.label | .TLSv10 |
| InsecureTLS.swift:40:3:40:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | semmle.label | .TLSv10 : |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 | semmle.label | .TLSv11 |
| InsecureTLS.swift:45:3:45:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | semmle.label | .TLSv11 : |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 | semmle.label | .TLSv10 |
| InsecureTLS.swift:57:3:57:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMaximumSupportedProtocolVersion] : |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | semmle.label | .TLSv10 : |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
| InsecureTLS.swift:64:3:64:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] : | semmle.label | [post] config [tlsMinimumSupportedProtocol] : |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | semmle.label | .tlsProtocol10 : |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
| InsecureTLS.swift:76:3:76:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] : | semmle.label | [post] config [tlsMaximumSupportedProtocol] : |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | semmle.label | .tlsProtocol10 : |
| InsecureTLS.swift:102:10:102:33 | .TLSv10 : | semmle.label | .TLSv10 : |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | semmle.label | call to getBadTLSVersion() |
| InsecureTLS.swift:111:3:111:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | semmle.label | call to getBadTLSVersion() : |
| InsecureTLS.swift:121:55:121:66 | version : | semmle.label | version : |
| InsecureTLS.swift:122:47:122:47 | version | semmle.label | version |
| InsecureTLS.swift:122:3:122:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:122:47:122:47 | version : | semmle.label | version : |
| InsecureTLS.swift:127:25:127:48 | .TLSv11 : | semmle.label | .TLSv11 : |
| InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | semmle.label | self [TLSVersion] : |
| InsecureTLS.swift:158:7:158:7 | value : | semmle.label | value : |
| InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] : | semmle.label | [post] def [TLSVersion] : |
| InsecureTLS.swift:163:20:163:43 | .TLSv10 : | semmle.label | .TLSv10 : |
| InsecureTLS.swift:165:3:165:3 | [post] config | semmle.label | [post] config |
| InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | semmle.label | def [TLSVersion] : |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion | semmle.label | .TLSVersion |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | semmle.label | .TLSVersion : |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 | semmle.label | .TLSv10 |
| InsecureTLS.swift:181:3:181:9 | [post] getter for .config | semmle.label | [post] getter for .config |
| InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] getter for .config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | semmle.label | .TLSv10 : |
| InsecureTLS.swift:185:20:185:36 | withMinVersion : | semmle.label | withMinVersion : |
| InsecureTLS.swift:187:42:187:42 | withMinVersion | semmle.label | withMinVersion |
| InsecureTLS.swift:193:51:193:74 | .TLSv10 : | semmle.label | .TLSv10 : |
| file://:0:0:0:0 | .TLSVersion : | semmle.label | .TLSVersion : |
| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
| file://:0:0:0:0 | [post] self : | semmle.label | [post] self : |
| file://:0:0:0:0 | [post] self : | semmle.label | [post] self : |
| file://:0:0:0:0 | [post] self : | semmle.label | [post] self : |
| file://:0:0:0:0 | [post] self : | semmle.label | [post] self : |
| file://:0:0:0:0 | [post] self [TLSVersion] : | semmle.label | [post] self [TLSVersion] : |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] : | semmle.label | [post] self [tlsMaximumSupportedProtocolVersion] : |
| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] : | semmle.label | [post] self [tlsMaximumSupportedProtocol] : |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | semmle.label | [post] self [tlsMinimumSupportedProtocolVersion] : |
| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] : | semmle.label | [post] self [tlsMinimumSupportedProtocol] : |
| file://:0:0:0:0 | self [TLSVersion] : | semmle.label | self [TLSVersion] : |
| file://:0:0:0:0 | value | semmle.label | value |
| file://:0:0:0:0 | value | semmle.label | value |
| file://:0:0:0:0 | value | semmle.label | value |
| file://:0:0:0:0 | value | semmle.label | value |
| file://:0:0:0:0 | value : | semmle.label | value : |
| file://:0:0:0:0 | value : | semmle.label | value : |
| file://:0:0:0:0 | value : | semmle.label | value : |
| file://:0:0:0:0 | value : | semmle.label | value : |
| file://:0:0:0:0 | value : | semmle.label | value : |
subpaths
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:40:3:40:3 | [post] config |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:45:3:45:3 | [post] config |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:20:7:20:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:57:3:57:3 | [post] config |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:20:7:20:7 | value : | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] : | InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] : |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:22:7:22:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:64:3:64:3 | [post] config |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:22:7:22:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] : | InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] : |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:23:7:23:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:76:3:76:3 | [post] config |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:23:7:23:7 | value : | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] : | InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] : |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:111:3:111:3 | [post] config |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:122:47:122:47 | version : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:122:3:122:3 | [post] config |
| InsecureTLS.swift:122:47:122:47 | version : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:158:7:158:7 | value : | file://:0:0:0:0 | [post] self [TLSVersion] : | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] : |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | file://:0:0:0:0 | .TLSVersion : | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | file://:0:0:0:0 | .TLSVersion : | InsecureTLS.swift:165:47:165:51 | .TLSVersion : |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:165:3:165:3 | [post] config |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] : |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:19:7:19:7 | value : | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] : |
#select
| InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | This TLS configuration is insecure. |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | This TLS configuration is insecure. |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | This TLS configuration is insecure. |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | This TLS configuration is insecure. |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | This TLS configuration is insecure. |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | This TLS configuration is insecure. |
| InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | InsecureTLS.swift:122:47:122:47 | version | This TLS configuration is insecure. |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:165:47:165:51 | .TLSVersion | This TLS configuration is insecure. |
| InsecureTLS.swift:181:53:181:76 | .TLSv10 | InsecureTLS.swift:181:53:181:76 | .TLSv10 | InsecureTLS.swift:181:53:181:76 | .TLSv10 | This TLS configuration is insecure. |
| InsecureTLS.swift:187:42:187:42 | withMinVersion | InsecureTLS.swift:193:51:193:74 | .TLSv10 : | InsecureTLS.swift:187:42:187:42 | withMinVersion | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:181:53:181:76 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| InsecureTLS.swift:40:3:40:3 | [post] config | InsecureTLS.swift:40:47:40:70 | .TLSv10 : | InsecureTLS.swift:40:3:40:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:45:3:45:3 | [post] config | InsecureTLS.swift:45:47:45:70 | .TLSv11 : | InsecureTLS.swift:45:3:45:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:57:3:57:3 | [post] config | InsecureTLS.swift:57:47:57:70 | .TLSv10 : | InsecureTLS.swift:57:3:57:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:64:3:64:3 | [post] config | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | InsecureTLS.swift:64:3:64:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:76:3:76:3 | [post] config | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | InsecureTLS.swift:76:3:76:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:111:3:111:3 | [post] config | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:3:111:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:122:3:122:3 | [post] config | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | InsecureTLS.swift:122:3:122:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:165:3:165:3 | [post] config | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:165:3:165:3 | [post] config | This TLS configuration is insecure. |
| InsecureTLS.swift:181:3:181:9 | [post] getter for .config | InsecureTLS.swift:181:53:181:76 | .TLSv10 : | InsecureTLS.swift:181:3:181:9 | [post] getter for .config | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:40:47:40:70 | .TLSv10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:45:47:45:70 | .TLSv11 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:57:47:57:70 | .TLSv10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
| file://:0:0:0:0 | [post] self | InsecureTLS.swift:181:53:181:76 | .TLSv10 : | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |

2
swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift
View File

@@ -190,7 +190,7 @@ extension URLSessionConfiguration {
func case_21() {
let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv13) // GOOD
let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv10) // BAD
let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv10) // BAD [NOT DETECTED]
}
func setVersion(version: inout tls_protocol_version_t, value: tls_protocol_version_t) {