From 4225774a3a218b48c332bd1c13a0dc33147cfbf3 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 2 Aug 2024 17:06:28 +0100
Subject: [PATCH] Swift: Add test cases for swift/hardcoded-key.
---
 .../CWE-321/HardcodedEncryptionKey.expected | 23 ++++++++++++++
 .../query-tests/Security/CWE-321/misc.swift | 31 +++++++++++++------
 2 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected b/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected
index 7c60e703b8b..0d8a259fe90 100644
--- a/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected
+++ b/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected
@@ -51,6 +51,15 @@ edges | misc.swift:70:41:70:41 | myConstKey | misc.swift:30:7:30:7 | value | provenance | | | misc.swift:70:41:70:41 | myConstKey | misc.swift:70:2:70:18 | [post] getter for .config | provenance | | | misc.swift:70:41:70:41 | myConstKey | misc.swift:70:2:70:18 | [post] getter for .config [encryptionKey] | provenance | | +| misc.swift:73:14:73:20 | k1 | misc.swift:76:26:76:29 | .utf8 | provenance | | +| misc.swift:73:28:73:34 | k2 | misc.swift:77:26:77:29 | .utf8 | provenance | | +| misc.swift:76:20:76:33 | call to Array.init(_:) [Collection element] | misc.swift:76:20:76:33 | call to Array.init(_:) | provenance | | +| misc.swift:76:26:76:29 | .utf8 | misc.swift:76:20:76:33 | call to Array.init(_:) [Collection element] | provenance | | +| misc.swift:77:20:77:33 | call to Array.init(_:) [Collection element] | misc.swift:77:20:77:33 | call to Array.init(_:) | provenance | | +| misc.swift:77:26:77:29 | .utf8 | misc.swift:77:20:77:33 | call to Array.init(_:) [Collection element] | provenance | | +| misc.swift:82:10:82:10 | abc123 | misc.swift:73:14:73:20 | k1 | provenance | | +| misc.swift:83:10:83:10 | abc123 | misc.swift:73:14:73:20 | k1 | provenance | | +| misc.swift:83:20:83:20 | abc123 | misc.swift:73:28:73:34 | k2 | provenance | | | rncryptor.swift:60:19:60:38 | call to Data.init(_:) | rncryptor.swift:65:73:65:73 | myConstKey | provenance | | | rncryptor.swift:60:19:60:38 | call to Data.init(_:) | rncryptor.swift:66:73:66:73 | myConstKey | provenance | | | rncryptor.swift:60:19:60:38 | call to Data.init(_:) | rncryptor.swift:67:73:67:73 | myConstKey | provenance | | 
@@ -131,6 +140,17 @@ nodes | misc.swift:70:2:70:18 | [post] getter for .config | semmle.label | [post] getter for .config | | misc.swift:70:2:70:18 | [post] getter for .config [encryptionKey] | semmle.label | [post] getter for .config [encryptionKey] | | misc.swift:70:41:70:41 | myConstKey | semmle.label | myConstKey | +| misc.swift:73:14:73:20 | k1 | semmle.label | k1 | +| misc.swift:73:28:73:34 | k2 | semmle.label | k2 | +| misc.swift:76:20:76:33 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | +| misc.swift:76:20:76:33 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| misc.swift:76:26:76:29 | .utf8 | semmle.label | .utf8 | +| misc.swift:77:20:77:33 | call to Array.init(_:) | semmle.label | call to Array.init(_:) | +| misc.swift:77:20:77:33 | call to Array.init(_:) [Collection element] | semmle.label | call to Array.init(_:) [Collection element] | +| misc.swift:77:26:77:29 | .utf8 | semmle.label | .utf8 | +| misc.swift:82:10:82:10 | abc123 | semmle.label | abc123 | +| misc.swift:83:10:83:10 | abc123 | semmle.label | abc123 | +| misc.swift:83:20:83:20 | abc123 | semmle.label | abc123 | | rncryptor.swift:60:19:60:38 | call to Data.init(_:) | semmle.label | call to Data.init(_:) | | rncryptor.swift:60:24:60:24 | abcdef123456 | semmle.label | abcdef123456 | | rncryptor.swift:65:73:65:73 | myConstKey | semmle.label | myConstKey | 
@@ -194,6 +214,9 @@ subpaths | misc.swift:62:41:62:41 | myConstKey | misc.swift:57:24:57:24 | abcdef123456 | misc.swift:62:41:62:41 | myConstKey | The key 'myConstKey' has been initialized with hard-coded values from $@. | misc.swift:57:24:57:24 | abcdef123456 | abcdef123456 | | misc.swift:66:2:66:2 | [post] config | misc.swift:57:24:57:24 | abcdef123456 | misc.swift:66:2:66:2 | [post] config | The key '[post] config' has been initialized with hard-coded values from $@. | misc.swift:57:24:57:24 | abcdef123456 | abcdef123456 | | misc.swift:70:2:70:18 | [post] getter for .config | misc.swift:57:24:57:24 | abcdef123456 | misc.swift:70:2:70:18 | [post] getter for .config | The key '[post] getter for .config' has been initialized with hard-coded values from $@. | misc.swift:57:24:57:24 | abcdef123456 | abcdef123456 | +| misc.swift:76:20:76:33 | call to Array.init(_:) | misc.swift:82:10:82:10 | abc123 | misc.swift:76:20:76:33 | call to Array.init(_:) | The key 'call to Array.init(_:)' has been initialized with hard-coded values from $@. | misc.swift:82:10:82:10 | abc123 | abc123 | +| misc.swift:76:20:76:33 | call to Array.init(_:) | misc.swift:83:10:83:10 | abc123 | misc.swift:76:20:76:33 | call to Array.init(_:) | The key 'call to Array.init(_:)' has been initialized with hard-coded values from $@. | misc.swift:83:10:83:10 | abc123 | abc123 | +| misc.swift:77:20:77:33 | call to Array.init(_:) | misc.swift:83:20:83:20 | abc123 | misc.swift:77:20:77:33 | call to Array.init(_:) | The key 'call to Array.init(_:)' has been initialized with hard-coded values from $@. | misc.swift:83:20:83:20 | abc123 | abc123 | | rncryptor.swift:65:73:65:73 | myConstKey | rncryptor.swift:60:24:60:24 | abcdef123456 | rncryptor.swift:65:73:65:73 | myConstKey | The key 'myConstKey' has been initialized with hard-coded values from $@. 
| rncryptor.swift:60:24:60:24 | abcdef123456 | abcdef123456 | | rncryptor.swift:66:73:66:73 | myConstKey | rncryptor.swift:60:24:60:24 | abcdef123456 | rncryptor.swift:66:73:66:73 | myConstKey | The key 'myConstKey' has been initialized with hard-coded values from $@. | rncryptor.swift:60:24:60:24 | abcdef123456 | abcdef123456 | | rncryptor.swift:67:73:67:73 | myConstKey | rncryptor.swift:60:24:60:24 | abcdef123456 | rncryptor.swift:67:73:67:73 | myConstKey | The key 'myConstKey' has been initialized with hard-coded values from $@. | rncryptor.swift:60:24:60:24 | abcdef123456 | abcdef123456 | diff --git a/swift/ql/test/query-tests/Security/CWE-321/misc.swift b/swift/ql/test/query-tests/Security/CWE-321/misc.swift index a993e2eb4d4..9b225bea84a 100644 --- a/swift/ql/test/query-tests/Security/CWE-321/misc.swift +++ b/swift/ql/test/query-tests/Security/CWE-321/misc.swift @@ -1,7 +1,7 @@ // --- stubs --- -class Data { +struct Data { init(_ elements: S) {} } @@ -31,16 +31,16 @@ extension Realm { } } +protocol BlockMode { } +struct CBC: BlockMode { + init(iv: Array) { } +} - - - - - - - - +class AES +{ + init(key: Array, blockMode: BlockMode) { } +} // --- tests --- @@ -69,3 +69,16 @@ func test(myVarStr: String) { configContainer.config.encryptionKey = myVarKey // GOOD configContainer.config.encryptionKey = myConstKey // BAD } + +func useKeys(_ k1: String, _ k2: String, _ k3: String, _ myIV: Array) { + // --- cryptoswift --- + + let a1 = AES(key: Array(k1.utf8), blockMode: CBC(iv: myIV)) // BAD + let a2 = AES(key: Array(k2.utf8), blockMode: CBC(iv: myIV)) // BAD + let a3 = AES(key: Array(k3.utf8), blockMode: CBC(iv: myIV)) // GOOD +} + +func caller(varString: String, myIV: Array) { + useKeys("abc123", varString, varString, myIV) + useKeys("abc123", "abc123", varString, myIV) +}
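Review bot: The `AES` stub in the second misc.swift hunk opens its brace on its own line while the neighbouring `struct CBC: BlockMode {` and the `struct Data {` stub in the first hunk keep the brace on the declaration line; `class AES {` would match the rest of the file. The stubs also carry no comment saying what they stand in for, and the only hint, the `// --- cryptoswift ---` marker, sits inside `useKeys` rather than next to the declarations. A one-line comment above `protocol BlockMode { }` such as `// Stubs for the CryptoSwift AES/CBC types used as key sinks in the tests below` would make the stub section self-explanatory.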
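Review bot: The `// BAD` / `// GOOD` labels on `a1`, `a2` and `a3` in `useKeys` depend entirely on the call sites in `caller`, where `k1` and `k2` receive the literal `"abc123"` and `k3` only ever receives `varString`; nothing at the sink lines says so, so a later edit to `caller` can silently invalidate the labels without anyone noticing until the .expected file drifts. A comment above `useKeys` stating that dependency would make the expectation self-explanatory, e.g. `// k1 and k2 are passed a hard-coded literal by at least one call in caller(); k3 never is`. All three sinks also build the key the same way, `Array(kN.utf8)`, so this hunk does not exercise a key supplied directly as a byte array to `AES(key:blockMode:)`; if the query is meant to flag that form as well, a fourth case in `useKeys` would pin it.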