hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Add low-level CryptoSwift sinks.

Browse Source
This commit is contained in:
Geoffrey White
2023-04-11 19:22:17 +01:00
parent d299d92025
commit 51a62b54ee
3 changed files with 43 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
View File

@@ -46,6 +46,13 @@ private class WeakHashingSinks extends SinkModelCsv {
";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
// CryptoSwift
";MD5;true;calculate(for:);;;Argument[0];weak-hash-input-MD5",
";MD5;true;callAsFunction(_:);;;Argument[0];weak-hash-input-MD5",
";MD5;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-MD5",
";SHA1;true;calculate(for:);;;Argument[0];weak-hash-input-SHA1",
";SHA1;true;callAsFunction(_:);;;Argument[0];weak-hash-input-SHA1",
";SHA1;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-SHA1",
]
}
}

30
swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
View File

@@ -1,4 +1,14 @@
edges
| testCryptoSwift.swift:38:21:38:41 | bytes : | testCryptoSwift.swift:39:37:39:37 | bytes |
| testCryptoSwift.swift:42:22:42:42 | bytes : | testCryptoSwift.swift:43:38:43:38 | bytes |
| testCryptoSwift.swift:60:10:60:10 | self : | testCryptoSwift.swift:61:27:61:27 | self : |
| testCryptoSwift.swift:61:27:61:27 | self : | testCryptoSwift.swift:38:21:38:41 | bytes : |
| testCryptoSwift.swift:64:10:64:10 | self : | testCryptoSwift.swift:65:28:65:28 | self : |
| testCryptoSwift.swift:65:28:65:28 | self : | testCryptoSwift.swift:42:22:42:42 | bytes : |
| testCryptoSwift.swift:120:20:120:20 | passwdArray : | testCryptoSwift.swift:38:21:38:41 | bytes : |
| testCryptoSwift.swift:122:21:122:21 | passwdArray : | testCryptoSwift.swift:42:22:42:42 | bytes : |
| testCryptoSwift.swift:127:9:127:9 | passwdArray : | testCryptoSwift.swift:60:10:60:10 | self : |
| testCryptoSwift.swift:129:9:129:9 | passwdArray : | testCryptoSwift.swift:64:10:64:10 | self : |
nodes
| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
| testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
@@ -13,6 +23,20 @@ nodes
| testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoSwift.swift:38:21:38:41 | bytes : | semmle.label | bytes : |
| testCryptoSwift.swift:39:37:39:37 | bytes | semmle.label | bytes |
| testCryptoSwift.swift:42:22:42:42 | bytes : | semmle.label | bytes : |
| testCryptoSwift.swift:43:38:43:38 | bytes | semmle.label | bytes |
| testCryptoSwift.swift:60:10:60:10 | self : | semmle.label | self : |
| testCryptoSwift.swift:61:27:61:27 | self : | semmle.label | self : |
| testCryptoSwift.swift:64:10:64:10 | self : | semmle.label | self : |
| testCryptoSwift.swift:65:28:65:28 | self : | semmle.label | self : |
| testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:120:20:120:20 | passwdArray : | semmle.label | passwdArray : |
| testCryptoSwift.swift:122:21:122:21 | passwdArray : | semmle.label | passwdArray : |
| testCryptoSwift.swift:127:9:127:9 | passwdArray : | semmle.label | passwdArray : |
| testCryptoSwift.swift:129:9:129:9 | passwdArray : | semmle.label | passwdArray : |
subpaths
#select
| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
@@ -28,3 +52,9 @@ subpaths
| testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
| testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:120:20:120:20 | passwdArray : | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:127:9:127:9 | passwdArray : | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:122:21:122:21 | passwdArray : | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |
| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:129:9:129:9 | passwdArray : | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
| testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
| testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |

12
swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
View File

@@ -110,23 +110,23 @@ extension String {
func testArrays(harmlessArray: Array<UInt8>, passwdArray: Array<UInt8>) {
_ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
_ = MD5().calculate(for: passwdArray) // BAD [NOT DETECTED]
_ = MD5().calculate(for: passwdArray) // BAD
_ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
_ = SHA1().calculate(for: passwdArray) // BAD [NOT DETECTED]
_ = SHA1().calculate(for: passwdArray) // BAD
_ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
_ = SHA2(variant: .sha512).calculate(for: passwdArray) // GOOD
_ = Digest.md5(harmlessArray) // GOOD (not sensitive)
_ = Digest.md5(passwdArray) // BAD [NOT DETECTED]
_ = Digest.md5(passwdArray) // BAD
_ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
_ = Digest.sha1(passwdArray) // BAD [NOT DETECTED]
_ = Digest.sha1(passwdArray) // BAD
_ = Digest.sha512(harmlessArray) // GOOD
_ = Digest.sha512(passwdArray) // GOOD
_ = harmlessArray.md5() // GOOD (not sensitive)
_ = passwdArray.md5() // BAD [NOT DETECTED]
_ = passwdArray.md5() // BAD
_ = harmlessArray.sha1() // GOOD (not sensitive)
_ = passwdArray.sha1() // BAD [NOT DETECTED]
_ = passwdArray.sha1() // BAD
_ = harmlessArray.sha512() // GOOD
_ = passwdArray.sha512() // GOOD
}