Swift: Add a few more test cases.

Geoffrey White
2023-11-21 11:32:40 +00:00
parent 57a1becd22
commit 5bbc61e83c


@@ -154,27 +154,34 @@ class Logic {
func addString(_ str: String) {} // safe
}
// custom
class MyRemoteLogger {
func setPassword(password: String) { }
func login(password: String) { }
func logout(secret: String) { }
}
// --- tests ---
func test1(password: String, passwordHash : String, passphrase: String, pass_phrase: String) {
print(password) // $ hasCleartextLogging=160
print(password, separator: "") // $ $ hasCleartextLogging=161
print("", separator: password) // $ hasCleartextLogging=162
print(password, separator: "", terminator: "") // $ hasCleartextLogging=163
print("", separator: password, terminator: "") // $ hasCleartextLogging=164
print("", separator: "", terminator: password) // $ hasCleartextLogging=165
print(password) // $ hasCleartextLogging=167
print(password, separator: "") // $ $ hasCleartextLogging=168
print("", separator: password) // $ hasCleartextLogging=169
print(password, separator: "", terminator: "") // $ hasCleartextLogging=170
print("", separator: password, terminator: "") // $ hasCleartextLogging=171
print("", separator: "", terminator: password) // $ hasCleartextLogging=172
print(passwordHash) // safe
debugPrint(password) // $ hasCleartextLogging=168
debugPrint(password) // $ hasCleartextLogging=175
dump(password) // $ hasCleartextLogging=170
dump(password) // $ hasCleartextLogging=177
NSLog(password) // $ hasCleartextLogging=172
NSLog("%@", password) // $ hasCleartextLogging=173
NSLog("%@ %@", "", password) // $ hasCleartextLogging=174
NSLog("\(password)") // $ hasCleartextLogging=175
NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=176
NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=177
NSLog(password) // $ hasCleartextLogging=179
NSLog("%@", password) // $ hasCleartextLogging=180
NSLog("%@ %@", "", password) // $ hasCleartextLogging=181
NSLog("\(password)") // $ hasCleartextLogging=182
NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=183
NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=184
NSLog(passwordHash) // safe
NSLogv("%@", getVaList([passwordHash])) // safe
@@ -184,38 +191,38 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
log.log("\(password)") // safe
log.log("\(password, privacy: .auto)") // safe
log.log("\(password, privacy: .private)") // safe
log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=187
log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=194
log.log("\(passwordHash, privacy: .public)") // safe
log.log("\(password, privacy: .sensitive)") // safe
log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=190
log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=191
log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=197
log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=198
log.log("\(bankAccount, privacy: .private)") // safe
log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=193
log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=200
log.log("\(bankAccount, privacy: .sensitive)") // safe
log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=195
log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=196
log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=202
log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=203
log.trace("\(passwordHash, privacy: .public)") // safe
log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=198
log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=205
log.debug("\(passwordHash, privacy: .public)") // safe
log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=200
log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=207
log.info("\(passwordHash, privacy: .public)") // safe
log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=202
log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=209
log.notice("\(passwordHash, privacy: .public)") // safe
log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=204
log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=211
log.warning("\(passwordHash, privacy: .public)") // safe
log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=206
log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=213
log.error("\(passwordHash, privacy: .public)") // safe
log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=208
log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=215
log.critical("\(passwordHash, privacy: .public)") // safe
log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=210
log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=217
log.fault("\(passwordHash, privacy: .public)") // safe
NSLog(passphrase) // $ hasCleartextLogging=213
NSLog(pass_phrase) // $ hasCleartextLogging=214
NSLog(passphrase) // $ hasCleartextLogging=220
NSLog(pass_phrase) // $ hasCleartextLogging=221
os_log("%@", log: .default, type: .default, "") // safe
os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=217
os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=218
os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=224
os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=225
}
class MyClass {
@@ -229,16 +236,16 @@ func doSomething(password: String) { }
func test3(x: String) {
// alternative evidence of sensitivity...
NSLog(x) // $ MISSING: hasCleartextLogging=233
NSLog(x) // $ MISSING: hasCleartextLogging=240
doSomething(password: x);
NSLog(x) // $ hasCleartextLogging=233
NSLog(x) // $ hasCleartextLogging=240
let y = getPassword();
NSLog(y) // $ hasCleartextLogging=236
NSLog(y) // $ hasCleartextLogging=243
let z = MyClass()
NSLog(z.harmless) // safe
NSLog(z.password) // $ hasCleartextLogging=241
NSLog(z.password) // $ hasCleartextLogging=248
}
struct MyOuter {
@@ -253,7 +260,7 @@ struct MyOuter {
func test3(mo : MyOuter) {
// struct members...
NSLog(mo.password.value) // $ hasCleartextLogging=256
NSLog(mo.password.value) // $ hasCleartextLogging=263
NSLog(mo.harmless.value) // safe
}
@@ -277,39 +284,39 @@ func test4(harmless: String, password: String) {
print(myString1) // safe
print(password, to: &myString2)
print(myString2) // $ hasCleartextLogging=279
print(myString2) // $ hasCleartextLogging=286
print("log: " + password, to: &myString3)
print(myString3) // $ hasCleartextLogging=282
print(myString3) // $ hasCleartextLogging=289
debugPrint(harmless, to: &myString4)
debugPrint(myString4) // safe
debugPrint(password, to: &myString5)
debugPrint(myString5) // $ hasCleartextLogging=288
debugPrint(myString5) // $ hasCleartextLogging=295
dump(harmless, to: &myString6)
dump(myString6) // safe
dump(password, to: &myString7)
dump(myString7) // $ hasCleartextLogging=294
dump(myString7) // $ hasCleartextLogging=301
myString8.write(harmless)
print(myString8)
myString9.write(password)
print(myString9) // $ hasCleartextLogging=300
print(myString9) // $ hasCleartextLogging=307
myString10.write(harmless)
myString10.write(password)
myString10.write(harmless)
print(myString10) // $ hasCleartextLogging=304
print(myString10) // $ hasCleartextLogging=311
harmless.write(to: &myString11)
print(myString11)
password.write(to: &myString12)
print(myString12) // $ hasCleartextLogging=311
print(myString12) // $ hasCleartextLogging=318
print(password, to: &myString13) // $ safe - only printed to another string
debugPrint(password, to: &myString13) // $ safe - only printed to another string
@@ -324,61 +331,66 @@ func test5(password: String, caseNum: Int) {
switch caseNum {
case 0:
assert(false, password) // $ hasCleartextLogging=327
assert(false, password) // $ hasCleartextLogging=334
case 1:
assertionFailure(password) // $ hasCleartextLogging=329
assertionFailure(password) // $ hasCleartextLogging=336
case 2:
precondition(false, password) // $ hasCleartextLogging=331
precondition(false, password) // $ hasCleartextLogging=338
case 3:
preconditionFailure(password) // $ hasCleartextLogging=333
preconditionFailure(password) // $ hasCleartextLogging=340
default:
fatalError(password) // $ hasCleartextLogging=335
fatalError(password) // $ hasCleartextLogging=342
}
}
func test6(passwordString: String) {
let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ hasCleartextLogging=340
let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ hasCleartextLogging=347
e.raise()
NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ hasCleartextLogging=343
NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ hasCleartextLogging=344
NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ hasCleartextLogging=350
NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ hasCleartextLogging=351
_ = dprintf(0, "\(passwordString) is incorrect!") // $ hasCleartextLogging=346
_ = dprintf(0, "%s is incorrect!", passwordString) // $ hasCleartextLogging=347
_ = dprintf(0, "%s: %s is incorrect!", "foo", passwordString) // $ hasCleartextLogging=348
_ = vprintf("\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=349
_ = vprintf("%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=350
_ = vfprintf(nil, "\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=351
_ = vfprintf(nil, "%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=352
_ = dprintf(0, "\(passwordString) is incorrect!") // $ hasCleartextLogging=353
_ = dprintf(0, "%s is incorrect!", passwordString) // $ hasCleartextLogging=354
_ = dprintf(0, "%s: %s is incorrect!", "foo", passwordString) // $ hasCleartextLogging=355
_ = vprintf("\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=356
_ = vprintf("%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=357
_ = vfprintf(nil, "\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=358
_ = vfprintf(nil, "%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=359
_ = vasprintf_l(nil, nil, "\(passwordString) is incorrect!", getVaList([])) // good (`sprintf` is not logging)
_ = vasprintf_l(nil, nil, "%s is incorrect!", getVaList([passwordString])) // good (`sprintf` is not logging)
}
func test7(authKey: String, authKey2: Int, authKey3: Float) {
log(message: authKey) // $ hasCleartextLogging=358
log(message: String(authKey2)) // $ hasCleartextLogging=359
logging(message: authKey) // $ hasCleartextLogging=360
logfile(file: 0, message: authKey) // $ hasCleartextLogging=361
logMessage(NSString(string: authKey)) // $ hasCleartextLogging=362
logInfo(authKey) // $ MISSING: hasCleartextLogging=363
logError(errorMsg: authKey) // $ hasCleartextLogging=364
func test7(authKey: String, authKey2: Int, authKey3: Float, password: String, secret: String) {
log(message: authKey) // $ hasCleartextLogging=365
log(message: String(authKey2)) // $ hasCleartextLogging=366
logging(message: authKey) // $ hasCleartextLogging=367
logfile(file: 0, message: authKey) // $ hasCleartextLogging=368
logMessage(NSString(string: authKey)) // $ hasCleartextLogging=369
logInfo(authKey) // $ MISSING: hasCleartextLogging=370
logError(errorMsg: authKey) // $ hasCleartextLogging=371
harmless(authKey) // GOOD: not logging
_ = logarithm(authKey3) // GOOD: not logging
doLogin(login: authKey) // GOOD: not logging
let logger = LogFile()
let msg = "authKey: " + authKey
logger.log(msg) // $ hasCleartextLogging=370
logger.trace(msg) // $ hasCleartextLogging=370
logger.debug(msg) // $ hasCleartextLogging=370
logger.info(NSString(string: msg)) // $ hasCleartextLogging=370
logger.notice(msg) // $ hasCleartextLogging=370
logger.warning(msg) // $ hasCleartextLogging=370
logger.error(msg) // $ hasCleartextLogging=370
logger.critical(msg) // $ hasCleartextLogging=370
logger.fatal(msg) // $ hasCleartextLogging=370
logger.log(msg) // $ hasCleartextLogging=377
logger.trace(msg) // $ hasCleartextLogging=377
logger.debug(msg) // $ hasCleartextLogging=377
logger.info(NSString(string: msg)) // $ hasCleartextLogging=377
logger.notice(msg) // $ hasCleartextLogging=377
logger.warning(msg) // $ hasCleartextLogging=377
logger.error(msg) // $ hasCleartextLogging=377
logger.critical(msg) // $ hasCleartextLogging=377
logger.fatal(msg) // $ hasCleartextLogging=377
let logic = Logic()
logic.addInt(authKey2) // GOOD: not logging
logic.addString(authKey) // $ SPURIOUS: hasCleartextLogging=383 (not logging)
logic.addString(authKey) // $ SPURIOUS: hasCleartextLogging=390 (not logging)
let rlogger = MyRemoteLogger()
rlogger.setPassword(password: password) // $ SPURIOUS: hasCleartextLogging=393 (not logging)
rlogger.login(password: password) // $ SPURIOUS: hasCleartextLogging=394 (not logging)
rlogger.logout(secret: secret) // $ SPURIOUS: hasCleartextLogging=395 (not logging)
}
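Review bot: The three `rlogger` calls at the end of `test7` only record false positives (`SPURIOUS`), and `MyRemoteLogger` has no method that actually logs, so nothing here would fail if a later fix silenced every sink on a class like this one. Consider pairing them with a real logging method on the same type, e.g. `func log(_ message: String) { }` in the class and `rlogger.log(password) // $ hasCleartextLogging=<line>` in `test7`, assuming the query is expected to flag it. The `// custom` comment above the class could also say why it exists, something like `// a class named like a logger whose credential-taking methods do not log`. Separately, the renumbered `print(password, separator: "")` line still carries a doubled `$ $` marker, which looks like a typo carried over from the old line.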