hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-18 21:44:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Model RNCryptor.

Browse Source
This commit is contained in:
Geoffrey White
2023-01-17 09:08:11 +00:00
parent 449ebb8a12
commit 74a37475db
3 changed files with 89 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
View File

@@ -38,6 +38,21 @@ class ConstantPasswordSink extends Expr {
call.getStaticTarget() = f and
call.getArgumentWithLabel("password").getExpr() = this
)
or
// RNCryptor (labelled arguments)
exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
c.getAMember() = f and
call.getStaticTarget() = f and
call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() = this
)
or
// RNCryptor (unlabelled arguments)
exists(MethodDecl f, CallExpr call |
f.hasQualifiedName("RNCryptor", "keyForPassword(_:salt:settings:)") and
call.getStaticTarget() = f and
call.getArgument(0).getExpr() = this
)
}
}

57
swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected
View File

@@ -1,9 +1,46 @@
edges
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:77:89:77:89 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:78:56:78:56 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:80:89:80:89 | myMaybePassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:81:56:81:56 | myMaybePassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:91:39:91:39 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:92:37:92:37 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:93:39:93:39 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:94:37:94:37 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:96:68:96:68 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:97:68:97:68 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:98:68:98:68 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:100:89:100:89 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:101:97:101:97 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:102:89:102:89 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:103:97:103:97 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:105:32:105:32 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:107:61:107:61 | myConstPassword |
| rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:108:97:108:97 | myConstPassword |
| test.swift:43:39:43:134 | [...] : | test.swift:51:30:51:30 | constantPassword |
| test.swift:43:39:43:134 | [...] : | test.swift:56:40:56:40 | constantPassword |
| test.swift:43:39:43:134 | [...] : | test.swift:62:40:62:40 | constantPassword |
| test.swift:43:39:43:134 | [...] : | test.swift:67:34:67:34 | constantPassword |
nodes
| rncryptor.swift:69:24:69:24 | abc123 : | semmle.label | abc123 : |
| rncryptor.swift:77:89:77:89 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:78:56:78:56 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:80:89:80:89 | myMaybePassword | semmle.label | myMaybePassword |
| rncryptor.swift:81:56:81:56 | myMaybePassword | semmle.label | myMaybePassword |
| rncryptor.swift:91:39:91:39 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:92:37:92:37 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:93:39:93:39 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:94:37:94:37 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:96:68:96:68 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:97:68:97:68 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:98:68:98:68 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:100:89:100:89 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:101:97:101:97 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:102:89:102:89 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:103:97:103:97 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:105:32:105:32 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:107:61:107:61 | myConstPassword | semmle.label | myConstPassword |
| rncryptor.swift:108:97:108:97 | myConstPassword | semmle.label | myConstPassword |
| test.swift:43:39:43:134 | [...] : | semmle.label | [...] : |
| test.swift:51:30:51:30 | constantPassword | semmle.label | constantPassword |
| test.swift:56:40:56:40 | constantPassword | semmle.label | constantPassword |
@@ -11,7 +48,25 @@ nodes
| test.swift:67:34:67:34 | constantPassword | semmle.label | constantPassword |
subpaths
#select
| rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:78:56:78:56 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:78:56:78:56 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:80:89:80:89 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:80:89:80:89 | myMaybePassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:81:56:81:56 | myMaybePassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:81:56:81:56 | myMaybePassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:91:39:91:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:91:39:91:39 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:92:37:92:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:92:37:92:37 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:93:39:93:39 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:93:39:93:39 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:94:37:94:37 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:94:37:94:37 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:96:68:96:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:96:68:96:68 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:97:68:97:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:97:68:97:68 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:98:68:98:68 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:98:68:98:68 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:100:89:100:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:100:89:100:89 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:101:97:101:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:101:97:101:97 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:102:89:102:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:102:89:102:89 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:103:97:103:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:103:97:103:97 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:105:32:105:32 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:105:32:105:32 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. |
| rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 : | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. |
| test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] : | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. |
| test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] : | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. |
| test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] : | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. |
| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] : | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. |
| test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] : | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. |

36
swift/ql/test/query-tests/Security/CWE-259/rncryptor.swift
View File

@@ -74,11 +74,11 @@ func test(cond: Bool) {
let a = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myRandomPassword) // GOOD
let _ = try? myDecryptor.decryptData(a, withPassword: myRandomPassword) // GOOD
let b = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD [NOT DETECTED]
let _ = try? myDecryptor.decryptData(b, withPassword: myConstPassword) // BAD [NOT DETECTED]
let b = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD
let _ = try? myDecryptor.decryptData(b, withPassword: myConstPassword) // BAD
let c = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myMaybePassword) // BAD [NOT DETECTED]
let _ = try? myDecryptor.decryptData(c, withPassword: myMaybePassword) // BAD [NOT DETECTED]
let c = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myMaybePassword) // BAD
let _ = try? myDecryptor.decryptData(c, withPassword: myMaybePassword) // BAD
// all methods
@@ -88,22 +88,22 @@ func test(cond: Bool) {
let mySalt = Data(0)
let mySalt2 = Data(0)
let _ = myEncryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
let _ = myEncryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
let _ = myDecryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
let _ = myDecryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
let _ = myEncryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BADx
let _ = myEncryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD
let _ = myDecryptor.key(forPassword: myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD
let _ = myDecryptor.keyForPassword(myConstPassword, salt: mySalt, settings: myKeyDerivationSettings) // BAD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, handler: myHandler) // BAD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword) // BAD
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myConstPassword, iv: myIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword, IV: myIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD
let _ = RNDecryptor(password: myConstPassword, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNDecryptor(password: myConstPassword, handler: myHandler) // BAD
let _ = try? myDecryptor.decryptData(myData, withPassword: myConstPassword) // BAD [NOT DETECTED]
let _ = try? myDecryptor.decryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD [NOT DETECTED]
let _ = try? myDecryptor.decryptData(myData, withPassword: myConstPassword) // BAD
let _ = try? myDecryptor.decryptData(myData, withSettings: kRNCryptorAES256Settings, password: myConstPassword) // BAD
}