hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 15:55:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Recognize more sources.

Browse Source
This commit is contained in:
Geoffrey White
2023-01-20 15:08:02 +00:00
parent 581c478872
commit 7648e8f6a3
3 changed files with 28 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
View File

@@ -22,7 +22,8 @@ import DataFlow::PathGraph
class StaticInitializationVectorSource extends Expr {
StaticInitializationVectorSource() {
this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") or
this instanceof StringLiteralExpr
this instanceof StringLiteralExpr or
this instanceof NumberLiteralExpr
}
}

22
swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected
View File

@@ -1,5 +1,13 @@
edges
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : |
| rncryptor.swift:60:19:60:25 | call to Data.init(_:) : | rncryptor.swift:68:104:68:104 | myConstIV1 |
| rncryptor.swift:60:19:60:25 | call to Data.init(_:) : | rncryptor.swift:77:125:77:125 | myConstIV1 |
| rncryptor.swift:60:24:60:24 | 0 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : |
| rncryptor.swift:60:24:60:24 | 0 : | rncryptor.swift:60:19:60:25 | call to Data.init(_:) : |
| rncryptor.swift:61:19:61:27 | call to Data.init(_:) : | rncryptor.swift:70:104:70:104 | myConstIV2 |
| rncryptor.swift:61:19:61:27 | call to Data.init(_:) : | rncryptor.swift:79:133:79:133 | myConstIV2 |
| rncryptor.swift:61:24:61:24 | 123 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : |
| rncryptor.swift:61:24:61:24 | 123 : | rncryptor.swift:61:19:61:27 | call to Data.init(_:) : |
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | rncryptor.swift:74:84:74:84 | myConstIV4 |
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | rncryptor.swift:83:113:83:113 | myConstIV4 |
| rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : |
@@ -30,9 +38,17 @@ edges
nodes
| file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | semmle.label | [summary] to write: return (return) in Data.init(_:) : |
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | semmle.label | [summary param] 0 in Data.init(_:) : |
| rncryptor.swift:60:19:60:25 | call to Data.init(_:) : | semmle.label | call to Data.init(_:) : |
| rncryptor.swift:60:24:60:24 | 0 : | semmle.label | 0 : |
| rncryptor.swift:61:19:61:27 | call to Data.init(_:) : | semmle.label | call to Data.init(_:) : |
| rncryptor.swift:61:24:61:24 | 123 : | semmle.label | 123 : |
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | semmle.label | call to Data.init(_:) : |
| rncryptor.swift:63:24:63:24 | iv : | semmle.label | iv : |
| rncryptor.swift:68:104:68:104 | myConstIV1 | semmle.label | myConstIV1 |
| rncryptor.swift:70:104:70:104 | myConstIV2 | semmle.label | myConstIV2 |
| rncryptor.swift:74:84:74:84 | myConstIV4 | semmle.label | myConstIV4 |
| rncryptor.swift:77:125:77:125 | myConstIV1 | semmle.label | myConstIV1 |
| rncryptor.swift:79:133:79:133 | myConstIV2 | semmle.label | myConstIV2 |
| rncryptor.swift:83:113:83:113 | myConstIV4 | semmle.label | myConstIV4 |
| test.swift:53:19:53:34 | iv : | semmle.label | iv : |
| test.swift:54:17:54:17 | iv | semmle.label | iv |
@@ -60,9 +76,15 @@ nodes
| test.swift:167:22:167:22 | iv | semmle.label | iv |
| test.swift:168:22:168:22 | iv | semmle.label | iv |
subpaths
| rncryptor.swift:60:24:60:24 | 0 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | rncryptor.swift:60:19:60:25 | call to Data.init(_:) : |
| rncryptor.swift:61:24:61:24 | 123 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | rncryptor.swift:61:19:61:27 | call to Data.init(_:) : |
| rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | rncryptor.swift:63:19:63:28 | call to Data.init(_:) : |
#select
| rncryptor.swift:68:104:68:104 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 : | rncryptor.swift:68:104:68:104 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. |
| rncryptor.swift:70:104:70:104 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 : | rncryptor.swift:70:104:70:104 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. |
| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. |
| rncryptor.swift:77:125:77:125 | myConstIV1 | rncryptor.swift:60:24:60:24 | 0 : | rncryptor.swift:77:125:77:125 | myConstIV1 | The static value '0' is used as an initialization vector for encryption. |
| rncryptor.swift:79:133:79:133 | myConstIV2 | rncryptor.swift:61:24:61:24 | 123 : | rncryptor.swift:79:133:79:133 | myConstIV2 | The static value '123' is used as an initialization vector for encryption. |
| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. |
| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] : | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. |
| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant : | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |

8
swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift
View File

@@ -65,18 +65,18 @@ func test(myPassword: String) {
let mySalt2 = Data(0)
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myRandomIV, handler: myHandler) // GOOD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1, handler: myHandler) // BAD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myRandomIV, handler: myHandler) // GOOD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2, handler: myHandler) // BAD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // GOOD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD [NOT DETECTED]
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // GOOD
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myRandomIV) // GOOD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1) // BAD
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myRandomIV) // GOOD
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myKey, HMACKey: myHMACKey, IV: myConstIV2) // BAD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // GOOD
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD [NOT DETECTED]
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // GOOD