Swift: Add sinks for algorithms that are OK for sensitive data hashing but not for password hashing.

Geoffrey White
2023-12-12 17:37:52 +00:00
parent c2d49c0fff
commit 7ba18e64a0
4 changed files with 125 additions and 30 deletions


@@ -43,11 +43,62 @@ class WeakPasswordHashingAdditionalFlowStep extends Unit {
* hashing as well.
*/
private class InheritedWeakPasswordHashingSink extends WeakPasswordHashingSink {
InheritedWeakPasswordHashingSink() {
this instanceof WeakSensitiveDataHashingSink
}
InheritedWeakPasswordHashingSink() { this instanceof WeakSensitiveDataHashingSink }
override string getAlgorithm() { result = this.(WeakSensitiveDataHashingSink).getAlgorithm() }
override string getAlgorithm() { result = this.(WeakSensitiveDataHashingSink).getAlgorithm() }
}
private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
// CryptoKit
// (SHA-256, SHA-384 and SHA-512 are all variants of the SHA-2 algorithm)
";SHA256;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA256;true;update(data:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA256;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA384;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA384;true;update(data:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA384;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA512;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA512",
";SHA512;true;update(data:);;;Argument[0];weak-password-hash-input-SHA512",
";SHA512;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
// CryptoSwift
";SHA2;true;calculate(for:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA2;true;callAsFunction(_:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA2;true;process64(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA2;true;process32(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA2;true;update(withBytes:isLast:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA3;true;calculate(for:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA3;true;callAsFunction(_:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA3;true;process(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
";SHA3;true;update(withBytes:isLast:);;;Argument[0];weak-password-hash-input-SHA2",
";Digest;true;sha2(_:variant:);;;Argument[0];weak-password-hash-input-SHA2",
";Digest;true;sha3(_:variant:);;;Argument[0];weak-password-hash-input-SHA3",
";Digest;true;sha224(_:);;;Argument[0];weak-password-hash-input-SHA224",
";Digest;true;sha256(_:);;;Argument[0];weak-password-hash-input-SHA256",
";Digest;true;sha384(_:);;;Argument[0];weak-password-hash-input-SHA384",
";Digest;true;sha512(_:);;;Argument[0];weak-password-hash-input-SHA512",
";Array;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
";Array;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
";Array;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
";Array;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
";Array;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
";Array;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
";Data;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
";Data;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
";Data;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
";Data;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
";Data;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
";Data;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
";String;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
";String;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
";String;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
";String;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
";String;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
";String;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
]
}
}
/**
@@ -56,9 +107,7 @@ private class InheritedWeakPasswordHashingSink extends WeakPasswordHashingSink {
private class DefaultWeakPasswordHashingSink extends WeakPasswordHashingSink {
string algorithm;
DefaultWeakPasswordHashingSink() {
sinkNode(this, "weak-password-hash-input-" + algorithm)
}
DefaultWeakPasswordHashingSink() { sinkNode(this, "weak-password-hash-input-" + algorithm) }
override string getAlgorithm() { result = algorithm }
}
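Review bot: The four `SHA3` class rows in `WeakSensitiveDataHashingSinks` (`calculate(for:)`, `callAsFunction(_:)`, `process(block:currentHash:)` and `update(withBytes:isLast:)`) end in `weak-password-hash-input-SHA2`, which looks like a copy-paste slip from the `SHA2` rows above them; the `Digest`, `Array`, `Data` and `String` `sha3` rows all use `-SHA3`. The sink still fires, but `DefaultWeakPasswordHashingSink` takes the reported algorithm from that suffix, so a password hashed through CryptoSwift's `SHA3` type is reported as SHA2. The expected output in this commit records exactly that at testCryptoSwift.swift:163:47, which by the hunk numbering is the `SHA3(variant: .sha512).calculate(for: passwdArray)` call. Each of the four rows should end in `-SHA3`, e.g. `";SHA3;true;calculate(for:);;;Argument[0];weak-password-hash-input-SHA3",`, and the `.expected` row should be regenerated to match.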


@@ -2,35 +2,81 @@ edges
nodes
| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
| testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
| testCryptoKit.swift:69:37:69:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:75:37:75:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:81:37:81:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:108:23:108:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:116:23:116:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:124:23:124:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:150:32:150:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:158:32:158:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:166:32:166:32 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:160:47:160:47 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:163:47:163:47 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:167:20:167:20 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:170:21:170:21 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:173:23:173:23 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:176:21:176:21 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:179:21:179:21 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:183:9:183:9 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:186:9:186:9 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:189:9:189:9 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:192:9:192:9 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:195:9:195:9 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:201:9:201:9 | passwdData | semmle.label | passwdData |
| testCryptoSwift.swift:204:9:204:9 | passwdData | semmle.label | passwdData |
| testCryptoSwift.swift:207:9:207:9 | passwdData | semmle.label | passwdData |
| testCryptoSwift.swift:210:9:210:9 | passwdData | semmle.label | passwdData |
| testCryptoSwift.swift:213:9:213:9 | passwdData | semmle.label | passwdData |
| testCryptoSwift.swift:219:9:219:9 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:222:9:222:9 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:225:9:225:9 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:228:9:228:9 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd |
subpaths
#select
| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | password (passwd) |
| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | password (passwd) |
| testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:69:37:69:37 | passwd | password (passwd) |
| testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:75:37:75:37 | passwd | password (passwd) |
| testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:81:37:81:37 | passwd | password (passwd) |
| testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | password (passwd) |
| testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | password (passwd) |
| testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:108:23:108:23 | passwd | password (passwd) |
| testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:116:23:116:23 | passwd | password (passwd) |
| testCryptoKit.swift:124:23:124:23 | passwd | testCryptoKit.swift:124:23:124:23 | passwd | testCryptoKit.swift:124:23:124:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:124:23:124:23 | passwd | password (passwd) |
| testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | password (passwd) |
| testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | password (passwd) |
| testCryptoKit.swift:150:32:150:32 | passwd | testCryptoKit.swift:150:32:150:32 | passwd | testCryptoKit.swift:150:32:150:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:150:32:150:32 | passwd | password (passwd) |
| testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:158:32:158:32 | passwd | password (passwd) |
| testCryptoKit.swift:166:32:166:32 | passwd | testCryptoKit.swift:166:32:166:32 | passwd | testCryptoKit.swift:166:32:166:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:166:32:166:32 | passwd | password (passwd) |
| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) |
| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) |
| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) |
| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) |
| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) |
| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) |
| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) |
| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) |
| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) |
| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) |


@@ -66,19 +66,19 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD
hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD
hash = Crypto.SHA256.hash(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA256.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA384.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA512.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
@@ -105,7 +105,7 @@ func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : St
func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA256()
hash.update(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: cert) // GOOD
hash.update(data: account_no) // GOOD
hash.update(data: credit_card_no) // GOOD
@@ -113,7 +113,7 @@ func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd :
func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA384()
hash.update(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: cert) // GOOD
hash.update(data: account_no) // GOOD
hash.update(data: credit_card_no) // GOOD
@@ -121,7 +121,7 @@ func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd :
func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA512()
hash.update(data: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: cert) // GOOD
hash.update(data: account_no) // GOOD
hash.update(data: credit_card_no) // GOOD
@@ -147,7 +147,7 @@ func testSHA1UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, c
func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
var hash = Crypto.SHA256()
hash.update(bufferPointer: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash.update(bufferPointer: cert) // GOOD
hash.update(bufferPointer: account_no) // GOOD
hash.update(bufferPointer: credit_card_no) // GOOD
@@ -155,7 +155,7 @@ func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
var hash = Crypto.SHA384()
hash.update(bufferPointer: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash.update(bufferPointer: cert) // GOOD
hash.update(bufferPointer: account_no) // GOOD
hash.update(bufferPointer: credit_card_no) // GOOD
@@ -163,7 +163,7 @@ func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
var hash = Crypto.SHA512()
hash.update(bufferPointer: passwd) // BAD [NOT DETECTED] not a computationally expensive hash
hash.update(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash.update(bufferPointer: cert) // GOOD
hash.update(bufferPointer: account_no) // GOOD
hash.update(bufferPointer: credit_card_no) // GOOD


@@ -157,10 +157,10 @@ func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, pas
_ = SHA1().calculate(for: passwdArray) // BAD
_ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
_ = SHA2(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
_ = SHA2(variant: .sha512).calculate(for: passwdArray) // BAD [NOT DETECTED]
_ = SHA2(variant: .sha512).calculate(for: passwdArray) // BAD
_ = SHA3(variant: .sha512).calculate(for: harmlessArray) // GOOD
_ = SHA3(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
_ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD [NOT DETECTED]
_ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD
_ = Digest.md5(harmlessArray) // GOOD (not sensitive)
_ = Digest.md5(phoneNumberArray) // BAD
@@ -170,13 +170,13 @@ func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, pas
_ = Digest.sha1(passwdArray) // BAD
_ = Digest.sha512(harmlessArray) // GOOD (not sensitive)
_ = Digest.sha512(phoneNumberArray) // GOOD
_ = Digest.sha512(passwdArray) // BAD [NOT DETECTED]
_ = Digest.sha512(passwdArray) // BAD
_ = Digest.sha2(harmlessArray, variant: .sha512) // GOOD (not sensitive)
_ = Digest.sha2(phoneNumberArray, variant: .sha512) // GOOD
_ = Digest.sha2(passwdArray, variant: .sha512) // BAD [NOT DETECTED]
_ = Digest.sha2(passwdArray, variant: .sha512) // BAD
_ = Digest.sha3(harmlessArray, variant: .sha512) // GOOD (not sensitive)
_ = Digest.sha3(phoneNumberArray, variant: .sha512) // GOOD
_ = Digest.sha3(passwdArray, variant: .sha512) // BAD [NOT DETECTED]
_ = Digest.sha3(passwdArray, variant: .sha512) // BAD
_ = harmlessArray.md5() // GOOD (not sensitive)
_ = phoneNumberArray.md5() // BAD
@@ -186,13 +186,13 @@ func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, pas
_ = passwdArray.sha1() // BAD
_ = harmlessArray.sha512() // GOOD
_ = phoneNumberArray.sha512() // GOOD
_ = passwdArray.sha512() // BAD [NOT DETECTED]
_ = passwdArray.sha512() // BAD
_ = harmlessArray.sha2(.sha512) // GOOD
_ = phoneNumberArray.sha2(.sha512) // GOOD
_ = passwdArray.sha2(.sha512) // BAD [NOT DETECTED]
_ = passwdArray.sha2(.sha512) // BAD
_ = harmlessArray.sha3(.sha512) // GOOD
_ = phoneNumberArray.sha3(.sha512) // GOOD
_ = passwdArray.sha3(.sha512) // BAD [NOT DETECTED]
_ = passwdArray.sha3(.sha512) // BAD
}
func testData(harmlessData: Data, medicalData: Data, passwdData: Data) {
@@ -204,13 +204,13 @@ func testData(harmlessData: Data, medicalData: Data, passwdData: Data) {
_ = passwdData.sha1() // BAD
_ = harmlessData.sha512() // GOOD
_ = medicalData.sha512() // GOOD
_ = passwdData.sha512() // BAD [NOT DETECTED]
_ = passwdData.sha512() // BAD
_ = harmlessData.sha2(.sha512) // GOOD
_ = medicalData.sha2(.sha512) // GOOD
_ = passwdData.sha2(.sha512) // BAD [NOT DETECTED]
_ = passwdData.sha2(.sha512) // BAD
_ = harmlessData.sha3(.sha512) // GOOD
_ = medicalData.sha3(.sha512) // GOOD
_ = passwdData.sha3(.sha512) // BAD [NOT DETECTED]
_ = passwdData.sha3(.sha512) // BAD
}
func testStrings(creditCardNumber: String, passwd: String) {
@@ -222,11 +222,11 @@ func testStrings(creditCardNumber: String, passwd: String) {
_ = passwd.sha1() // BAD
_ = "harmless".sha512() // GOOD
_ = creditCardNumber.sha512() // GOOD
_ = passwd.sha512() // BAD [NOT DETECTED]
_ = passwd.sha512() // BAD
_ = "harmless".sha2(.sha512) // GOOD
_ = creditCardNumber.sha2(.sha512) // GOOD
_ = passwd.sha2(.sha512) // BAD [NOT DETECTED]
_ = passwd.sha2(.sha512) // BAD
_ = "harmless".sha3(.sha512) // GOOD
_ = creditCardNumber.sha3(.sha512) // GOOD
_ = passwd.sha3(.sha512) // BAD [NOT DETECTED]
_ = passwd.sha3(.sha512) // BAD
}
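Review bot: The updated annotations in testArrays, testData and testStrings read plain `// BAD`, identical to the MD5 and SHA1 lines beside them, although the SHA-2 and SHA-3 password cases are flagged for a different reason: the algorithm is not broken, it is just too fast to use for password storage. The CryptoKit test in this commit spells that reason out, so these lines could match it, e.g. `_ = passwd.sha512() // BAD, not a computationally expensive hash`. That keeps visible why `creditCardNumber.sha512()` is GOOD while `passwd.sha512()` is not. The three functions begin outside the hunks shown here.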