Merge pull request #11876 from geoffw0/coredata

Swift: Improve Core Data sinks for swift/cleartext-storage-database
Geoffrey White
2023-01-20 11:02:03 +00:00
committed by GitHub
5 changed files with 183 additions and 8 deletions


@@ -27,7 +27,7 @@ abstract class Stored extends DataFlow::Node { }
*/
class CoreDataStore extends Stored {
CoreDataStore() {
// values written into Core Data objects are a sink
// values written into Core Data objects through `set*Value` methods are a sink.
exists(CallExpr call |
call.getStaticTarget()
.(MethodDecl)
@@ -35,6 +35,17 @@ class CoreDataStore extends Stored {
["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"]) and
call.getArgument(0).getExpr() = this.asExpr()
)
or
// any write into a class derived from `NSManagedObject` is a sink. For
// example in `coreDataObj.data = sensitive` the post-update node corresponding
// with `coreDataObj.data` is a sink.
// (ideally this would be only members with the `@NSManaged` attribute)
exists(ClassOrStructDecl cd, Expr e |
cd.getABaseTypeDecl*().getName() = "NSManagedObject" and
this.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = e and
e.getFullyConverted().getType() = cd.getType() and
not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl
)
}
}
@@ -141,12 +152,13 @@ class CleartextStorageConfig extends TaintTracking::Configuration {
}
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
// flow out from fields of a `RealmSwiftObject` at the sink, for example in
// `realmObj.data = sensitive`.
// flow out from fields of an `NSManagedObject` or `RealmSwiftObject` at the sink,
// for example in `realmObj.data = sensitive`.
isSink(node) and
exists(ClassOrStructDecl cd |
c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cd.getAMember() and
cd.getABaseTypeDecl*().getName() = "RealmSwiftObject"
exists(ClassOrStructDecl cd, IterableDeclContext cx |
cd.getABaseTypeDecl*().getName() = ["NSManagedObject", "RealmSwiftObject"] and
cx.getNominalTypeDecl() = cd and
c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
)
or
// any default implicit reads
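Review bot: The `not e.(DeclRefExpr).getDecl() instanceof SelfParamDecl` conjunct in the new `CoreDataStore` disjunct has no comment saying why writes through `self` are excluded, and it appears it would also drop a genuine store such as `self.myBankAccountNumber = sensitive` made inside a method of the managed class. If the intent is what it looks like, a line such as `// skip writes through self, e.g. inside an accessor that already calls setValue(_:forKey:)` would record it, and a `self.` write in the new test file would pin the behaviour. The disjunct also matches the post-update node of any expression whose type is an `NSManagedObject` subclass, not only the qualifier of a member assignment, which is wider than the comment's "any write into a class" suggests. The bodies of `CoreDataStore` and `allowImplicitRead` continue outside the visible hunks, so this is based only on the lines shown.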


@@ -1,9 +1,33 @@
edges
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [data] : |
| file://:0:0:0:0 | value : | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : |
| testCoreData2.swift:23:13:23:13 | value : | file://:0:0:0:0 | value : |
| testCoreData2.swift:37:2:37:2 | [post] obj [myValue] : | testCoreData2.swift:37:2:37:2 | [post] obj |
| testCoreData2.swift:37:16:37:16 | bankAccountNo : | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] : |
| testCoreData2.swift:39:2:39:2 | [post] obj [myBankAccountNumber] : | testCoreData2.swift:39:2:39:2 | [post] obj |
| testCoreData2.swift:39:28:39:28 | bankAccountNo : | testCoreData2.swift:39:2:39:2 | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:41:2:41:2 | [post] obj [myBankAccountNumber2] : | testCoreData2.swift:41:2:41:2 | [post] obj |
| testCoreData2.swift:41:29:41:29 | bankAccountNo : | testCoreData2.swift:41:2:41:2 | [post] obj [myBankAccountNumber2] : |
| testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] : | testCoreData2.swift:43:2:43:2 | [post] obj |
| testCoreData2.swift:43:35:43:35 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : |
| testCoreData2.swift:43:35:43:35 | bankAccountNo : | testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] : |
| testCoreData2.swift:46:2:46:10 | [post] ...? [myValue] : | testCoreData2.swift:46:2:46:10 | [post] ...? |
| testCoreData2.swift:46:22:46:22 | bankAccountNo : | testCoreData2.swift:46:2:46:10 | [post] ...? [myValue] : |
| testCoreData2.swift:48:2:48:10 | [post] ...? [myBankAccountNumber] : | testCoreData2.swift:48:2:48:10 | [post] ...? |
| testCoreData2.swift:48:34:48:34 | bankAccountNo : | testCoreData2.swift:48:2:48:10 | [post] ...? [myBankAccountNumber] : |
| testCoreData2.swift:50:2:50:10 | [post] ...? [myBankAccountNumber2] : | testCoreData2.swift:50:2:50:10 | [post] ...? |
| testCoreData2.swift:50:35:50:35 | bankAccountNo : | testCoreData2.swift:50:2:50:10 | [post] ...? [myBankAccountNumber2] : |
| testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] : | testCoreData2.swift:52:2:52:10 | [post] ...? |
| testCoreData2.swift:52:41:52:41 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : |
| testCoreData2.swift:52:41:52:41 | bankAccountNo : | testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] : |
| testCoreData2.swift:57:3:57:3 | [post] obj [myBankAccountNumber] : | testCoreData2.swift:57:3:57:3 | [post] obj |
| testCoreData2.swift:57:29:57:29 | bankAccountNo : | testCoreData2.swift:57:3:57:3 | [post] obj [myBankAccountNumber] : |
| testCoreData.swift:18:19:18:26 | value : | testCoreData.swift:19:12:19:12 | value |
| testCoreData.swift:31:3:31:3 | newValue : | testCoreData.swift:32:13:32:13 | newValue |
| testCoreData.swift:61:25:61:25 | password : | testCoreData.swift:18:19:18:26 | value : |
| testCoreData.swift:64:2:64:2 | [post] obj [myValue] : | testCoreData.swift:64:2:64:2 | [post] obj |
| testCoreData.swift:64:16:64:16 | password : | testCoreData.swift:31:3:31:3 | newValue : |
| testCoreData.swift:64:16:64:16 | password : | testCoreData.swift:64:2:64:2 | [post] obj [myValue] : |
| testCoreData.swift:77:24:77:24 | x : | testCoreData.swift:78:15:78:15 | x |
| testCoreData.swift:80:10:80:22 | call to getPassword() : | testCoreData.swift:81:15:81:15 | y |
| testCoreData.swift:91:10:91:10 | passwd : | testCoreData.swift:95:15:95:15 | x |
@@ -75,7 +99,37 @@ edges
| testRealm.swift:59:11:59:11 | myPassword : | testRealm.swift:59:2:59:2 | [post] g [data] : |
nodes
| file://:0:0:0:0 | [post] self [data] : | semmle.label | [post] self [data] : |
| file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | semmle.label | [post] self [notStoredBankAccountNumber] : |
| file://:0:0:0:0 | value : | semmle.label | value : |
| file://:0:0:0:0 | value : | semmle.label | value : |
| testCoreData2.swift:23:13:23:13 | value : | semmle.label | value : |
| testCoreData2.swift:37:2:37:2 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:37:2:37:2 | [post] obj [myValue] : | semmle.label | [post] obj [myValue] : |
| testCoreData2.swift:37:16:37:16 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:39:2:39:2 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:39:2:39:2 | [post] obj [myBankAccountNumber] : | semmle.label | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:39:28:39:28 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:41:2:41:2 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:41:2:41:2 | [post] obj [myBankAccountNumber2] : | semmle.label | [post] obj [myBankAccountNumber2] : |
| testCoreData2.swift:41:29:41:29 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:43:2:43:2 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] : | semmle.label | [post] obj [notStoredBankAccountNumber] : |
| testCoreData2.swift:43:35:43:35 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:46:2:46:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:46:2:46:10 | [post] ...? [myValue] : | semmle.label | [post] ...? [myValue] : |
| testCoreData2.swift:46:22:46:22 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:48:2:48:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:48:2:48:10 | [post] ...? [myBankAccountNumber] : | semmle.label | [post] ...? [myBankAccountNumber] : |
| testCoreData2.swift:48:34:48:34 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:50:2:50:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:50:2:50:10 | [post] ...? [myBankAccountNumber2] : | semmle.label | [post] ...? [myBankAccountNumber2] : |
| testCoreData2.swift:50:35:50:35 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:52:2:52:10 | [post] ...? | semmle.label | [post] ...? |
| testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] : | semmle.label | [post] ...? [notStoredBankAccountNumber] : |
| testCoreData2.swift:52:41:52:41 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData2.swift:57:3:57:3 | [post] obj | semmle.label | [post] obj |
| testCoreData2.swift:57:3:57:3 | [post] obj [myBankAccountNumber] : | semmle.label | [post] obj [myBankAccountNumber] : |
| testCoreData2.swift:57:29:57:29 | bankAccountNo : | semmle.label | bankAccountNo : |
| testCoreData.swift:18:19:18:26 | value : | semmle.label | value : |
| testCoreData.swift:19:12:19:12 | value | semmle.label | value |
| testCoreData.swift:31:3:31:3 | newValue : | semmle.label | newValue : |
@@ -84,6 +138,8 @@ nodes
| testCoreData.swift:51:24:51:24 | password | semmle.label | password |
| testCoreData.swift:58:15:58:15 | password | semmle.label | password |
| testCoreData.swift:61:25:61:25 | password : | semmle.label | password : |
| testCoreData.swift:64:2:64:2 | [post] obj | semmle.label | [post] obj |
| testCoreData.swift:64:2:64:2 | [post] obj [myValue] : | semmle.label | [post] obj [myValue] : |
| testCoreData.swift:64:16:64:16 | password : | semmle.label | password : |
| testCoreData.swift:77:24:77:24 | x : | semmle.label | x : |
| testCoreData.swift:78:15:78:15 | x | semmle.label | x |
@@ -212,16 +268,28 @@ nodes
| testRealm.swift:59:2:59:2 | [post] g [data] : | semmle.label | [post] g [data] : |
| testRealm.swift:59:11:59:11 | myPassword : | semmle.label | myPassword : |
subpaths
| testCoreData2.swift:43:35:43:35 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | testCoreData2.swift:43:2:43:2 | [post] obj [notStoredBankAccountNumber] : |
| testCoreData2.swift:52:41:52:41 | bankAccountNo : | testCoreData2.swift:23:13:23:13 | value : | file://:0:0:0:0 | [post] self [notStoredBankAccountNumber] : | testCoreData2.swift:52:2:52:10 | [post] ...? [notStoredBankAccountNumber] : |
| testRealm.swift:34:11:34:11 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:34:2:34:2 | [post] a [data] : |
| testRealm.swift:42:11:42:11 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:42:2:42:2 | [post] c [data] : |
| testRealm.swift:52:12:52:12 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:52:2:52:3 | [post] ...! [data] : |
| testRealm.swift:59:11:59:11 | myPassword : | testRealm.swift:16:6:16:6 | value : | file://:0:0:0:0 | [post] self [data] : | testRealm.swift:59:2:59:2 | [post] g [data] : |
#select
| testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo : | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo : | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:41:2:41:2 | obj | testCoreData2.swift:41:29:41:29 | bankAccountNo : | testCoreData2.swift:41:2:41:2 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:41:29:41:29 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:43:2:43:2 | obj | testCoreData2.swift:43:35:43:35 | bankAccountNo : | testCoreData2.swift:43:2:43:2 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:43:35:43:35 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:46:2:46:10 | ...? | testCoreData2.swift:46:22:46:22 | bankAccountNo : | testCoreData2.swift:46:2:46:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:46:22:46:22 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:48:2:48:10 | ...? | testCoreData2.swift:48:34:48:34 | bankAccountNo : | testCoreData2.swift:48:2:48:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:48:34:48:34 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:50:2:50:10 | ...? | testCoreData2.swift:50:35:50:35 | bankAccountNo : | testCoreData2.swift:50:2:50:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:50:35:50:35 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:52:2:52:10 | ...? | testCoreData2.swift:52:41:52:41 | bankAccountNo : | testCoreData2.swift:52:2:52:10 | [post] ...? | This operation stores '[post] ...?' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:52:41:52:41 | bankAccountNo : | bankAccountNo |
| testCoreData2.swift:57:3:57:3 | obj | testCoreData2.swift:57:29:57:29 | bankAccountNo : | testCoreData2.swift:57:3:57:3 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:57:29:57:29 | bankAccountNo : | bankAccountNo |
| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password : | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password : | password |
| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password : | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password : | password |
| testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password |
| testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password |
| testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password |
| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password : | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores '[post] obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password : | password |
| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x : | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x : | x |
| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() : | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() : | call to getPassword() |
| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password |


@@ -8,6 +8,34 @@
| testAlamofire.swift:195:64:195:64 | password | label:password, type:credential |
| testAlamofire.swift:205:62:205:62 | password | label:password, type:credential |
| testAlamofire.swift:213:65:213:65 | password | label:password, type:credential |
| testCoreData2.swift:37:16:37:16 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:38:2:38:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:39:2:39:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:39:28:39:28 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:40:2:40:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
| testCoreData2.swift:41:2:41:6 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
| testCoreData2.swift:41:29:41:29 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:42:2:42:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
| testCoreData2.swift:43:2:43:6 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
| testCoreData2.swift:43:35:43:35 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:46:22:46:22 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:47:2:47:12 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:48:2:48:12 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:48:34:48:34 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:49:2:49:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
| testCoreData2.swift:50:2:50:12 | .myBankAccountNumber2 | label:myBankAccountNumber2, type:private information |
| testCoreData2.swift:50:35:50:35 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:51:2:51:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
| testCoreData2.swift:52:2:52:12 | .notStoredBankAccountNumber | label:notStoredBankAccountNumber, type:private information |
| testCoreData2.swift:52:41:52:41 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:57:3:57:7 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:57:29:57:29 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:60:4:60:8 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:60:30:60:30 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:62:4:62:8 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:62:30:62:30 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData2.swift:65:3:65:7 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
| testCoreData2.swift:65:29:65:29 | bankAccountNo | label:bankAccountNo, type:private information |
| testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
| testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
| testCoreData.swift:58:15:58:15 | password | label:password, type:credential |


@@ -29,7 +29,7 @@ class MyManagedObject : NSManagedObject
}
}
set {
setValue(newValue, forKey: "myKey")
setValue(newValue, forKey: "myKey") // [additional result reported here]
}
}
}
@@ -61,7 +61,7 @@ func test2(obj : MyManagedObject, password : String, password_file : String) {
obj.setIndirect(value: password) // BAD [reported on line 19]
obj.setIndirect(value: password_file) // GOOD (not sensitive)
obj.myValue = password // BAD [reported on line 32]
obj.myValue = password // BAD [also reported on line 32]
obj.myValue = password_file // GOOD (not sensitive)
}


@@ -0,0 +1,67 @@
// --- stubs ---
class NSObject
{
}
@propertyWrapper
struct NSManaged { // note: this may not be an accurate stub for `NSManaged`.
var wrappedValue: Any {
didSet {}
}
}
class NSManagedObject : NSObject
{
}
class MyManagedObject2 : NSManagedObject
{
@NSManaged public var myValue: Int
@NSManaged public var myBankAccountNumber : Int
public var notStoredBankAccountNumber: Int = 0
}
extension MyManagedObject2
{
@NSManaged public var myBankAccountNumber2 : Int
}
// --- tests ---
func testCoreData2_1(obj: MyManagedObject2, maybeObj: MyManagedObject2?, value: Int, bankAccountNo: Int)
{
// @NSManaged fields of an NSManagedObject...
obj.myValue = value // GOOD (not sensitive)
obj.myValue = bankAccountNo // BAD
obj.myBankAccountNumber = value // BAD [NOT DETECTED]
obj.myBankAccountNumber = bankAccountNo // BAD
obj.myBankAccountNumber2 = value // BAD [NOT DETECTED]
obj.myBankAccountNumber2 = bankAccountNo // BAD
obj.notStoredBankAccountNumber = value // GOOD (not stored in the database)
obj.notStoredBankAccountNumber = bankAccountNo // GOOD (not stored in the datbase) [FALSE POSITIVE]
maybeObj?.myValue = value // GOOD (not sensitive)
maybeObj?.myValue = bankAccountNo // BAD
maybeObj?.myBankAccountNumber = value // BAD [NOT DETECTED]
maybeObj?.myBankAccountNumber = bankAccountNo // BAD
maybeObj?.myBankAccountNumber2 = value // BAD [NOT DETECTED]
maybeObj?.myBankAccountNumber2 = bankAccountNo // BAD
maybeObj?.notStoredBankAccountNumber = value // GOOD (not stored in the database)
maybeObj?.notStoredBankAccountNumber = bankAccountNo // GOOD (not stored in the datbase) [FALSE POSITIVE]
}
class testCoreData2_2 {
func myFunc(obj: MyManagedObject2, bankAccountNo: Int) {
obj.myBankAccountNumber = bankAccountNo // BAD
if #available(iOS 10.0, *) {
obj.myBankAccountNumber = bankAccountNo // BAD [NOT DETECTED]
} else {
obj.myBankAccountNumber = bankAccountNo // BAD [NOT DETECTED]
}
obj.myBankAccountNumber = bankAccountNo // BAD [NOT DETECTED]
}
}
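Review bot: The three `// BAD [NOT DETECTED]` writes in `testCoreData2_2.myFunc` give no reason why only the first assignment to `obj.myBankAccountNumber` is reported, so a reader cannot tell a known analysis limitation from a regression. A comment above the `if #available` block, for example `// only the first write to obj in this function is currently reported`, would record the gap; the cause is not visible on this page and should be confirmed by the author. The two `[FALSE POSITIVE]` comments in `testCoreData2_1` spell "datbase" where "database" is meant.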