Merge pull request #13177 from MathiasVP/recommend-secure-randomness

Swift: Recommend a proper source of randomness in `swift/hardcoded-key`
2025-12-17 01:03:14 +01:00 · 2023-05-16 18:04:13 +01:00
parent 3bd16fa1d8 9def3dd440
commit 99545420d5
1 changed files with 10 additions and 7 deletions
--- a/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.swift
+++ b/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.swift
@@ -13,13 +13,16 @@ func encrypt(padding : Padding) {


 	// GOOD: Using randomly generated keys for encryption
-	let key = (0..<10).map({ _ in UInt8.random(in: 0...UInt8.max) })
-	let keyString = String(cString: key)
-	let ivString = getRandomIV()
-	_ = try AES(key: key, blockMode: CBC(), padding: padding)
-	_ = try AES(key: keyString, iv: ivString)
-	_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
-	_ = try Blowfish(key: keyString, iv: ivString)
+	var key = [Int8](repeating: 0, count: 10)
+	let status = SecRandomCopyBytes(kSecRandomDefault, key.count - 1, &key)
+	if status == errSecSuccess {
+		let keyString = String(cString: key)
+		let ivString = getRandomIV()
+		_ = try AES(key: key, blockMode: CBC(), padding: padding)
+		_ = try AES(key: keyString, iv: ivString)
+		_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
+		_ = try Blowfish(key: keyString, iv: ivString)
+	}

 	// ...
 }