Swift: Add HashFunction protocol and other realism to the CryptoKit test stubs (this is needed for new cases to work as intended).

Geoffrey White
2026-05-19 16:50:24 +01:00
parent 5a219d1527
commit b44bca9ea7
3 changed files with 105 additions and 146 deletions


@@ -1,27 +1,10 @@
edges
| testCryptoKit.swift:199:38:199:38 | passwordString | testCryptoKit.swift:199:38:199:53 | .utf8 | provenance | |
| testCryptoKit.swift:199:38:199:53 | .utf8 | testCryptoKit.swift:199:33:199:57 | call to Data.init(_:) | provenance | |
nodes
| testCryptoKit.swift:65:47:65:47 | passwd | semmle.label | passwd |
| testCryptoKit.swift:71:36:71:36 | passwd | semmle.label | passwd |
| testCryptoKit.swift:77:44:77:44 | passwd | semmle.label | passwd |
| testCryptoKit.swift:83:37:83:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:89:37:89:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:95:37:95:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:104:23:104:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:113:23:113:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:122:23:122:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:131:23:131:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:140:23:140:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:149:32:149:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:158:32:158:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:167:32:167:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:176:32:176:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:185:32:185:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:195:49:195:49 | passwordData | semmle.label | passwordData |
| testCryptoKit.swift:199:33:199:57 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
| testCryptoKit.swift:199:38:199:38 | passwordString | semmle.label | passwordString |
| testCryptoKit.swift:199:38:199:53 | .utf8 | semmle.label | .utf8 |
| testCryptoKit.swift:168:32:168:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:177:32:177:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:186:32:186:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:195:32:195:32 | passwd | semmle.label | passwd |
| testCryptoKit.swift:204:32:204:32 | passwd | semmle.label | passwd |
| testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
| testCryptoSwift.swift:160:47:160:47 | passwdArray | semmle.label | passwdArray |
@@ -48,24 +31,11 @@ nodes
| testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd |
subpaths
#select
| testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:65:47:65:47 | passwd | password (passwd) |
| testCryptoKit.swift:71:36:71:36 | passwd | testCryptoKit.swift:71:36:71:36 | passwd | testCryptoKit.swift:71:36:71:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:71:36:71:36 | passwd | password (passwd) |
| testCryptoKit.swift:77:44:77:44 | passwd | testCryptoKit.swift:77:44:77:44 | passwd | testCryptoKit.swift:77:44:77:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:77:44:77:44 | passwd | password (passwd) |
| testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:83:37:83:37 | passwd | password (passwd) |
| testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:89:37:89:37 | passwd | password (passwd) |
| testCryptoKit.swift:95:37:95:37 | passwd | testCryptoKit.swift:95:37:95:37 | passwd | testCryptoKit.swift:95:37:95:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:95:37:95:37 | passwd | password (passwd) |
| testCryptoKit.swift:104:23:104:23 | passwd | testCryptoKit.swift:104:23:104:23 | passwd | testCryptoKit.swift:104:23:104:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:104:23:104:23 | passwd | password (passwd) |
| testCryptoKit.swift:113:23:113:23 | passwd | testCryptoKit.swift:113:23:113:23 | passwd | testCryptoKit.swift:113:23:113:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:113:23:113:23 | passwd | password (passwd) |
| testCryptoKit.swift:122:23:122:23 | passwd | testCryptoKit.swift:122:23:122:23 | passwd | testCryptoKit.swift:122:23:122:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:122:23:122:23 | passwd | password (passwd) |
| testCryptoKit.swift:131:23:131:23 | passwd | testCryptoKit.swift:131:23:131:23 | passwd | testCryptoKit.swift:131:23:131:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:131:23:131:23 | passwd | password (passwd) |
| testCryptoKit.swift:140:23:140:23 | passwd | testCryptoKit.swift:140:23:140:23 | passwd | testCryptoKit.swift:140:23:140:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:140:23:140:23 | passwd | password (passwd) |
| testCryptoKit.swift:149:32:149:32 | passwd | testCryptoKit.swift:149:32:149:32 | passwd | testCryptoKit.swift:149:32:149:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:149:32:149:32 | passwd | password (passwd) |
| testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:158:32:158:32 | passwd | password (passwd) |
| testCryptoKit.swift:167:32:167:32 | passwd | testCryptoKit.swift:167:32:167:32 | passwd | testCryptoKit.swift:167:32:167:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:167:32:167:32 | passwd | password (passwd) |
| testCryptoKit.swift:176:32:176:32 | passwd | testCryptoKit.swift:176:32:176:32 | passwd | testCryptoKit.swift:176:32:176:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:176:32:176:32 | passwd | password (passwd) |
| testCryptoKit.swift:185:32:185:32 | passwd | testCryptoKit.swift:185:32:185:32 | passwd | testCryptoKit.swift:185:32:185:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:185:32:185:32 | passwd | password (passwd) |
| testCryptoKit.swift:195:49:195:49 | passwordData | testCryptoKit.swift:195:49:195:49 | passwordData | testCryptoKit.swift:195:49:195:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:195:49:195:49 | passwordData | password (passwordData) |
| testCryptoKit.swift:199:33:199:57 | call to Data.init(_:) | testCryptoKit.swift:199:38:199:38 | passwordString | testCryptoKit.swift:199:33:199:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:199:38:199:38 | passwordString | password (passwordString) |
| testCryptoKit.swift:168:32:168:32 | passwd | testCryptoKit.swift:168:32:168:32 | passwd | testCryptoKit.swift:168:32:168:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:168:32:168:32 | passwd | password (passwd) |
| testCryptoKit.swift:177:32:177:32 | passwd | testCryptoKit.swift:177:32:177:32 | passwd | testCryptoKit.swift:177:32:177:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:177:32:177:32 | passwd | password (passwd) |
| testCryptoKit.swift:186:32:186:32 | passwd | testCryptoKit.swift:186:32:186:32 | passwd | testCryptoKit.swift:186:32:186:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:186:32:186:32 | passwd | password (passwd) |
| testCryptoKit.swift:195:32:195:32 | passwd | testCryptoKit.swift:195:32:195:32 | passwd | testCryptoKit.swift:195:32:195:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:195:32:195:32 | passwd | password (passwd) |
| testCryptoKit.swift:204:32:204:32 | passwd | testCryptoKit.swift:204:32:204:32 | passwd | testCryptoKit.swift:204:32:204:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:204:32:204:32 | passwd | password (passwd) |
| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) |


@@ -1,26 +1,11 @@
edges
nodes
| testCryptoKit.swift:66:43:66:43 | cert | semmle.label | cert |
| testCryptoKit.swift:68:43:68:43 | account_no | semmle.label | account_no |
| testCryptoKit.swift:69:43:69:43 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:72:36:72:36 | cert | semmle.label | cert |
| testCryptoKit.swift:74:36:74:36 | account_no | semmle.label | account_no |
| testCryptoKit.swift:75:36:75:36 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:78:44:78:44 | cert | semmle.label | cert |
| testCryptoKit.swift:80:44:80:44 | account_no | semmle.label | account_no |
| testCryptoKit.swift:81:44:81:44 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:105:23:105:23 | cert | semmle.label | cert |
| testCryptoKit.swift:107:23:107:23 | account_no | semmle.label | account_no |
| testCryptoKit.swift:108:23:108:23 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:114:23:114:23 | cert | semmle.label | cert |
| testCryptoKit.swift:116:23:116:23 | account_no | semmle.label | account_no |
| testCryptoKit.swift:117:23:117:23 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:150:32:150:32 | cert | semmle.label | cert |
| testCryptoKit.swift:152:32:152:32 | account_no | semmle.label | account_no |
| testCryptoKit.swift:153:32:153:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:159:32:159:32 | cert | semmle.label | cert |
| testCryptoKit.swift:161:32:161:32 | account_no | semmle.label | account_no |
| testCryptoKit.swift:162:32:162:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:169:32:169:32 | cert | semmle.label | cert |
| testCryptoKit.swift:171:32:171:32 | account_no | semmle.label | account_no |
| testCryptoKit.swift:172:32:172:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoKit.swift:178:32:178:32 | cert | semmle.label | cert |
| testCryptoKit.swift:180:32:180:32 | account_no | semmle.label | account_no |
| testCryptoKit.swift:181:32:181:32 | credit_card_no | semmle.label | credit_card_no |
| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | semmle.label | phoneNumberArray |
| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | semmle.label | phoneNumberArray |
| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | semmle.label | phoneNumberArray |
@@ -33,27 +18,12 @@ nodes
| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | semmle.label | creditCardNumber |
subpaths
#select
| testCryptoKit.swift:66:43:66:43 | cert | testCryptoKit.swift:66:43:66:43 | cert | testCryptoKit.swift:66:43:66:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:66:43:66:43 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:68:43:68:43 | account_no | testCryptoKit.swift:68:43:68:43 | account_no | testCryptoKit.swift:68:43:68:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:68:43:68:43 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:69:43:69:43 | credit_card_no | testCryptoKit.swift:69:43:69:43 | credit_card_no | testCryptoKit.swift:69:43:69:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:69:43:69:43 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:72:36:72:36 | cert | testCryptoKit.swift:72:36:72:36 | cert | testCryptoKit.swift:72:36:72:36 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:72:36:72:36 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:74:36:74:36 | account_no | testCryptoKit.swift:74:36:74:36 | account_no | testCryptoKit.swift:74:36:74:36 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:74:36:74:36 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:75:36:75:36 | credit_card_no | testCryptoKit.swift:75:36:75:36 | credit_card_no | testCryptoKit.swift:75:36:75:36 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:75:36:75:36 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:78:44:78:44 | cert | testCryptoKit.swift:78:44:78:44 | cert | testCryptoKit.swift:78:44:78:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:78:44:78:44 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:80:44:80:44 | account_no | testCryptoKit.swift:80:44:80:44 | account_no | testCryptoKit.swift:80:44:80:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:80:44:80:44 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:81:44:81:44 | credit_card_no | testCryptoKit.swift:81:44:81:44 | credit_card_no | testCryptoKit.swift:81:44:81:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:81:44:81:44 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:105:23:105:23 | cert | testCryptoKit.swift:105:23:105:23 | cert | testCryptoKit.swift:105:23:105:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:105:23:105:23 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:107:23:107:23 | account_no | testCryptoKit.swift:107:23:107:23 | account_no | testCryptoKit.swift:107:23:107:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:107:23:107:23 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:108:23:108:23 | credit_card_no | testCryptoKit.swift:108:23:108:23 | credit_card_no | testCryptoKit.swift:108:23:108:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:108:23:108:23 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:114:23:114:23 | cert | testCryptoKit.swift:114:23:114:23 | cert | testCryptoKit.swift:114:23:114:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:114:23:114:23 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:116:23:116:23 | account_no | testCryptoKit.swift:116:23:116:23 | account_no | testCryptoKit.swift:116:23:116:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:116:23:116:23 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:117:23:117:23 | credit_card_no | testCryptoKit.swift:117:23:117:23 | credit_card_no | testCryptoKit.swift:117:23:117:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:117:23:117:23 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:150:32:150:32 | cert | testCryptoKit.swift:150:32:150:32 | cert | testCryptoKit.swift:150:32:150:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:150:32:150:32 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:152:32:152:32 | account_no | testCryptoKit.swift:152:32:152:32 | account_no | testCryptoKit.swift:152:32:152:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:152:32:152:32 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:153:32:153:32 | credit_card_no | testCryptoKit.swift:153:32:153:32 | credit_card_no | testCryptoKit.swift:153:32:153:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:153:32:153:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:159:32:159:32 | cert | testCryptoKit.swift:159:32:159:32 | cert | testCryptoKit.swift:159:32:159:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:159:32:159:32 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:161:32:161:32 | account_no | testCryptoKit.swift:161:32:161:32 | account_no | testCryptoKit.swift:161:32:161:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:161:32:161:32 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:162:32:162:32 | credit_card_no | testCryptoKit.swift:162:32:162:32 | credit_card_no | testCryptoKit.swift:162:32:162:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:162:32:162:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:169:32:169:32 | cert | testCryptoKit.swift:169:32:169:32 | cert | testCryptoKit.swift:169:32:169:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:169:32:169:32 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:171:32:171:32 | account_no | testCryptoKit.swift:171:32:171:32 | account_no | testCryptoKit.swift:171:32:171:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:171:32:171:32 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:172:32:172:32 | credit_card_no | testCryptoKit.swift:172:32:172:32 | credit_card_no | testCryptoKit.swift:172:32:172:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:172:32:172:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoKit.swift:178:32:178:32 | cert | testCryptoKit.swift:178:32:178:32 | cert | testCryptoKit.swift:178:32:178:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:178:32:178:32 | cert | sensitive data (credential cert) |
| testCryptoKit.swift:180:32:180:32 | account_no | testCryptoKit.swift:180:32:180:32 | account_no | testCryptoKit.swift:180:32:180:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:180:32:180:32 | account_no | sensitive data (private information account_no) |
| testCryptoKit.swift:181:32:181:32 | credit_card_no | testCryptoKit.swift:181:32:181:32 | credit_card_no | testCryptoKit.swift:181:32:181:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:181:32:181:32 | credit_card_no | sensitive data (private information credit_card_no) |
| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) |


@@ -7,92 +7,111 @@ class Data
init<S>(_ elements: S) {}
}
struct SHA256 {
static func hash<D>(data: D) -> [UInt8] {
return []
}
public protocol HashFunction {
associatedtype Digest
func update<D>(data: D) {}
func update(bufferPointer: UnsafeRawBufferPointer) {}
func finalize() -> [UInt8] { return [] }
init()
mutating func update(bufferPointer: UnsafeRawBufferPointer)
func finalize() -> Digest
}
struct SHA384 {
static func hash<D>(data: D) -> [UInt8] {
return []
extension HashFunction {
@inlinable
public static func hash(bufferPointer: UnsafeRawBufferPointer) -> Digest {
var hasher = Self()
hasher.update(bufferPointer: bufferPointer)
return hasher.finalize()
}
func update<D>(data: D) {}
func update(bufferPointer: UnsafeRawBufferPointer) {}
func finalize() -> [UInt8] { return [] }
}
struct SHA512 {
static func hash<D>(data: D) -> [UInt8] {
return []
@inlinable
public static func hash<D>(data: D) -> Self.Digest {
var hasher = Self()
hasher.update(data: data)
return hasher.finalize()
}
func update<D>(data: D) {}
func update(bufferPointer: UnsafeRawBufferPointer) {}
func finalize() -> [UInt8] { return [] }
@inlinable
public mutating func update<D>(data: D) {
// ...
}
}
public struct SHA256: HashFunction {
public typealias Digest = [UInt8]
public init() {}
public mutating func update(bufferPointer: UnsafeRawBufferPointer) {}
public func finalize() -> Digest { return [] }
}
public struct SHA384: HashFunction {
public typealias Digest = [UInt8]
public init() {}
public mutating func update(bufferPointer: UnsafeRawBufferPointer) {}
public func finalize() -> Digest { return [] }
}
public struct SHA512: HashFunction {
public typealias Digest = [UInt8]
public init() {}
public mutating func update(bufferPointer: UnsafeRawBufferPointer) {}
public func finalize() -> Digest { return [] }
}
enum Insecure {
struct MD5 {
static func hash<D>(data: D) -> [UInt8] {
return []
}
public struct MD5: HashFunction {
public typealias Digest = [UInt8]
func update<D>(data: D) {}
func update(bufferPointer: UnsafeRawBufferPointer) {}
func finalize() -> [UInt8] { return [] }
public init() {}
public mutating func update(bufferPointer: UnsafeRawBufferPointer) {}
public func finalize() -> Digest { return [] }
}
struct SHA1 {
static func hash<D>(data: D) -> [UInt8] {
return []
}
func update<D>(data: D) {}
func update(bufferPointer: UnsafeRawBufferPointer) {}
func finalize() -> [UInt8] { return [] }
public struct SHA1: HashFunction {
public typealias Digest = [UInt8]
public init() {}
public mutating func update(bufferPointer: UnsafeRawBufferPointer) {}
public func finalize() -> Digest { return [] }
}
}
// --- tests ---
func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD
hash = Crypto.Insecure.MD5.hash(data: cert) // BAD
var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD [NOT DETECTED]
hash = Crypto.Insecure.MD5.hash(data: cert) // BAD [NOT DETECTED]
hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD
hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD
hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD [NOT DETECTED]
hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD [NOT DETECTED]
hash = Insecure.MD5.hash(data: passwd) // BAD
hash = Insecure.MD5.hash(data: cert) // BAD
hash = Insecure.MD5.hash(data: passwd) // BAD [NOT DETECTED]
hash = Insecure.MD5.hash(data: cert) // BAD [NOT DETECTED]
hash = Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Insecure.MD5.hash(data: account_no) // BAD
hash = Insecure.MD5.hash(data: credit_card_no) // BAD
hash = Insecure.MD5.hash(data: account_no) // BAD [NOT DETECTED]
hash = Insecure.MD5.hash(data: credit_card_no) // BAD [NOT DETECTED]
hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD
hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD
hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD [NOT DETECTED]
hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD [NOT DETECTED]
hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD
hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD
hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD [NOT DETECTED]
hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD [NOT DETECTED]
hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA256.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA256.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA384.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA384.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA512.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA512.hash(data: account_no) // GOOD, computationally expensive hash not required
@@ -101,25 +120,25 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.Insecure.MD5()
hash.update(data: passwd) // BAD
hash.update(data: cert) // BAD
hash.update(data: passwd) // BAD [NOT DETECTED]
hash.update(data: cert) // BAD [NOT DETECTED]
hash.update(data: encrypted_passwd) // GOOD (not sensitive)
hash.update(data: account_no) // BAD
hash.update(data: credit_card_no) // BAD
hash.update(data: account_no) // BAD [NOT DETECTED]
hash.update(data: credit_card_no) // BAD [NOT DETECTED]
}
func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.Insecure.SHA1()
hash.update(data: passwd) // BAD
hash.update(data: cert) // BAD
hash.update(data: passwd) // BAD [NOT DETECTED]
hash.update(data: cert) // BAD [NOT DETECTED]
hash.update(data: encrypted_passwd) // GOOD (not sensitive)
hash.update(data: account_no) // BAD
hash.update(data: credit_card_no) // BAD
hash.update(data: account_no) // BAD [NOT DETECTED]
hash.update(data: credit_card_no) // BAD [NOT DETECTED]
}
func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA256()
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash.update(data: cert) // GOOD
hash.update(data: encrypted_passwd) // GOOD (not sensitive)
hash.update(data: account_no) // GOOD
@@ -128,7 +147,7 @@ func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd :
func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA384()
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash.update(data: cert) // GOOD
hash.update(data: encrypted_passwd) // GOOD (not sensitive)
hash.update(data: account_no) // GOOD
@@ -137,7 +156,7 @@ func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd :
func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.SHA512()
hash.update(data: passwd) // BAD, not a computationally expensive hash
hash.update(data: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash.update(data: cert) // GOOD
hash.update(data: encrypted_passwd) // GOOD (not sensitive)
hash.update(data: account_no) // GOOD
@@ -189,14 +208,14 @@ func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer,
hash.update(bufferPointer: credit_card_no) // GOOD
}
func tesBadExample(passwordString: String) {
func testBadExample(passwordString: String) {
// this is the "bad" example from the .qhelp
let passwordData = Data(passwordString.utf8)
let passwordHash = Crypto.SHA512.hash(data: passwordData) // BAD, not a computationally expensive hash
let passwordHash = Crypto.SHA512.hash(data: passwordData) // BAD, not a computationally expensive hash [NOT DETECTED]
// ...
if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // BAD, not a computationally expensive hash
if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash { // BAD, not a computationally expensive hash [NOT DETECTED]
// ...
}
}
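Review bot: Every `hash(data:)` and `update(data:)` case in this test file flips from `// BAD` to `// BAD [NOT DETECTED]`, so after this commit the weak-hashing tests no longer confirm detection at those CryptoKit sinks. The CryptoKit rows that remain in the two expected-output sections appear to be the `update(bufferPointer:)` cases only. Both methods now live in `extension HashFunction` rather than on each hash struct, which is presumably why the existing sink models stop matching; that should be confirmed against the query's models. The commit description should state that this is a known regression and point at the change that restores the results, so the markers are not mistaken for accepted false negatives. A comment above the extension would also help, e.g. `// hash(data:) and update(data:) are declared on the protocol extension, as in CryptoKit; sink models must match HashFunction members, not the concrete hash types.`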