Swift: Add some more test cases.

Geoffrey White
2023-05-30 16:06:57 +01:00
parent edfdddb24a
commit bc57e464e5
5 changed files with 81 additions and 52 deletions


@@ -7,14 +7,14 @@ edges
| testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) |
| testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:33:14:33:32 | call to Data.init(_:) |
| testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data |
| testSend.swift:52:13:52:13 | password | testSend.swift:59:27:59:27 | str1 |
| testSend.swift:53:13:53:13 | password | testSend.swift:60:27:60:27 | str2 |
| testSend.swift:54:13:54:25 | call to pad(_:) | testSend.swift:61:27:61:27 | str3 |
| testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data |
| testSend.swift:54:17:54:17 | password | testSend.swift:54:13:54:25 | call to pad(_:) |
| testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
| testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... |
| testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
| testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 |
| testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 |
| testSend.swift:60:13:60:25 | call to pad(_:) | testSend.swift:67:27:67:27 | str3 |
| testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data |
| testSend.swift:60:17:60:17 | password | testSend.swift:60:13:60:25 | call to pad(_:) |
| testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... |
| testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... |
| testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... |
nodes
| file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | semmle.label | [summary] to write: return (return) in Data.init(_:) |
| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
@@ -30,37 +30,39 @@ nodes
| testSend.swift:37:19:37:19 | data2 | semmle.label | data2 |
| testSend.swift:41:10:41:18 | data | semmle.label | data |
| testSend.swift:41:45:41:45 | data | semmle.label | data |
| testSend.swift:52:13:52:13 | password | semmle.label | password |
| testSend.swift:53:13:53:13 | password | semmle.label | password |
| testSend.swift:54:13:54:25 | call to pad(_:) | semmle.label | call to pad(_:) |
| testSend.swift:54:17:54:17 | password | semmle.label | password |
| testSend.swift:59:27:59:27 | str1 | semmle.label | str1 |
| testSend.swift:60:27:60:27 | str2 | semmle.label | str2 |
| testSend.swift:61:27:61:27 | str3 | semmle.label | str3 |
| testSend.swift:65:27:65:27 | license_key | semmle.label | license_key |
| testSend.swift:66:27:66:30 | .mobileNumber | semmle.label | .mobileNumber |
| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:13:54:13:54 | passwd | semmle.label | passwd |
| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:15:55:15:55 | account_no | semmle.label | account_no |
| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:16:55:16:55 | credit_card_no | semmle.label | credit_card_no |
| testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
| testSend.swift:58:13:58:13 | password | semmle.label | password |
| testSend.swift:59:13:59:13 | password | semmle.label | password |
| testSend.swift:60:13:60:25 | call to pad(_:) | semmle.label | call to pad(_:) |
| testSend.swift:60:17:60:17 | password | semmle.label | password |
| testSend.swift:65:27:65:27 | str1 | semmle.label | str1 |
| testSend.swift:66:27:66:27 | str2 | semmle.label | str2 |
| testSend.swift:67:27:67:27 | str3 | semmle.label | str3 |
| testSend.swift:71:27:71:27 | license_key | semmle.label | license_key |
| testSend.swift:72:27:72:30 | .mobileNumber | semmle.label | .mobileNumber |
| testSend.swift:76:27:76:30 | .Telephone | semmle.label | .Telephone |
| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:17:54:17:54 | passwd | semmle.label | passwd |
| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:19:55:19:55 | account_no | semmle.label | account_no |
| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:20:55:20:55 | credit_card_no | semmle.label | credit_card_no |
| testURL.swift:24:22:24:22 | passwd | semmle.label | passwd |
subpaths
| testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | testSend.swift:33:14:33:32 | call to Data.init(_:) |
| testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:54:13:54:25 | call to pad(_:) |
| testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
#select
| testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password |
| testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password |
| testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email |
| testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
| testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. | testSend.swift:33:19:33:19 | passwordPlain | passwordPlain |
| testSend.swift:59:27:59:27 | str1 | testSend.swift:52:13:52:13 | password | testSend.swift:59:27:59:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:52:13:52:13 | password | password |
| testSend.swift:60:27:60:27 | str2 | testSend.swift:53:13:53:13 | password | testSend.swift:60:27:60:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:53:13:53:13 | password | password |
| testSend.swift:61:27:61:27 | str3 | testSend.swift:54:17:54:17 | password | testSend.swift:61:27:61:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:54:17:54:17 | password | password |
| testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:65:27:65:27 | license_key | license_key |
| testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:66:27:66:30 | .mobileNumber | .mobileNumber |
| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:13:54:13:54 | passwd | passwd |
| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:15:55:15:55 | account_no | account_no |
| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:16:55:16:55 | credit_card_no | credit_card_no |
| testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:20:22:20:22 | passwd | passwd |
| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:58:13:58:13 | password | password |
| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password |
| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password |
| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key |
| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber |
| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone |
| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:17:54:17:54 | passwd | passwd |
| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:19:55:19:55 | account_no | account_no |
| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:20:55:20:55 | credit_card_no | credit_card_no |
| testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:24:22:24:22 | passwd | passwd |


@@ -119,16 +119,17 @@
| testRealm.swift:73:15:73:15 | myPassword | label:myPassword, type:credential |
| testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:credential |
| testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
| testSend.swift:52:13:52:13 | password | label:password, type:credential |
| testSend.swift:53:13:53:13 | password | label:password, type:credential |
| testSend.swift:54:17:54:17 | password | label:password, type:credential |
| testSend.swift:55:23:55:23 | password | label:password, type:credential |
| testSend.swift:56:27:56:27 | password | label:password, type:credential |
| testSend.swift:57:27:57:27 | password | label:password, type:credential |
| testSend.swift:65:27:65:27 | license_key | label:license_key, type:credential |
| testSend.swift:66:27:66:30 | .mobileNumber | label:mobileNumber, type:private information |
| testSend.swift:69:27:69:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
| testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
| testURL.swift:15:55:15:55 | account_no | label:account_no, type:private information |
| testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
| testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |
| testSend.swift:58:13:58:13 | password | label:password, type:credential |
| testSend.swift:59:13:59:13 | password | label:password, type:credential |
| testSend.swift:60:17:60:17 | password | label:password, type:credential |
| testSend.swift:61:23:61:23 | password | label:password, type:credential |
| testSend.swift:62:27:62:27 | password | label:password, type:credential |
| testSend.swift:63:27:63:27 | password | label:password, type:credential |
| testSend.swift:71:27:71:27 | license_key | label:license_key, type:credential |
| testSend.swift:72:27:72:30 | .mobileNumber | label:mobileNumber, type:private information |
| testSend.swift:75:27:75:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
| testSend.swift:76:27:76:30 | .Telephone | label:Telephone, type:private information |
| testURL.swift:17:54:17:54 | passwd | label:passwd, type:credential |
| testURL.swift:19:55:19:55 | account_no | label:account_no, type:private information |
| testURL.swift:20:55:20:55 | credit_card_no | label:credit_card_no, type:private information |
| testURL.swift:24:22:24:22 | passwd | label:passwd, type:credential |


@@ -46,6 +46,12 @@ struct MyStruct {
var mobileUrl: String
var mobilePlayer: String
var passwordFeatureEnabled: Bool
var Telephone: String
var birth_day: String
var CarePlanID: String
var BankCardNo: String
var MyCreditRating: String
var OneTimeCode: String
}
func test2(password : String, license_key: String, ms: MyStruct, connection : NWConnection) {
@@ -67,4 +73,10 @@ func test2(password : String, license_key: String, ms: MyStruct, connection : NW
connection.send(content: ms.mobileUrl, completion: .idempotent) // GOOD (not sensitive)
connection.send(content: ms.mobilePlayer, completion: .idempotent) // GOOD (not sensitive)
connection.send(content: ms.passwordFeatureEnabled, completion: .idempotent) // GOOD (not sensitive)
connection.send(content: ms.Telephone, completion: .idempotent) // BAD
connection.send(content: ms.birth_day, completion: .idempotent) // BAD [NOT DETECTED]
connection.send(content: ms.CarePlanID, completion: .idempotent) // BAD [NOT DETECTED]
connection.send(content: ms.BankCardNo, completion: .idempotent) // BAD [NOT DETECTED]
connection.send(content: ms.MyCreditRating, completion: .idempotent) // BAD [NOT DETECTED]
connection.send(content: ms.OneTimeCode, completion: .idempotent) // BAD [NOT DETECTED]
}
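Review bot: The six new `MyStruct` fields deliberately mix casing and underscore styles (`Telephone`, `birth_day`, `CarePlanID`, `BankCardNo`, `MyCreditRating`, `OneTimeCode`), presumably to exercise the name-based sensitivity heuristics, but nothing in the file says so, and a later lint or cleanup pass could normalize them and silently change what the test checks. A one-line comment on the struct would protect that intent: `// field names intentionally vary in casing/underscores to exercise name-based sensitive-data heuristics; do not normalize`. The five `// BAD [NOT DETECTED]` sends also leave a reader to guess which category each field is expected to match (credential vs private information, as the adjacent cases are labelled in the expected output); naming the expected category in each marker would make the gaps actionable. Both `struct MyStruct` and `test2` begin outside the hunks shown.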


@@ -9,6 +9,10 @@ struct URL
// --- tests ---
var myString = ""
func setMyString(str: String) { myString = str }
func getMyString() -> String { return myString }
func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
@@ -19,4 +23,11 @@ func test1(passwd : String, encrypted_passwd : String, account_no : String, cred
let e = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
let f = URL(string: passwd, relativeTo: base); // BAD
let g = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
let e_mail = myString
let h = URL(string: "http://example.com/login?em=" + e_mail); // BAD [NOT DETECTED]
var a_homeaddr_z = getMyString()
let i = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD [NOT DETECTED]
var resident_ID = getMyString()
let j = URL(string: "http://example.com/login?id=" + resident_ID); // BAD [NOT DETECTED]
}
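Review bot: `a_homeaddr_z` and `resident_ID` are declared with `var` but never mutated, so the compiler will warn on both, and they are inconsistent with the neighbouring `let e_mail = myString`. Change them to `let a_homeaddr_z = getMyString()` and `let resident_ID = getMyString()`; if the `var` binding is intentional to cover a mutable-variable path in the query, a short comment saying so would stop the next reader from "fixing" it. `test1` starts outside the hunk.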


@@ -83,7 +83,7 @@ struct Logger {
// --- tests ---
func test1(password: String, passwordHash : String) {
func test1(password: String, passwordHash : String, passphrase: String, pass_phrase: String) {
print(password) // $ MISSING: hasCleartextLogging=87
print(password, separator: "") // $ MISSING: $ hasCleartextLogging=88
print("", separator: password) // $ hasCleartextLogging=89
@@ -132,6 +132,9 @@ func test1(password: String, passwordHash : String) {
log.critical("\(passwordHash, privacy: .public)") // Safe
log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=133
log.fault("\(passwordHash, privacy: .public)") // Safe
NSLog(passphrase) // $ hasCleartextLogging=136
NSLog(pass_phrase) // $ MISSING: hasCleartextLogging=137
}
class MyClass {
@@ -145,14 +148,14 @@ func doSomething(password: String) { }
func test3(x: String) {
// alternative evidence of sensitivity...
NSLog(x) // $ MISSING: hasCleartextLogging=148
NSLog(x) // $ MISSING: hasCleartextLogging=152
doSomething(password: x);
NSLog(x) // $ hasCleartextLogging=149
NSLog(x) // $ hasCleartextLogging=152
let y = getPassword();
NSLog(y) // $ hasCleartextLogging=152
NSLog(y) // $ hasCleartextLogging=155
let z = MyClass()
NSLog(z.harmless) // Safe
NSLog(z.password) // $ hasCleartextLogging=157
NSLog(z.password) // $ hasCleartextLogging=160
}
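Review bot: The updated `MISSING` annotation on the first `NSLog(x)` in `test3` moved from `=148` to `=152`, a shift of four, while every other annotation in this hunk moved by exactly three (`149`→`152`, `152`→`155`, `157`→`160`), matching the hunk offset from old line 145 to new line 148. If the old value was right, the line should read `NSLog(x) // $ MISSING: hasCleartextLogging=151`. Because a `MISSING` expectation only records an absent result, a wrong line number there will not fail the test today, so it is better corrected now than discovered when the query starts reporting this case and the expectation mismatches.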