Swift: Minor fixes for the existing weak sensitive data hashing query (naming consistency, remove unused import).

2026-04-25 00:35:20 +02:00 · 2023-12-06 10:49:05 +00:00
parent 063f69c10e
commit be7d0acfea
3 changed files with 13 additions and 10 deletions
--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -4,7 +4,6 @@
 */

 import swift
-import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.ExternalFlow

@@ -35,7 +34,7 @@ class WeakSensitiveDataHashingAdditionalFlowStep extends Unit {
  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
 }

-private class WeakHashingSinks extends SinkModelCsv {
+private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
  override predicate row(string row) {
    row =
      [
@@ -68,10 +67,10 @@ private class WeakHashingSinks extends SinkModelCsv {
 /**
 * A sink defined in a CSV model.
 */
-private class DefaultWeakHashingSink extends WeakSensitiveDataHashingSink {
+private class DefaultWeakSenitiveDataHashingSink extends WeakSensitiveDataHashingSink {
  string algorithm;

-  DefaultWeakHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }
+  DefaultWeakSenitiveDataHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }

  override string getAlgorithm() { result = algorithm }
 }
--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.WeakSensitiveDataHashingExtensions
 * A taint tracking configuration from sensitive expressions to broken or weak
 * hashing sinks.
 */
-module WeakHashingConfig implements DataFlow::ConfigSig {
+module WeakSensitiveDataHashingConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }

  predicate isSink(DataFlow::Node node) { node instanceof WeakSensitiveDataHashingSink }
@@ -35,4 +35,8 @@ module WeakHashingConfig implements DataFlow::ConfigSig {
  }
 }

-module WeakHashingFlow = TaintTracking::Global<WeakHashingConfig>;
+deprecated module WeakHashingConfig = WeakSensitiveDataHashingConfig;
+
+module WeakSensitiveDataHashingFlow = TaintTracking::Global<WeakSensitiveDataHashingConfig>;
+
+deprecated module WeakHashingFlow = WeakSensitiveDataHashingFlow;
--- a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
+++ b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
@@ -13,13 +13,13 @@

 import swift
 import codeql.swift.security.WeakSensitiveDataHashingQuery
-import WeakHashingFlow::PathGraph
+import WeakSensitiveDataHashingFlow::PathGraph

 from
-  WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm,
-  SensitiveExpr expr
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink,
+  string algorithm, SensitiveExpr expr
 where
-  WeakHashingFlow::flowPath(source, sink) and
+  WeakSensitiveDataHashingFlow::flowPath(source, sink) and
  algorithm = sink.getNode().(WeakSensitiveDataHashingSink).getAlgorithm() and
  expr = source.getNode().asExpr()
 select sink.getNode(), source, sink,