Swift: SensitiveDataHeuristics.qll expects function names without an (argument:list:).

Geoffrey White
2023-05-11 17:52:47 +01:00
parent 35e2e5d785
commit e2080c5d00
5 changed files with 19 additions and 3 deletions


@@ -91,11 +91,15 @@ private class SensitiveVarDecl extends VarDecl {
*/
private class SensitiveFunction extends Function {
SensitiveDataType sensitiveType;
string name; // name of the function, not including the argument list.
SensitiveFunction() { this.getName().toLowerCase().regexpMatch(sensitiveType.getRegexp()) }
SensitiveFunction() {
name = this.getName().splitAt("(", 0) and
name.toLowerCase().regexpMatch(sensitiveType.getRegexp())
}
predicate hasInfo(string label, SensitiveDataType type) {
label = this.getName() and
label = name and
sensitiveType = type
}
}
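Review bot: The regexp in the characteristic predicate of `SensitiveFunction` is now applied only to the part of the name before `(`, so argument labels no longer take part in the match, yet the expected-output changes in this commit exercise just the zero-argument `getPassword()`. Test functions with labelled parameters, one with a sensitive word only in a label and one with it in the base name, would pin both directions of that change; whether the label-only case matched before depends on the regexp, which is not visible here. `hasInfo` now also reports `label` without the argument list (`getPassword` instead of `getPassword()`), which changes the text that ends up in results, so I would add a QLDoc on it such as `/** Holds if this function has sensitive data type 'type' and 'label' is its name without the argument list. */`.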


@@ -118,6 +118,7 @@ edges
| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:31:3:31:3 | newValue |
| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj [myValue] |
| testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x |
| testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y |
| testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x |
| testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y |
| testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z |
@@ -325,6 +326,8 @@ nodes
| testCoreData.swift:65:16:65:16 | password_file | semmle.label | password_file |
| testCoreData.swift:77:24:77:24 | x | semmle.label | x |
| testCoreData.swift:78:15:78:15 | x | semmle.label | x |
| testCoreData.swift:80:10:80:22 | call to getPassword() | semmle.label | call to getPassword() |
| testCoreData.swift:81:15:81:15 | y | semmle.label | y |
| testCoreData.swift:85:15:85:17 | .password | semmle.label | .password |
| testCoreData.swift:91:10:91:10 | passwd | semmle.label | passwd |
| testCoreData.swift:92:10:92:10 | passwd | semmle.label | passwd |
@@ -508,6 +511,7 @@ subpaths
| testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password |
| testCoreData.swift:65:2:65:2 | obj | testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:65:16:65:16 | password_file | password_file |
| testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x |
| testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() |
| testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password |
| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd |
| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd |


@@ -57,6 +57,7 @@
| testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
| testCoreData.swift:65:16:65:16 | password_file | label:password_file, type:credential |
| testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
| testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword, type:credential |
| testCoreData.swift:85:15:85:17 | .password | label:password, type:credential |
| testCoreData.swift:91:10:91:10 | passwd | label:passwd, type:credential |
| testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |


@@ -1 +0,0 @@
| cleartextLoggingTest.swift:153:11:154:1 | // $ hasCleartextLogging=152\n | Missing result:hasCleartextLogging=152 |


@@ -1,9 +1,11 @@
edges
| testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x |
| testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y |
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x |
| testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y |
| testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z |
| testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x |
| testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y |
| testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x |
| testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y |
| testUserDefaults.swift:57:10:57:10 | passwd | testUserDefaults.swift:61:28:61:28 | z |
@@ -11,6 +13,8 @@ nodes
| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | semmle.label | password |
| testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | semmle.label | x |
| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | semmle.label | x |
| testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | semmle.label | call to getPassword() |
| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | semmle.label | y |
| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | semmle.label | .password |
| testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | semmle.label | passwd |
| testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | semmle.label | passwd |
@@ -21,6 +25,8 @@ nodes
| testUserDefaults.swift:28:15:28:15 | password | semmle.label | password |
| testUserDefaults.swift:41:24:41:24 | x | semmle.label | x |
| testUserDefaults.swift:42:28:42:28 | x | semmle.label | x |
| testUserDefaults.swift:44:10:44:22 | call to getPassword() | semmle.label | call to getPassword() |
| testUserDefaults.swift:45:28:45:28 | y | semmle.label | y |
| testUserDefaults.swift:49:28:49:30 | .password | semmle.label | .password |
| testUserDefaults.swift:55:10:55:10 | passwd | semmle.label | passwd |
| testUserDefaults.swift:56:10:56:10 | passwd | semmle.label | passwd |
@@ -32,12 +38,14 @@ subpaths
#select
| testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | This operation stores 'password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:28:12:28:12 | password | password |
| testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | testNSUbiquitousKeyValueStore.swift:42:40:42:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:41:24:41:24 | x | x |
| testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | testNSUbiquitousKeyValueStore.swift:45:40:45:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:44:10:44:22 | call to getPassword() | call to getPassword() |
| testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | This operation stores '.password' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:49:40:49:42 | .password | .password |
| testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | testNSUbiquitousKeyValueStore.swift:59:40:59:40 | x | This operation stores 'x' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:55:10:55:10 | passwd | passwd |
| testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | testNSUbiquitousKeyValueStore.swift:60:40:60:40 | y | This operation stores 'y' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:56:10:56:10 | passwd | passwd |
| testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | testNSUbiquitousKeyValueStore.swift:61:40:61:40 | z | This operation stores 'z' in iCloud. It may contain unencrypted sensitive data from $@. | testNSUbiquitousKeyValueStore.swift:57:10:57:10 | passwd | passwd |
| testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | testUserDefaults.swift:28:15:28:15 | password | This operation stores 'password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:28:15:28:15 | password | password |
| testUserDefaults.swift:42:28:42:28 | x | testUserDefaults.swift:41:24:41:24 | x | testUserDefaults.swift:42:28:42:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:41:24:41:24 | x | x |
| testUserDefaults.swift:45:28:45:28 | y | testUserDefaults.swift:44:10:44:22 | call to getPassword() | testUserDefaults.swift:45:28:45:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:44:10:44:22 | call to getPassword() | call to getPassword() |
| testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | testUserDefaults.swift:49:28:49:30 | .password | This operation stores '.password' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:49:28:49:30 | .password | .password |
| testUserDefaults.swift:59:28:59:28 | x | testUserDefaults.swift:55:10:55:10 | passwd | testUserDefaults.swift:59:28:59:28 | x | This operation stores 'x' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:55:10:55:10 | passwd | passwd |
| testUserDefaults.swift:60:28:60:28 | y | testUserDefaults.swift:56:10:56:10 | passwd | testUserDefaults.swift:60:28:60:28 | y | This operation stores 'y' in the user defaults database. It may contain unencrypted sensitive data from $@. | testUserDefaults.swift:56:10:56:10 | passwd | passwd |