Swift: Split off WeakPasswordHashingExtensions.qll as we normally do.

2026-04-25 16:55:19 +02:00 · 2023-12-06 11:15:43 +00:00
parent db1508d108
commit e5bf929cdb
2 changed files with 37 additions and 28 deletions
--- a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
@@ -0,0 +1,36 @@
+/**
+ * Provides classes and predicates for reasoning about use of inappropriate
+ * cryptographic hashing algorithms on passwords.
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+
+class WeakPasswordHashingSink extends DataFlow::Node {
+  string algorithm;
+
+  WeakPasswordHashingSink() {
+    // a call to System.Security.Cryptography.MD5/SHA*.ComputeHash/ComputeHashAsync/HashData/HashDataAsync
+    exists(MethodCall call, string name |
+      (
+        call.getTarget().getName() = name
+        and name in ["ComputeHash", "ComputeHashAsync", "HashData", "HashDataAsync"]
+      )
+      // with this as the first argument - not arg 0, since arg 0 is 'this' for methods
+      and call.getArgument(0) = this.asExpr()
+      and
+      // the call is to a method in the System.Security.Cryptography.MD* class
+      // or the System.Security.Cryptography.SHA* classes
+      (
+        call.getQualifier().getType().getName() = algorithm
+        and algorithm.matches(["MD%","SHA%"])
+      )
+    )
+  }
+
+  string getAlgorithm() {
+    result = algorithm
+  }
+}
--- a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
@@ -7,6 +7,7 @@ import swift
 import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.WeakPasswordHashingExtensions

 /**
 * A taint tracking configuration from password expressions to inappropriate
@@ -29,31 +30,3 @@ module WeakHashingPasswordConfig implements DataFlow::ConfigSig {
 }

 module WeakHashingFlow = TaintTracking::Global<WeakHashingPasswordConfig>;
-
-// TODO: rewrite with data extensions in mind, ref the Swift implementation
-class WeakPasswordHashingSink extends DataFlow::Node {
-  string algorithm;
-
-  WeakPasswordHashingSink() {
-    // a call to System.Security.Cryptography.MD5/SHA*.ComputeHash/ComputeHashAsync/HashData/HashDataAsync
-    exists(MethodCall call, string name |
-      (
-        call.getTarget().getName() = name
-        and name in ["ComputeHash", "ComputeHashAsync", "HashData", "HashDataAsync"]
-      )
-      // with this as the first argument - not arg 0, since arg 0 is 'this' for methods
-      and call.getArgument(0) = this.asExpr()
-      and
-      // the call is to a method in the System.Security.Cryptography.MD* class
-      // or the System.Security.Cryptography.SHA* classes
-      (
-        call.getQualifier().getType().getName() = algorithm
-        and algorithm.matches(["MD%","SHA%"])
-      )
-    )
-  }
-
-  string getAlgorithm() {
-    result = algorithm
-  }
-}