hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-29 18:41:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Fill the simple gaps in modelling.

Browse Source
This commit is contained in:
Geoffrey White
2026-05-26 17:54:51 +01:00
parent c6c3e1474c
commit f962eac914
4 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
View File

@@ -54,12 +54,15 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
// CryptoKit
// (SHA-256, SHA-384 and SHA-512 are all variants of the SHA-2 algorithm)
";SHA256;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA256;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA256;true;update(data:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA256;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
";SHA384;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA384;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA384;true;update(data:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA384;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
";SHA512;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA512",
";SHA512;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
";SHA512;true;update(data:);;;Argument[0];weak-password-hash-input-SHA512",
";SHA512;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
// CryptoSwift
@@ -122,7 +125,7 @@ private class WeakPasswordHashingMetatypeSink extends WeakPasswordHashingSink {
c.getAnArgument().getExpr() = this.asExpr() and
algorithm = ["SHA256", "SHA384", "SHA512"] and
c.getQualifier().getType().getFullName() = algorithm + ["", ".Type"] and
c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
c.getStaticTarget().getName() = ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
)
}

4
swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
View File

@@ -40,9 +40,11 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
[
// CryptoKit
";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",
";Insecure.MD5;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",
";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
";Insecure.SHA1;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
// CryptoSwift
@@ -88,7 +90,7 @@ private class WeakSenitiveDataHashingMetatypeSink extends WeakSensitiveDataHashi
c.getAnArgument().getExpr() = this.asExpr() and
algorithm = ["MD5", "SHA1"] and
c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and
c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
c.getStaticTarget().getName() = ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
)
}

12
swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected
View File

@@ -3,11 +3,17 @@ edges
| testCryptoKit.swift:224:38:224:53 | .utf8 | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | provenance | |
nodes
| testCryptoKit.swift:84:47:84:47 | passwd | semmle.label | passwd |
| testCryptoKit.swift:85:52:85:52 | passwd | semmle.label | passwd |
| testCryptoKit.swift:91:36:91:36 | passwd | semmle.label | passwd |
| testCryptoKit.swift:92:45:92:45 | passwd | semmle.label | passwd |
| testCryptoKit.swift:98:44:98:44 | passwd | semmle.label | passwd |
| testCryptoKit.swift:99:53:99:53 | passwd | semmle.label | passwd |
| testCryptoKit.swift:105:37:105:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:106:46:106:46 | passwd | semmle.label | passwd |
| testCryptoKit.swift:112:37:112:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:113:46:113:46 | passwd | semmle.label | passwd |
| testCryptoKit.swift:119:37:119:37 | passwd | semmle.label | passwd |
| testCryptoKit.swift:120:46:120:46 | passwd | semmle.label | passwd |
| testCryptoKit.swift:129:23:129:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:138:23:138:23 | passwd | semmle.label | passwd |
| testCryptoKit.swift:147:23:147:23 | passwd | semmle.label | passwd |
@@ -49,11 +55,17 @@ nodes
subpaths
#select
| testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) |
| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) |
| testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) |
| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) |
| testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) |
| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) |
| testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) |
| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) |
| testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) |
| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) |
| testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) |
| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) |
| testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) |
| testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) |
| testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) |

12
swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
View File

@@ -82,42 +82,42 @@ enum Insecure {
func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
var hash = Crypto.Insecure.MD5.hash(data: passwd) // BAD
hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // BAD [NOT DETECTED]
hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd) // BAD
hash = Crypto.Insecure.MD5.hash(data: cert) // BAD
hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Crypto.Insecure.MD5.hash(data: account_no) // BAD
hash = Crypto.Insecure.MD5.hash(data: credit_card_no) // BAD
hash = Insecure.MD5.hash(data: passwd) // BAD
hash = Insecure.MD5.hash(bufferPointer: passwd) // BAD [NOT DETECTED]
hash = Insecure.MD5.hash(bufferPointer: passwd) // BAD
hash = Insecure.MD5.hash(data: cert) // BAD
hash = Insecure.MD5.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Insecure.MD5.hash(data: account_no) // BAD
hash = Insecure.MD5.hash(data: credit_card_no) // BAD
hash = Crypto.Insecure.SHA1.hash(data: passwd) // BAD
hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // BAD [NOT DETECTED]
hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd) // BAD
hash = Crypto.Insecure.SHA1.hash(data: cert) // BAD
hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd) // GOOD (not sensitive)
hash = Crypto.Insecure.SHA1.hash(data: account_no) // BAD
hash = Crypto.Insecure.SHA1.hash(data: credit_card_no) // BAD
hash = Crypto.SHA256.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA256.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA256.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA256.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA256.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA256.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA384.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA384.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA384.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA384.hash(data: account_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA384.hash(data: credit_card_no) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA512.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash [NOT DETECTED]
hash = Crypto.SHA512.hash(bufferPointer: passwd) // BAD, not a computationally expensive hash
hash = Crypto.SHA512.hash(data: cert) // GOOD, computationally expensive hash not required
hash = Crypto.SHA512.hash(data: encrypted_passwd) // GOOD, not sensitive
hash = Crypto.SHA512.hash(data: account_no) // GOOD, computationally expensive hash not required