codeql/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift
// Stubs
/// Stub of the `tls_protocol_version_t` enumeration, declaring only the four
/// TLS versions that the fixtures in this file assign.
///
/// Raw values are left implicit (0 through 3 in declaration order).
enum tls_protocol_version_t: UInt16 {
    // TLS 1.0 / 1.1: the versions the fixtures below annotate as BAD.
    case TLSv10, TLSv11
    // TLS 1.2 / 1.3: the versions the fixtures below annotate as GOOD.
    case TLSv12, TLSv13
}
/// Stub of the `SSLProtocol` enumeration, reduced to the four TLS cases used by
/// the `tlsMinimumSupportedProtocol` / `tlsMaximumSupportedProtocol` fixtures.
enum SSLProtocol {
    // TLS 1.0 / 1.1 first, then TLS 1.2 / 1.3, in the original declaration order.
    case tlsProtocol10, tlsProtocol11
    case tlsProtocol12, tlsProtocol13
}
/// Stub of `URLSessionConfiguration` exposing only the four TLS version bounds
/// that the fixtures below assign to.
class URLSessionConfiguration {
    init() {}
    // Bounds typed as `tls_protocol_version_t`; the stub starts them at
    // TLS 1.2 (minimum) and TLS 1.3 (maximum).
    var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
    var tlsMaximumSupportedProtocolVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv13
    // The same two bounds typed as `SSLProtocol`, with the same starting values.
    var tlsMinimumSupportedProtocol: SSLProtocol = SSLProtocol.tlsProtocol12
    var tlsMaximumSupportedProtocol: SSLProtocol = SSLProtocol.tlsProtocol13
}
// MARK: - tlsMinimumSupportedProtocolVersion

/// Direct assignment of TLS 1.2 as the minimum version.
/// Annotated GOOD: no alert is expected on the assignment.
func case_0() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv12 // GOOD
}
/// Direct assignment of TLS 1.3 as the minimum version.
/// Annotated GOOD: no alert is expected on the assignment.
func case_1() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13 // GOOD
}
/// Direct assignment of TLS 1.0 as the minimum version.
/// Annotated BAD: the query should report it, because a TLS 1.0 floor lets a
/// connection be negotiated down to a deprecated protocol version.
func case_2() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
}
/// Direct assignment of TLS 1.1 as the minimum version.
/// Annotated BAD: TLS 1.1 is treated as insecure in the same way as TLS 1.0.
func case_3() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv11 // BAD
}
// MARK: - tlsMaximumSupportedProtocolVersion

/// Direct assignment of TLS 1.2 as the maximum version.
/// Annotated GOOD: no alert is expected.
/// NOTE(review): this cap rules out TLS 1.3; the fixture still treats it as acceptable.
func case_4() {
    let config = URLSessionConfiguration()
    config.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv12 // GOOD
}
/// Direct assignment of TLS 1.0 as the maximum version.
/// Annotated BAD: a TLS 1.0 ceiling leaves only a deprecated version available.
func case_5() {
    let config = URLSessionConfiguration()
    config.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
}
// MARK: - tlsMinimumSupportedProtocol

/// Direct assignment of TLS 1.0 as the minimum through the `SSLProtocol`-typed property.
/// Annotated BAD: the query should report it.
func case_6() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocol = SSLProtocol.tlsProtocol10 // BAD
}
/// Direct assignment of TLS 1.2 as the minimum through the `SSLProtocol`-typed property.
/// Annotated GOOD: no alert is expected.
func case_7() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocol = SSLProtocol.tlsProtocol12 // GOOD
}
// MARK: - tlsMaximumSupportedProtocol

/// Direct assignment of TLS 1.0 as the maximum through the `SSLProtocol`-typed property.
/// Annotated BAD: the query should report it.
func case_8() {
    let config = URLSessionConfiguration()
    config.tlsMaximumSupportedProtocol = SSLProtocol.tlsProtocol10 // BAD
}
/// Direct assignment of TLS 1.2 as the maximum through the `SSLProtocol`-typed property.
/// Annotated GOOD: no alert is expected.
func case_9() {
    let config = URLSessionConfiguration()
    config.tlsMaximumSupportedProtocol = SSLProtocol.tlsProtocol12 // GOOD
}
// MARK: - Indirect assignment (global vars)

/// Global constant holding TLS 1.0; read by `case_10`.
let badGlobalVersion = tls_protocol_version_t.TLSv10
/// Global constant holding TLS 1.2; read by `case_11`.
let goodGlobalVersion = tls_protocol_version_t.TLSv12
/// Assigns the minimum version from the global constant `badGlobalVersion` (TLS 1.0).
/// Annotated "BAD [not detected]": the configuration is insecure, but the
/// annotation records that the query does not report it (a known false negative).
func case_10() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = badGlobalVersion // BAD [not detected]
}
/// Assigns the minimum version from the global constant `goodGlobalVersion` (TLS 1.2).
/// Annotated GOOD: no alert is expected.
func case_11() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = goodGlobalVersion // GOOD
}
// MARK: - Indirect assignment (function calls)

/// Returns TLS 1.0; used by `case_12` as the source of an insecure value.
func getBadTLSVersion() -> tls_protocol_version_t {
    return tls_protocol_version_t.TLSv10
}
/// Returns TLS 1.3; used by `case_13` as the source of an acceptable value.
func getGoodTLSVersion() -> tls_protocol_version_t {
    return tls_protocol_version_t.TLSv13
}
/// Assigns the minimum version from the return value of `getBadTLSVersion()` (TLS 1.0).
/// Annotated BAD: the query should follow the value out of the call and report it.
func case_12() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = getBadTLSVersion() // BAD
}
/// Assigns the minimum version from the return value of `getGoodTLSVersion()` (TLS 1.3).
/// Annotated GOOD: no alert is expected.
func case_13() {
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = getGoodTLSVersion() // GOOD
}
// MARK: - Indirect assignment (via call arguments)

/// Writes `version` into `config.tlsMinimumSupportedProtocolVersion`.
///
/// The assignment itself carries no annotation; the GOOD/BAD verdicts sit on
/// the call sites in `case_14` and `case_15`, where the value originates.
/// - Parameters:
///   - config: The configuration whose minimum TLS version is set.
///   - version: The TLS version to store as the minimum.
func setTLSVersion(_ config: URLSessionConfiguration, _ version: tls_protocol_version_t) {
    config.tlsMinimumSupportedProtocolVersion = version
}
/// Passes TLS 1.1 to `setTLSVersion`, which stores it as the minimum version.
/// Annotated BAD: the insecure value reaches the property through a call argument.
func case_14() {
    let config = URLSessionConfiguration()
    setTLSVersion(config, tls_protocol_version_t.TLSv11) // BAD
}
/// Passes TLS 1.3 to `setTLSVersion`, which stores it as the minimum version.
/// Annotated GOOD: no alert is expected.
func case_15() {
    let config = URLSessionConfiguration()
    setTLSVersion(config, tls_protocol_version_t.TLSv13) // GOOD
}
// MARK: - Indirect assignment (via external entity)

/// Holder whose immutable `TLSVersion` property defaults to TLS 1.1; read by `case_16`.
struct BadDefault {
    let TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv11
}
/// Assigns the minimum version from `BadDefault().TLSVersion` (TLS 1.1).
/// Annotated "BAD [not detected]": the value is insecure, but the annotation
/// records that the query does not report a value coming from the property's
/// default initialiser (a known false negative).
func case_16() {
    let def = BadDefault()
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // BAD [not detected]
}
/// Holder whose immutable `TLSVersion` property defaults to TLS 1.2; read by `case_17`.
struct GoodDefault {
    let TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
}
/// Assigns the minimum version from `GoodDefault().TLSVersion` (TLS 1.2).
/// Annotated GOOD: no alert is expected.
func case_17() {
    let def = GoodDefault()
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
}
/// Holder with a mutable `TLSVersion` property defaulting to TLS 1.2;
/// `case_18` and `case_19` overwrite it before reading it back.
struct VarDefault {
    var TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
}
/// Overwrites `VarDefault.TLSVersion` with TLS 1.0, then assigns it as the minimum version.
/// Annotated BAD: the query should report the value written to the field,
/// even though the field's declared default (TLS 1.2) is acceptable.
func case_18() {
    var def = VarDefault()
    def.TLSVersion = tls_protocol_version_t.TLSv10
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // BAD
}
/// Overwrites `VarDefault.TLSVersion` with TLS 1.3, then assigns it as the minimum version.
/// Annotated GOOD: no alert is expected.
func case_19() {
    var def = VarDefault()
    def.TLSVersion = tls_protocol_version_t.TLSv13
    let config = URLSessionConfiguration()
    config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
}