Merge pull request github#12764 from geoffw0/modernsec

Swift: Modernize the encryption queries

Author: geoffw0

swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll

@@ -0,0 +1,67 @@
+/**
+ * Provides classes and predicates for reasoning about constant password
+ * vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for constant password vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as a password.
+ */
+abstract class ConstantPasswordSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for constant password vulnerabilities.
+ */
+abstract class ConstantPasswordSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class ConstantPasswordAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to constant password vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A password sink for the CryptoSwift library.
+ */
+private class DefaultConstantPasswordSink extends ConstantPasswordSink {
+  DefaultConstantPasswordSink() {
+    // `password` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("password").getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A password sink for the RNCryptor library.
+ */
+private class RnCryptorPasswordSink extends ConstantPasswordSink {
+  RnCryptorPasswordSink() {
+    // RNCryptor (labelled arguments)
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() =
+        this.asExpr()
+    )
+    or
+    // RNCryptor (unlabelled arguments)
+    exists(MethodDecl f, CallExpr call |
+      f.hasQualifiedName("RNCryptor", "keyForPassword(_:salt:settings:)") and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides a taint tracking configuration to find constant password
+ * vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSteps
+import codeql.swift.security.ConstantPasswordExtensions
+
+/**
+ * A constant password is created through either a byte array or string literals.
+ */
+class ConstantPasswordSource extends Expr {
+  ConstantPasswordSource() {
+    this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") or
+    this instanceof StringLiteralExpr
+  }
+}
+
+/**
+ * A taint configuration from the source of constants passwords to expressions that use
+ * them to initialize password-based encryption keys.
+ */
+module ConstantPasswordConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantPasswordSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof ConstantPasswordSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantPasswordSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(ConstantPasswordAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -0,0 +1,59 @@
+/**
+ * Provides classes and predicates for reasoning about use of constant salts
+ * for password hashing.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for constant salt vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as a salt.
+ */
+abstract class ConstantSaltSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for constant salt vulnerabilities.
+ */
+abstract class ConstantSaltSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class ConstantSaltAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to constant salt vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A sink for the CryptoSwift library.
+ */
+private class CryptoSwiftSaltSink extends ConstantSaltSink {
+  CryptoSwiftSaltSink() {
+    // `salt` arg in `init` is a sink
+    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("salt").getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A sink for the RNCryptor library.
+ */
+private class RnCryptorSaltSink extends ConstantSaltSink {
+  RnCryptorSaltSink() {
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() =
+        this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll

@@ -0,0 +1,39 @@
+/**
+ * Provides a taint tracking configuration to find use of constant salts
+ * for password hashing.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSteps
+import codeql.swift.security.ConstantSaltExtensions
+
+/**
+ * A constant salt is created through either a byte array or string literals.
+ */
+class ConstantSaltSource extends Expr {
+  ConstantSaltSource() {
+    this = any(ArrayExpr arr | arr.getType().getName() = "Array<UInt8>") or
+    this instanceof StringLiteralExpr or
+    this instanceof NumberLiteralExpr
+  }
+}
+
+/**
+ * A taint configuration from the source of constants salts to expressions that use
+ * them to initialize password-based encryption keys.
+ */
+module ConstantSaltConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof ConstantSaltSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof ConstantSaltSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof ConstantSaltSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(ConstantSaltAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;

swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll

@@ -0,0 +1,79 @@
+/**
+ * Provides classes and predicates for reasoning about encryption using the
+ * ECB encryption mode.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow source for ECB encryption vulnerabilities. That is,
+ * a `DataFlow::Node` of something that specifies a block mode
+ * cipher.
+ */
+abstract class EcbEncryptionSource extends DataFlow::Node { }
+
+/**
+ * A dataflow sink for ECB encryption vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as the block mode
+ * of a cipher.
+ */
+abstract class EcbEncryptionSink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for ECB encryption vulnerabilities.
+ */
+abstract class EcbEncryptionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class EcbEncryptionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to ECB encryption vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A block mode for the CryptoSwift library.
+ */
+private class CryptoSwiftEcb extends EcbEncryptionSource {
+  CryptoSwiftEcb() {
+    exists(CallExpr call |
+      call.getStaticTarget().(MethodDecl).hasQualifiedName("ECB", "init()") and
+      this.asExpr() = call
+    )
+  }
+}
+
+/**
+ * A block mode being used to form a CryptoSwift `AES` cipher.
+ */
+private class AES extends EcbEncryptionSink {
+  AES() {
+    // `blockMode` arg in `AES.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A block mode being used to form a CryptoSwift `Blowfish` cipher.
+ */
+private class Blowfish extends EcbEncryptionSink {
+  Blowfish() {
+    // `blockMode` arg in `Blowfish.init` is a sink
+    exists(CallExpr call |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
+      call.getArgument(1).getExpr() = this.asExpr()
+    )
+  }
+}

swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides a taint tracking configuration to find encryption using the
+ * ECB encryption mode.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.security.ECBEncryptionExtensions
+
+/**
+ * A taint configuration from the constructor of ECB mode to expressions that use
+ * it to initialize a cipher.
+ */
+module EcbEncryptionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof EcbEncryptionSource }
+
+  predicate isSink(DataFlow::Node node) { node instanceof EcbEncryptionSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof EcbEncryptionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(EcbEncryptionAdditionalTaintStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -0,0 +1,61 @@
+/**
+ * Provides classes and predicates for reasoning about hard-coded encryption
+ * key vulnerabilities.
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+
+/**
+ * A dataflow sink for hard-coded encryption key vulnerabilities. That is,
+ * a `DataFlow::Node` of something that is used as a key.
+ */
+abstract class HardcodedEncryptionKeySink extends DataFlow::Node { }
+
+/**
+ * A sanitizer for hard-coded encryption key vulnerabilities.
+ */
+abstract class HardcodedEncryptionKeySanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ */
+class HardcodedEncryptionKeyAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for paths related to hard-coded encryption key vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+}
+
+/**
+ * A sink for the CryptoSwift library.
+ */
+private class CryptoSwiftEncryptionKeySink extends HardcodedEncryptionKeySink {
+  CryptoSwiftEncryptionKeySink() {
+    // `key` arg in `init` is a sink
+    exists(CallExpr call, string fName |
+      call.getStaticTarget()
+          .(MethodDecl)
+          .hasQualifiedName([
+              "AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"
+            ], fName) and
+      fName.matches("init(key:%") and
+      call.getArgument(0).getExpr() = this.asExpr()
+    )
+  }
+}
+
+/**
+ * A sink for the RNCryptor library.
+ */
+private class RnCryptorEncryptionKeySink extends HardcodedEncryptionKeySink {
+  RnCryptorEncryptionKeySink() {
+    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel(["encryptionKey", "withEncryptionKey"]).getExpr() = this.asExpr()
+    )
+  }
+}