
Commit 4995f13

committed
Swift: Add tests for swift/weak-sensitive-data-hashing on CryptoSwift.
1 parent 03a4084 commit 4995f13


3 files changed

+188
-38
lines changed

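--- a/PATH_NOT_SHOWN_file1
+++ b/PATH_NOT_SHOWN_file1
@@ -1,42 +1,42 @@
 edges
-| testCrypto.swift:56:47:56:47 | passwd : | testCrypto.swift:63:44:63:44 | passwd |
-| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no |
-| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no : |
-| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no |
-| testCrypto.swift:61:43:61:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no |
+| testCryptoKit.swift:56:47:56:47 | passwd : | testCryptoKit.swift:63:44:63:44 | passwd |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no : | testCryptoKit.swift:61:43:61:43 | credit_card_no |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no : | testCryptoKit.swift:61:43:61:43 | credit_card_no : |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no : | testCryptoKit.swift:67:44:67:44 | credit_card_no |
+| testCryptoKit.swift:61:43:61:43 | credit_card_no : | testCryptoKit.swift:67:44:67:44 | credit_card_no |
 nodes
-| testCrypto.swift:56:47:56:47 | passwd | semmle.label | passwd |
-| testCrypto.swift:56:47:56:47 | passwd : | semmle.label | passwd : |
-| testCrypto.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:60:43:60:43 | credit_card_no : | semmle.label | credit_card_no : |
-| testCrypto.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:61:43:61:43 | credit_card_no : | semmle.label | credit_card_no : |
-| testCrypto.swift:63:44:63:44 | passwd | semmle.label | passwd |
-| testCrypto.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:90:23:90:23 | passwd | semmle.label | passwd |
-| testCrypto.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:99:23:99:23 | passwd | semmle.label | passwd |
-| testCrypto.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:132:32:132:32 | passwd | semmle.label | passwd |
-| testCrypto.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:141:32:141:32 | passwd | semmle.label | passwd |
-| testCrypto.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:56:47:56:47 | passwd : | semmle.label | passwd : |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no : | semmle.label | credit_card_no : |
+| testCryptoKit.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:61:43:61:43 | credit_card_no : | semmle.label | credit_card_no : |
+| testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
 subpaths
 #select
-| testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:56:47:56:47 | passwd : | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no : | testCryptoKit.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:56:47:56:47 | passwd : | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no : | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no : | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
+| testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |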
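--- /dev/null
+++ b/PATH_NOT_SHOWN_file2
@@ -0,0 +1,150 @@
+
+// --- stubs ---
+
+class Data
+{
+init<S>(_ elements: S) {}
+}
+
+protocol DigestType {
+func calculate(for bytes: Array<UInt8>) -> Array<UInt8>
+}
+
+class MD5 : DigestType {
+public func calculate(for bytes: Array<UInt8>) -> Array<UInt8> {
+return Array<UInt8>()
+}
+}
+
+class SHA1 : DigestType {
+public func calculate(for bytes: Array<UInt8>) -> Array<UInt8> {
+return Array<UInt8>()
+}
+}
+
+class SHA2 : DigestType {
+public enum Variant {
+case sha512
+}
+
+public init(variant: SHA2.Variant) {}
+
+public func calculate(for bytes: Array<UInt8>) -> Array<UInt8> {
+return Array<UInt8>()
+}
+}
+
+struct Digest {
+static func md5(_ bytes: Array<UInt8>) -> Array<UInt8> {
+return MD5().calculate(for: bytes)
+}
+
+static func sha1(_ bytes: Array<UInt8>) -> Array<UInt8> {
+return SHA1().calculate(for: bytes)
+}
+
+static func sha512(_ bytes: Array<UInt8>) -> Array<UInt8> {
+return self.sha2(bytes, variant: .sha512)
+}
+
+static func sha2(_ bytes: Array<UInt8>, variant: SHA2.Variant) -> Array<UInt8> {
+return SHA2(variant: variant).calculate(for: bytes)
+}
+}
+
+extension Array where Element == UInt8 {
+func toHexString() -> String {
+return ""
+}
+
+func md5() -> [Element] {
+return Digest.md5(self)
+}
+
+func sha1() -> [Element] {
+return Digest.sha1(self)
+}
+
+func sha512() -> [Element] {
+return Digest.sha512(self)
+}
+}
+
+extension Data {
+var bytes: Array<UInt8> {
+return Array<UInt8>()
+}
+
+func md5() -> Data {
+return Data(Digest.md5(bytes))
+}
+
+func sha1() -> Data {
+return Data(Digest.sha1(bytes))
+}
+
+func sha512() -> Data {
+return Data(Digest.sha512(bytes))
+}
+}
+
+extension String {
+var bytes: Array<UInt8> {
+return Array<UInt8>()
+}
+
+func md5() -> String {
+return self.bytes.md5().toHexString()
+}
+
+func sha1() -> String {
+return self.bytes.sha1().toHexString()
+}
+
+func sha512() -> String {
+return self.bytes.sha512().toHexString()
+}
+}
+
+// --- tests ---
+
+func testArrays(harmlessArray: Array<UInt8>, passwdArray: Array<UInt8>) {
+_ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
+_ = MD5().calculate(for: passwdArray) // BAD [NOT DETECTED]
+_ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
+_ = SHA1().calculate(for: passwdArray) // BAD [NOT DETECTED]
+_ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
+_ = SHA2(variant: .sha512).calculate(for: passwdArray) // GOOD
+
+_ = Digest.md5(harmlessArray) // GOOD (not sensitive)
+_ = Digest.md5(passwdArray) // BAD [NOT DETECTED]
+_ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
+_ = Digest.sha1(passwdArray) // BAD [NOT DETECTED]
+_ = Digest.sha512(harmlessArray) // GOOD
+_ = Digest.sha512(passwdArray) // GOOD
+
+_ = harmlessArray.md5() // GOOD (not sensitive)
+_ = passwdArray.md5() // BAD [NOT DETECTED]
+_ = harmlessArray.sha1() // GOOD (not sensitive)
+_ = passwdArray.sha1() // BAD [NOT DETECTED]
+_ = harmlessArray.sha512() // GOOD
+_ = passwdArray.sha512() // GOOD
+}
+
+func testData(harmlessData: Data, passwdData: Data) {
+_ = harmlessData.md5() // GOOD (not sensitive)
+_ = passwdData.md5() // BAD [NOT DETECTED]
+_ = harmlessData.sha1() // GOOD (not sensitive)
+_ = passwdData.sha1() // BAD [NOT DETECTED]
+_ = harmlessData.sha512() // GOOD
+_ = passwdData.sha512() // GOOD
+}
+
+func testStrings(passwd: String) {
+_ = "harmless".md5() // GOOD (not sensitive)
+_ = passwd.md5() // BAD [NOT DETECTED]
+_ = "harmless".sha1() // GOOD (not sensitive)
+_ = passwd.sha1() // BAD [NOT DETECTED]
+_ = "harmless".sha512() // GOOD
+_ = passwd.sha512() // GOOD
+}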
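Review bot: The bare `// GOOD` annotations on the SHA-512 password cases (`SHA2(variant: .sha512).calculate(for: passwdArray)`, `Digest.sha512(passwdArray)`, `passwdArray.sha512()`, `passwdData.sha512()`, `passwd.sha512()`) read as if hashing a password with SHA-512 were safe. A single fast digest is still a poor fit for password storage even though the algorithm itself is not broken. If the query is meant to flag only MD5 and SHA-1 (which the expected output for the CryptoKit tests suggests), the comment should say so, e.g. `// GOOD (SHA-512 is not a weak algorithm; password-storage strength is out of scope for this query)`. Separately, every sensitive input in `testArrays`, `testData` and `testStrings` is a password, while the CryptoKit results also cover `credit_card_no`; a private-information case here would keep the two test files comparable once the `BAD [NOT DETECTED]` gaps are closed.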
