Swift: Add low-level CryptoSwift sinks.

Author: geoffw0

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll

@@ -46,6 +46,13 @@ private class WeakHashingSinks extends SinkModelCsv {
         ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
+        // CryptoSwift
+        ";MD5;true;calculate(for:);;;Argument[0];weak-hash-input-MD5",
+        ";MD5;true;callAsFunction(_:);;;Argument[0];weak-hash-input-MD5",
+        ";MD5;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-MD5",
+        ";SHA1;true;calculate(for:);;;Argument[0];weak-hash-input-SHA1",
+        ";SHA1;true;callAsFunction(_:);;;Argument[0];weak-hash-input-SHA1",
+        ";SHA1;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-SHA1",
       ]
   }
 }

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -1,4 +1,14 @@
 edges
+| testCryptoSwift.swift:38:21:38:41 | bytes :  | testCryptoSwift.swift:39:37:39:37 | bytes |
+| testCryptoSwift.swift:42:22:42:42 | bytes :  | testCryptoSwift.swift:43:38:43:38 | bytes |
+| testCryptoSwift.swift:60:10:60:10 | self :  | testCryptoSwift.swift:61:27:61:27 | self :  |
+| testCryptoSwift.swift:61:27:61:27 | self :  | testCryptoSwift.swift:38:21:38:41 | bytes :  |
+| testCryptoSwift.swift:64:10:64:10 | self :  | testCryptoSwift.swift:65:28:65:28 | self :  |
+| testCryptoSwift.swift:65:28:65:28 | self :  | testCryptoSwift.swift:42:22:42:42 | bytes :  |
+| testCryptoSwift.swift:120:20:120:20 | passwdArray :  | testCryptoSwift.swift:38:21:38:41 | bytes :  |
+| testCryptoSwift.swift:122:21:122:21 | passwdArray :  | testCryptoSwift.swift:42:22:42:42 | bytes :  |
+| testCryptoSwift.swift:127:9:127:9 | passwdArray :  | testCryptoSwift.swift:60:10:60:10 | self :  |
+| testCryptoSwift.swift:129:9:129:9 | passwdArray :  | testCryptoSwift.swift:64:10:64:10 | self :  |
 nodes
 | testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
@@ -13,6 +23,20 @@ nodes
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoSwift.swift:38:21:38:41 | bytes :  | semmle.label | bytes :  |
+| testCryptoSwift.swift:39:37:39:37 | bytes | semmle.label | bytes |
+| testCryptoSwift.swift:42:22:42:42 | bytes :  | semmle.label | bytes :  |
+| testCryptoSwift.swift:43:38:43:38 | bytes | semmle.label | bytes |
+| testCryptoSwift.swift:60:10:60:10 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:61:27:61:27 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:64:10:64:10 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:65:28:65:28 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:120:20:120:20 | passwdArray :  | semmle.label | passwdArray :  |
+| testCryptoSwift.swift:122:21:122:21 | passwdArray :  | semmle.label | passwdArray :  |
+| testCryptoSwift.swift:127:9:127:9 | passwdArray :  | semmle.label | passwdArray :  |
+| testCryptoSwift.swift:129:9:129:9 | passwdArray :  | semmle.label | passwdArray :  |
 subpaths
 #select
 | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
@@ -28,3 +52,9 @@ subpaths
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:120:20:120:20 | passwdArray :  | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:127:9:127:9 | passwdArray :  | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:122:21:122:21 | passwdArray :  | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:129:9:129:9 | passwdArray :  | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |

swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift

@@ -110,23 +110,23 @@ extension String {
 
 func testArrays(harmlessArray: Array<UInt8>, passwdArray: Array<UInt8>) {
     _ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = MD5().calculate(for: passwdArray) // BAD [NOT DETECTED]
+    _ = MD5().calculate(for: passwdArray) // BAD
     _ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = SHA1().calculate(for: passwdArray) // BAD [NOT DETECTED]
+    _ = SHA1().calculate(for: passwdArray) // BAD
     _ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
     _ = SHA2(variant: .sha512).calculate(for: passwdArray) // GOOD
 
     _ = Digest.md5(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.md5(passwdArray) // BAD [NOT DETECTED]
+    _ = Digest.md5(passwdArray) // BAD
     _ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.sha1(passwdArray) // BAD [NOT DETECTED]
+    _ = Digest.sha1(passwdArray) // BAD
     _ = Digest.sha512(harmlessArray) // GOOD
     _ = Digest.sha512(passwdArray) // GOOD
 
     _ = harmlessArray.md5() // GOOD (not sensitive)
-    _ = passwdArray.md5() // BAD [NOT DETECTED]
+    _ = passwdArray.md5() // BAD
     _ = harmlessArray.sha1() // GOOD (not sensitive)
-    _ = passwdArray.sha1() // BAD [NOT DETECTED]
+    _ = passwdArray.sha1() // BAD
     _ = harmlessArray.sha512() // GOOD
     _ = passwdArray.sha512() // GOOD
 }