Swift: Add mid-level CryptoSwift sinks and prevent duplication that results. Overall this doesn't give us any new results in tests, but makes paths shorter, and in the real world I expect it to add reliability.

Author: geoffw0

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll

@@ -53,6 +53,8 @@ private class WeakHashingSinks extends SinkModelCsv {
         ";SHA1;true;calculate(for:);;;Argument[0];weak-hash-input-SHA1",
         ";SHA1;true;callAsFunction(_:);;;Argument[0];weak-hash-input-SHA1",
         ";SHA1;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-SHA1",
+        ";Digest;true;md5(_:);;;Argument[0];weak-hash-input-MD5",
+        ";Digest;true;sha1(_:);;;Argument[0];weak-hash-input-SHA1",
       ]
   }
 }

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll

@@ -25,6 +25,11 @@ module WeakHashingConfig implements DataFlow::ConfigSig {
     isSource(node)
   }
 
+  predicate isBarrierOut(DataFlow::Node node) {
+    // make sinks barriers so that we only report the closest instance
+    isSink(node)
+  }
+
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(WeakSensitiveDataHashingAdditionalTaintStep s).step(nodeFrom, nodeTo)
   }

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -1,12 +1,6 @@
 edges
-| testCryptoSwift.swift:38:21:38:41 | bytes :  | testCryptoSwift.swift:39:37:39:37 | bytes |
-| testCryptoSwift.swift:42:22:42:42 | bytes :  | testCryptoSwift.swift:43:38:43:38 | bytes |
-| testCryptoSwift.swift:60:10:60:10 | self :  | testCryptoSwift.swift:61:27:61:27 | self :  |
-| testCryptoSwift.swift:61:27:61:27 | self :  | testCryptoSwift.swift:38:21:38:41 | bytes :  |
-| testCryptoSwift.swift:64:10:64:10 | self :  | testCryptoSwift.swift:65:28:65:28 | self :  |
-| testCryptoSwift.swift:65:28:65:28 | self :  | testCryptoSwift.swift:42:22:42:42 | bytes :  |
-| testCryptoSwift.swift:120:20:120:20 | passwdArray :  | testCryptoSwift.swift:38:21:38:41 | bytes :  |
-| testCryptoSwift.swift:122:21:122:21 | passwdArray :  | testCryptoSwift.swift:42:22:42:42 | bytes :  |
+| testCryptoSwift.swift:60:10:60:10 | self :  | testCryptoSwift.swift:61:27:61:27 | self |
+| testCryptoSwift.swift:64:10:64:10 | self :  | testCryptoSwift.swift:65:28:65:28 | self |
 | testCryptoSwift.swift:127:9:127:9 | passwdArray :  | testCryptoSwift.swift:60:10:60:10 | self :  |
 | testCryptoSwift.swift:129:9:129:9 | passwdArray :  | testCryptoSwift.swift:64:10:64:10 | self :  |
 nodes
@@ -23,18 +17,14 @@ nodes
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
-| testCryptoSwift.swift:38:21:38:41 | bytes :  | semmle.label | bytes :  |
-| testCryptoSwift.swift:39:37:39:37 | bytes | semmle.label | bytes |
-| testCryptoSwift.swift:42:22:42:42 | bytes :  | semmle.label | bytes :  |
-| testCryptoSwift.swift:43:38:43:38 | bytes | semmle.label | bytes |
 | testCryptoSwift.swift:60:10:60:10 | self :  | semmle.label | self :  |
-| testCryptoSwift.swift:61:27:61:27 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:61:27:61:27 | self | semmle.label | self |
 | testCryptoSwift.swift:64:10:64:10 | self :  | semmle.label | self :  |
-| testCryptoSwift.swift:65:28:65:28 | self :  | semmle.label | self :  |
+| testCryptoSwift.swift:65:28:65:28 | self | semmle.label | self |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:120:20:120:20 | passwdArray :  | semmle.label | passwdArray :  |
-| testCryptoSwift.swift:122:21:122:21 | passwdArray :  | semmle.label | passwdArray :  |
+| testCryptoSwift.swift:120:20:120:20 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:122:21:122:21 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:127:9:127:9 | passwdArray :  | semmle.label | passwdArray :  |
 | testCryptoSwift.swift:129:9:129:9 | passwdArray :  | semmle.label | passwdArray :  |
 subpaths
@@ -52,9 +42,9 @@ subpaths
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:120:20:120:20 | passwdArray :  | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
-| testCryptoSwift.swift:39:37:39:37 | bytes | testCryptoSwift.swift:127:9:127:9 | passwdArray :  | testCryptoSwift.swift:39:37:39:37 | bytes | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
-| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:122:21:122:21 | passwdArray :  | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |
-| testCryptoSwift.swift:43:38:43:38 | bytes | testCryptoSwift.swift:129:9:129:9 | passwdArray :  | testCryptoSwift.swift:43:38:43:38 | bytes | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:61:27:61:27 | self | testCryptoSwift.swift:127:9:127:9 | passwdArray :  | testCryptoSwift.swift:61:27:61:27 | self | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:65:28:65:28 | self | testCryptoSwift.swift:129:9:129:9 | passwdArray :  | testCryptoSwift.swift:65:28:65:28 | self | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |