Swift: Add a few more test cases.

geoffw0 · geoffw0 · commit 9683a951628d · 2022-09-06T13:37:48.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -1,16 +1,70 @@
 edges
+| testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  |
+| testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  |
+| testSend.swift:45:13:45:13 | password :  | testSend.swift:52:27:52:27 | str1 |
+| testSend.swift:46:13:46:13 | password :  | testSend.swift:53:27:53:27 | str2 |
+| testSend.swift:47:13:47:25 | call to pad(_:) :  | testSend.swift:54:27:54:27 | str3 |
+| testSend.swift:47:17:47:17 | password :  | testSend.swift:41:10:41:18 | data :  |
+| testSend.swift:47:17:47:17 | password :  | testSend.swift:47:13:47:25 | call to pad(_:) :  |
+| testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  | testSend.swift:55:27:55:27 | str4 |
+| testSend.swift:48:23:48:23 | password :  | testSend.swift:42:16:42:24 | data :  |
+| testSend.swift:48:23:48:23 | password :  | testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  |
+| testSend.swift:49:13:49:36 | call to pad(_:) :  | testSend.swift:56:27:56:27 | str5 |
+| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:41:10:41:18 | data :  |
+| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:49:13:49:36 | call to pad(_:) :  |
+| testSend.swift:49:27:49:27 | password :  | testSend.swift:42:16:42:24 | data :  |
+| testSend.swift:49:27:49:27 | password :  | testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  |
+| testSend.swift:50:13:50:36 | call to aes_crypt(_:) :  | testSend.swift:57:27:57:27 | str6 |
+| testSend.swift:50:23:50:35 | call to pad(_:) :  | testSend.swift:42:16:42:24 | data :  |
+| testSend.swift:50:23:50:35 | call to pad(_:) :  | testSend.swift:50:13:50:36 | call to aes_crypt(_:) :  |
+| testSend.swift:50:27:50:27 | password :  | testSend.swift:41:10:41:18 | data :  |
+| testSend.swift:50:27:50:27 | password :  | testSend.swift:50:23:50:35 | call to pad(_:) :  |
 | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
 nodes
 | testSend.swift:29:19:29:19 | passwordPlain | semmle.label | passwordPlain |
+| testSend.swift:41:10:41:18 | data :  | semmle.label | data :  |
+| testSend.swift:41:45:41:45 | data :  | semmle.label | data :  |
+| testSend.swift:42:16:42:24 | data :  | semmle.label | data :  |
+| testSend.swift:42:51:42:51 | data :  | semmle.label | data :  |
+| testSend.swift:45:13:45:13 | password :  | semmle.label | password :  |
+| testSend.swift:46:13:46:13 | password :  | semmle.label | password :  |
+| testSend.swift:47:13:47:25 | call to pad(_:) :  | semmle.label | call to pad(_:) :  |
+| testSend.swift:47:17:47:17 | password :  | semmle.label | password :  |
+| testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  | semmle.label | call to aes_crypt(_:) :  |
+| testSend.swift:48:23:48:23 | password :  | semmle.label | password :  |
+| testSend.swift:49:13:49:36 | call to pad(_:) :  | semmle.label | call to pad(_:) :  |
+| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | semmle.label | call to aes_crypt(_:) :  |
+| testSend.swift:49:27:49:27 | password :  | semmle.label | password :  |
+| testSend.swift:50:13:50:36 | call to aes_crypt(_:) :  | semmle.label | call to aes_crypt(_:) :  |
+| testSend.swift:50:23:50:35 | call to pad(_:) :  | semmle.label | call to pad(_:) :  |
+| testSend.swift:50:27:50:27 | password :  | semmle.label | password :  |
+| testSend.swift:52:27:52:27 | str1 | semmle.label | str1 |
+| testSend.swift:53:27:53:27 | str2 | semmle.label | str2 |
+| testSend.swift:54:27:54:27 | str3 | semmle.label | str3 |
+| testSend.swift:55:27:55:27 | str4 | semmle.label | str4 |
+| testSend.swift:56:27:56:27 | str5 | semmle.label | str5 |
+| testSend.swift:57:27:57:27 | str6 | semmle.label | str6 |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:13:54:13:54 | passwd :  | semmle.label | passwd :  |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no :  | semmle.label | credit_card_no :  |
 | testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
 subpaths
+| testSend.swift:47:17:47:17 | password :  | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  | testSend.swift:47:13:47:25 | call to pad(_:) :  |
+| testSend.swift:48:23:48:23 | password :  | testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  | testSend.swift:48:13:48:31 | call to aes_crypt(_:) :  |
+| testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  | testSend.swift:49:13:49:36 | call to pad(_:) :  |
+| testSend.swift:49:27:49:27 | password :  | testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  | testSend.swift:49:17:49:35 | call to aes_crypt(_:) :  |
+| testSend.swift:50:23:50:35 | call to pad(_:) :  | testSend.swift:42:16:42:24 | data :  | testSend.swift:42:51:42:51 | data :  | testSend.swift:50:13:50:36 | call to aes_crypt(_:) :  |
+| testSend.swift:50:27:50:27 | password :  | testSend.swift:41:10:41:18 | data :  | testSend.swift:41:45:41:45 | data :  | testSend.swift:50:23:50:35 | call to pad(_:) :  |
 #select
 | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@ | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
+| testSend.swift:52:27:52:27 | str1 | testSend.swift:45:13:45:13 | password :  | testSend.swift:52:27:52:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@ | testSend.swift:45:13:45:13 | password :  | password |
+| testSend.swift:53:27:53:27 | str2 | testSend.swift:46:13:46:13 | password :  | testSend.swift:53:27:53:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@ | testSend.swift:46:13:46:13 | password :  | password |
+| testSend.swift:54:27:54:27 | str3 | testSend.swift:47:17:47:17 | password :  | testSend.swift:54:27:54:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@ | testSend.swift:47:17:47:17 | password :  | password |
+| testSend.swift:55:27:55:27 | str4 | testSend.swift:48:23:48:23 | password :  | testSend.swift:55:27:55:27 | str4 | This operation transmits 'str4', which may contain unencrypted sensitive data from $@ | testSend.swift:48:23:48:23 | password :  | password |
+| testSend.swift:56:27:56:27 | str5 | testSend.swift:49:27:49:27 | password :  | testSend.swift:56:27:56:27 | str5 | This operation transmits 'str5', which may contain unencrypted sensitive data from $@ | testSend.swift:49:27:49:27 | password :  | password |
+| testSend.swift:57:27:57:27 | str6 | testSend.swift:50:27:50:27 | password :  | testSend.swift:57:27:57:27 | str6 | This operation transmits 'str6', which may contain unencrypted sensitive data from $@ | testSend.swift:50:27:50:27 | password :  | password |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd :  | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:13:54:13:54 | passwd :  | passwd |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no :  | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@ | testURL.swift:16:55:16:55 | credit_card_no :  | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@ | testURL.swift:20:22:20:22 | passwd | passwd |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -25,6 +25,12 @@
 | testSend.swift:30:19:30:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
 | testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
 | testSend.swift:34:19:34:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
+| testSend.swift:45:13:45:13 | password | label:password, type:credential |
+| testSend.swift:46:13:46:13 | password | label:password, type:credential |
+| testSend.swift:47:17:47:17 | password | label:password, type:credential |
+| testSend.swift:48:23:48:23 | password | label:password, type:credential |
+| testSend.swift:49:27:49:27 | password | label:password, type:credential |
+| testSend.swift:50:27:50:27 | password | label:password, type:credential |
 | testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
 | testURL.swift:14:54:14:54 | encrypted_passwd | isProbablySafe, label:encrypted_passwd, type:credential |
 | testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testSend.swift b/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
@@ -37,3 +37,22 @@ func test1(passwordPlain : String, passwordHash : String) {
 	nw.send(content: data2, completion: .idempotent) // BAD [NOT DETECTED]
 	nw.send(content: data3, completion: .idempotent) // GOOD (not sensitive)
 }
+
+func pad(_ data: String) -> String { return data }
+func aes_crypt(_ data: String) -> String { return data }
+
+func test2(password : String, connection : NWConnection) {
+	let str1 = password
+	let str2 = password + " "
+	let str3 = pad(password)
+	let str4 = aes_crypt(password)
+	let str5 = pad(aes_crypt(password))
+	let str6 = aes_crypt(pad(password))
+
+	connection.send(content: str1, completion: .idempotent) // BAD
+	connection.send(content: str2, completion: .idempotent) // BAD
+	connection.send(content: str3, completion: .idempotent) // BAD
+	connection.send(content: str4, completion: .idempotent) // GOOD (encrypted) [FALSE POSITIVE]
+	connection.send(content: str5, completion: .idempotent) // GOOD (encrypted) [FALSE POSITIVE]
+	connection.send(content: str6, completion: .idempotent) // GOOD (encrypted) [FALSE POSITIVE]
+}
