Merge pull request github#12833 from geoffw0/addmodels

Swift: Add some sink models

Author: geoffw0

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -97,9 +97,12 @@ private module Frameworks {
   private import codeql.swift.frameworks.Alamofire.Alamofire
   private import codeql.swift.security.CleartextLoggingExtensions
   private import codeql.swift.security.CleartextStorageDatabaseExtensions
+  private import codeql.swift.security.ECBEncryptionExtensions
+  private import codeql.swift.security.HardcodedEncryptionKeyExtensions
   private import codeql.swift.security.PathInjectionExtensions
   private import codeql.swift.security.PredicateInjectionExtensions
   private import codeql.swift.security.StringLengthConflationExtensions
+  private import codeql.swift.security.WeakSensitiveDataHashingExtensions
 }
 
 /**

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -57,11 +57,24 @@ private class RnCryptorEncryptionKeySink extends HardcodedEncryptionKeySink {
         ] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
-      call.getArgumentWithLabel(["encryptionKey", "withEncryptionKey"]).getExpr() = this.asExpr()
+      call.getArgumentWithLabel(["encryptionKey", "withEncryptionKey", "hmacKey"]).getExpr() =
+        this.asExpr()
     )
   }
 }
 
+private class EncryptionKeySinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // Realm database library.
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[3];encryption-key",
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[3];encryption-key",
+        ";Realm.Configuration;true;encryptionKey;;;;encryption-key",
+      ]
+  }
+}
+
 /**
  * A sink defined in a CSV model.
  */

swift/ql/lib/codeql/swift/security/PathInjectionExtensions.qll

@@ -127,7 +127,13 @@ private class PathInjectionSinks extends SinkModelCsv {
         ";DatabasePool;true;init(path:configuration:);;;Argument[0];path-injection",
         ";DatabaseQueue;true;init(path:configuration:);;;Argument[0];path-injection",
         ";DatabaseSnapshotPool;true;init(path:configuration:);;;Argument[0];path-injection",
-        ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection"
+        ";SerializedDatabase;true;init(path:configuration:defaultLabel:purpose:);;;Argument[0];path-injection",
+        // Realm
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:);;;Argument[0];path-injection",
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[0];path-injection",
+        ";Realm.Configuration;true;init(fileURL:inMemoryIdentifier:syncConfiguration:encryptionKey:readOnly:schemaVersion:migrationBlock:deleteRealmIfMigrationNeeded:shouldCompactOnLaunch:objectTypes:seedFilePath:);;;Argument[10];path-injection",
+        ";Realm.Configuration;true;fileURL;;;;path-injection",
+        ";Realm.Configuration;true;seedFilePath;;;;path-injection",
       ]
   }
 }

swift/ql/test/query-tests/Security/CWE-022/testPathInjection.swift

@@ -0,0 +1,46 @@
+
+// --- stubs ---
+
+class Data {
+    init<S>(_ elements: S) {}
+}
+
+struct URL {
+    init(fileURLWithPath path: String, isDirectory: Bool) {}
+}
+
+class Realm {
+}
+
+extension Realm {
+	struct Configuration {
+		init(
+			fileURL: URL? = URL(fileURLWithPath: "defaultFile", isDirectory: false),
+			inMemoryIdentifier: String? = nil,
+			syncConfiguration: Int = 0,
+			encryptionKey: Data? = nil,
+			readOnly: Bool = false,
+			schemaVersion: UInt64 = 0,
+			migrationBlock: Int = 0,
+			deleteRealmIfMigrationNeeded: Bool = false,
+			shouldCompactOnLaunch: Bool = false,
+			objectTypes: Int = 0,
+			seedFilePath: URL? = nil) { }
+
+		var encryptionKey: Data?
+	}
+}
+
+// --- tests ---
+
+func test(myVarStr: String) {
+	let myVarKey = Data(myVarStr)
+	let myConstKey = Data("abcdef123456")
+
+	_ = Realm.Configuration(encryptionKey: myVarKey) // GOOD
+	_ = Realm.Configuration(encryptionKey: myConstKey) // BAD
+
+	var config = Realm.Configuration() // GOOD
+	config.encryptionKey = myVarKey // GOOD
+	config.encryptionKey = myConstKey // BAD [NOT DETECTED]
+}

swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected

@@ -52,16 +52,16 @@ class RNDecryptor : RNCryptor
 
 // --- tests ---
 
-func test() {
+func test(var myVarKey: Data, var myHMACKey: Data) {
 	// RNCryptor
 	let myEncryptor = RNEncryptor()
 	let myDecryptor = RNDecryptor()
 	let myData = Data(0)
 	let myConstKey = Data("abcdef123456")
-	let myHMACKey = Data(0)
 	let myHandler = {}
 	let myIV = Data(0)
 
+	let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myVarKey, hmacKey: myHMACKey, handler: myHandler) // GOOD
 	let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myConstKey, hmacKey: myHMACKey, handler: myHandler) // BAD
 	let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myConstKey, HMACKey: myHMACKey, handler: myHandler) // BAD
 	let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myConstKey, hmacKey: myHMACKey, iv: myIV, handler: myHandler) // BAD
@@ -79,4 +79,6 @@ func test() {
 	let _ = try? myDecryptor.decryptData(myData, withEncryptionKey: myConstKey, HMACKey: myHMACKey) // BAD
 	let _ = try? myDecryptor.decryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myConstKey, hmacKey: myHMACKey) // BAD
 	let _ = try? myDecryptor.decryptData(myData, withSettings: kRNCryptorAES256Settings, encryptionKey: myConstKey, HMACKey: myHMACKey) // BAD
+
+	let _ = RNEncryptor(settings: kRNCryptorAES256Settings, encryptionKey: myVarKey, hmacKey: myConstKey, handler: myHandler) // BAD
 }