
Commit cdcee5c

committed
Swift: Add high-level CryptoSwift sinks.
1 parent 539f8f0 commit cdcee5c


3 files changed

+22
-16
lines changed


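--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -55,6 +55,12 @@ private class WeakHashingSinks extends SinkModelCsv {
 ";SHA1;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-SHA1",
 ";Digest;true;md5(_:);;;Argument[0];weak-hash-input-MD5",
 ";Digest;true;sha1(_:);;;Argument[0];weak-hash-input-SHA1",
+";Array;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";Array;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
+";Data;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";Data;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
+";String;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";String;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
 ]
 }
 }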
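Review bot: The six new rows are the first entries in this hunk to use `Argument[-1]` instead of `Argument[0]`, and nothing in the list says that `-1` selects the receiver, so the next person adding a CryptoSwift model has to know the MaD convention by heart; a line comment above the `Array` row, `// receiver-based convenience methods: Argument[-1] is the value being hashed`, would make the difference from the `update(withBytes:isLast:)` row explicit. Because the namespace column is left empty, as in the existing rows, these sinks presumably match any zero-argument `md5()`/`sha1()` on `Array`, `Data` or `String` regardless of which module defines the extension, which is the intended breadth for a weak-hash query but worth stating in that same comment. The enclosing `WeakHashingSinks` class starts before the hunk, so any header comment on the model list is not visible here.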

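--- a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
+++ b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
@@ -1,8 +1,4 @@
 edges
-| testCryptoSwift.swift:60:10:60:10 | self : | testCryptoSwift.swift:61:27:61:27 | self |
-| testCryptoSwift.swift:64:10:64:10 | self : | testCryptoSwift.swift:65:28:65:28 | self |
-| testCryptoSwift.swift:127:9:127:9 | passwdArray : | testCryptoSwift.swift:60:10:60:10 | self : |
-| testCryptoSwift.swift:129:9:129:9 | passwdArray : | testCryptoSwift.swift:64:10:64:10 | self : |
 nodes
 | testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
@@ -17,16 +13,16 @@ nodes
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
-| testCryptoSwift.swift:60:10:60:10 | self : | semmle.label | self : |
-| testCryptoSwift.swift:61:27:61:27 | self | semmle.label | self |
-| testCryptoSwift.swift:64:10:64:10 | self : | semmle.label | self : |
-| testCryptoSwift.swift:65:28:65:28 | self | semmle.label | self |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:120:20:120:20 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:122:21:122:21 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:127:9:127:9 | passwdArray : | semmle.label | passwdArray : |
-| testCryptoSwift.swift:129:9:129:9 | passwdArray : | semmle.label | passwdArray : |
+| testCryptoSwift.swift:127:9:127:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:129:9:129:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:136:9:136:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:138:9:138:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:145:9:145:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:147:9:147:9 | passwd | semmle.label | passwd |
 subpaths
 #select
 | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
@@ -42,9 +38,13 @@ subpaths
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCryptoSwift.swift:61:27:61:27 | self | testCryptoSwift.swift:127:9:127:9 | passwdArray : | testCryptoSwift.swift:61:27:61:27 | self | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
-| testCryptoSwift.swift:65:28:65:28 | self | testCryptoSwift.swift:129:9:129:9 | passwdArray : | testCryptoSwift.swift:65:28:65:28 | self | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
+| testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:136:9:136:9 | passwdData | sensitive data (credential passwdData) |
+| testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:138:9:138:9 | passwdData | sensitive data (credential passwdData) |
+| testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:145:9:145:9 | passwd | sensitive data (credential passwd) |
+| testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:147:9:147:9 | passwd | sensitive data (credential passwd) |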

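--- a/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
+++ b/swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift
@@ -133,18 +133,18 @@ func testArrays(harmlessArray: Array<UInt8>, passwdArray: Array<UInt8>) {
 
 func testData(harmlessData: Data, passwdData: Data) {
 _ = harmlessData.md5() // GOOD (not sensitive)
-_ = passwdData.md5() // BAD [NOT DETECTED]
+_ = passwdData.md5() // BAD
 _ = harmlessData.sha1() // GOOD (not sensitive)
-_ = passwdData.sha1() // BAD [NOT DETECTED]
+_ = passwdData.sha1() // BAD
 _ = harmlessData.sha512() // GOOD
 _ = passwdData.sha512() // GOOD
 }
 
 func testStrings(passwd: String) {
 _ = "harmless".md5() // GOOD (not sensitive)
-_ = passwd.md5() // BAD [NOT DETECTED]
+_ = passwd.md5() // BAD
 _ = "harmless".sha1() // GOOD (not sensitive)
-_ = passwd.sha1() // BAD [NOT DETECTED]
+_ = passwd.sha1() // BAD
 _ = "harmless".sha512() // GOOD
 _ = passwd.sha512() // GOOD
 }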
