
Commit d94ed1b

authored
Merge pull request github#12824 from geoffw0/modernsec4
Swift: Add CryptoSwift sinks in swift/weak-sensitive-data-hashing
2 parents 38826c9 + cdcee5c commit d94ed1b


5 files changed

+221
-38
lines changed


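--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -46,6 +46,21 @@ private class WeakHashingSinks extends SinkModelCsv {
 ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
 ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
 ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
+// CryptoSwift
+";MD5;true;calculate(for:);;;Argument[0];weak-hash-input-MD5",
+";MD5;true;callAsFunction(_:);;;Argument[0];weak-hash-input-MD5",
+";MD5;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-MD5",
+";SHA1;true;calculate(for:);;;Argument[0];weak-hash-input-SHA1",
+";SHA1;true;callAsFunction(_:);;;Argument[0];weak-hash-input-SHA1",
+";SHA1;true;update(withBytes:isLast:);;;Argument[0];weak-hash-input-SHA1",
+";Digest;true;md5(_:);;;Argument[0];weak-hash-input-MD5",
+";Digest;true;sha1(_:);;;Argument[0];weak-hash-input-SHA1",
+";Array;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";Array;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
+";Data;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";Data;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
+";String;true;md5();;;Argument[-1];weak-hash-input-MD5",
+";String;true;sha1();;;Argument[-1];weak-hash-input-SHA1",
 ]
 }
 }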

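--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
@@ -20,6 +20,16 @@ module WeakHashingConfig implements DataFlow::ConfigSig {
 
 predicate isBarrier(DataFlow::Node node) { node instanceof WeakSensitiveDataHashingSanitizer }
 
+predicate isBarrierIn(DataFlow::Node node) {
+// make sources barriers so that we only report the closest instance
+isSource(node)
+}
+
+predicate isBarrierOut(DataFlow::Node node) {
+// make sinks barriers so that we only report the closest instance
+isSink(node)
+}
+
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(WeakSensitiveDataHashingAdditionalTaintStep s).step(nodeFrom, nodeTo)
 }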
Lines changed: 46 additions & 38 deletions
@@ -1,42 +1,50 @@
11
edges
2-
| testCrypto.swift:56:47:56:47 | passwd : | testCrypto.swift:63:44:63:44 | passwd |
3-
| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no |
4-
| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no : |
5-
| testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no |
6-
| testCrypto.swift:61:43:61:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no |
72
nodes
8-
| testCrypto.swift:56:47:56:47 | passwd | semmle.label | passwd |
9-
| testCrypto.swift:56:47:56:47 | passwd : | semmle.label | passwd : |
10-
| testCrypto.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
11-
| testCrypto.swift:60:43:60:43 | credit_card_no : | semmle.label | credit_card_no : |
12-
| testCrypto.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
13-
| testCrypto.swift:61:43:61:43 | credit_card_no : | semmle.label | credit_card_no : |
14-
| testCrypto.swift:63:44:63:44 | passwd | semmle.label | passwd |
15-
| testCrypto.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
16-
| testCrypto.swift:90:23:90:23 | passwd | semmle.label | passwd |
17-
| testCrypto.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
18-
| testCrypto.swift:99:23:99:23 | passwd | semmle.label | passwd |
19-
| testCrypto.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
20-
| testCrypto.swift:132:32:132:32 | passwd | semmle.label | passwd |
21-
| testCrypto.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
22-
| testCrypto.swift:141:32:141:32 | passwd | semmle.label | passwd |
23-
| testCrypto.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
3+
| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
4+
| testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
5+
| testCryptoKit.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
6+
| testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
7+
| testCryptoKit.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
8+
| testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
9+
| testCryptoKit.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
10+
| testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
11+
| testCryptoKit.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
12+
| testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
13+
| testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
14+
| testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
15+
| testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
16+
| testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
17+
| testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
18+
| testCryptoSwift.swift:120:20:120:20 | passwdArray | semmle.label | passwdArray |
19+
| testCryptoSwift.swift:122:21:122:21 | passwdArray | semmle.label | passwdArray |
20+
| testCryptoSwift.swift:127:9:127:9 | passwdArray | semmle.label | passwdArray |
21+
| testCryptoSwift.swift:129:9:129:9 | passwdArray | semmle.label | passwdArray |
22+
| testCryptoSwift.swift:136:9:136:9 | passwdData | semmle.label | passwdData |
23+
| testCryptoSwift.swift:138:9:138:9 | passwdData | semmle.label | passwdData |
24+
| testCryptoSwift.swift:145:9:145:9 | passwd | semmle.label | passwd |
25+
| testCryptoSwift.swift:147:9:147:9 | passwd | semmle.label | passwd |
2426
subpaths
2527
#select
26-
| testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
27-
| testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
28-
| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
29-
| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
30-
| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:56:47:56:47 | passwd : | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
31-
| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
32-
| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
33-
| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no : | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
34-
| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
35-
| testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
36-
| testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
37-
| testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
38-
| testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
39-
| testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
40-
| testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
41-
| testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
42-
| testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
28+
| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
29+
| testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
30+
| testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
31+
| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
32+
| testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
33+
| testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
34+
| testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
35+
| testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
36+
| testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
37+
| testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
38+
| testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
39+
| testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
40+
| testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
41+
| testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
42+
| testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |
43+
| testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | sensitive data (credential passwdArray) |
44+
| testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | sensitive data (credential passwdArray) |
45+
| testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | sensitive data (credential passwdArray) |
46+
| testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | sensitive data (credential passwdArray) |
47+
| testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:136:9:136:9 | passwdData | sensitive data (credential passwdData) |
48+
| testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:138:9:138:9 | passwdData | sensitive data (credential passwdData) |
49+
| testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:145:9:145:9 | passwd | sensitive data (credential passwd) |
50+
| testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:147:9:147:9 | passwd | sensitive data (credential passwd) |
