Swift: Make append methods and string interpolation barriers for swift/constant-salt.

Author: geoffw0

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -79,7 +79,14 @@ private class DefaultSaltSink extends ConstantSaltSink {
  */
 private class AppendConstantSaltBarrier extends ConstantSaltBarrier {
   AppendConstantSaltBarrier() {
-    this.asExpr() = any(AddExpr ae).getAnOperand() or
+    this.asExpr() = any(AddExpr ae).getAnOperand()
+    or
     this.asExpr() = any(AssignAddExpr aae).getAnOperand()
+    or
+    exists(CallExpr ce |
+      ce.getStaticTarget().getName() =
+        ["append(_:)", "appending(_:)", "appendLiteral(_:)", "appendInterpolation(_:)"] and
+      this.asExpr() = ce.getAnArgument().getExpr()
+    )
   }
 }

swift/ql/test/query-tests/Security/CWE-760/ConstantSalt.expected

@@ -11,19 +11,8 @@ edges
 | rncryptor.swift:60:24:60:30 | call to Data.init(_:) | rncryptor.swift:76:152:76:152 | myConstantSalt2 | provenance |  |
 | rncryptor.swift:60:24:60:30 | call to Data.init(_:) | rncryptor.swift:79:160:79:160 | myConstantSalt2 | provenance |  |
 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:60:24:60:30 | call to Data.init(_:) | provenance |  |
-| rncryptor.swift:86:62:86:62 | 123 | rncryptor.swift:86:62:86:62 | "..." | provenance |  |
-| rncryptor.swift:86:62:86:62 | "..." | rncryptor.swift:86:57:86:91 | call to Data.init(_:) | provenance |  |
-| rncryptor.swift:86:87:86:87 | abc | rncryptor.swift:86:62:86:62 | "..." | provenance |  |
-| rncryptor.swift:87:62:87:62 | 123 | rncryptor.swift:87:62:87:62 | "..." | provenance |  |
-| rncryptor.swift:87:62:87:62 | "..." | rncryptor.swift:87:57:87:81 | call to Data.init(_:) | provenance |  |
-| rncryptor.swift:87:68:87:68 | const | rncryptor.swift:87:62:87:62 | "..." | provenance |  |
-| rncryptor.swift:87:76:87:76 | )abc | rncryptor.swift:87:62:87:62 | "..." | provenance |  |
 | rncryptor.swift:89:25:89:25 | 123 | rncryptor.swift:91:62:91:62 | myMutableString1 | provenance |  |
 | rncryptor.swift:91:62:91:62 | myMutableString1 | rncryptor.swift:91:57:91:78 | call to Data.init(_:) | provenance |  |
-| rncryptor.swift:94:2:94:2 | [post] myMutableString2 | rncryptor.swift:95:62:95:62 | myMutableString2 | provenance |  |
-| rncryptor.swift:94:26:94:26 | abc | rncryptor.swift:94:2:94:2 | [post] myMutableString2 | provenance |  |
-| rncryptor.swift:94:26:94:26 | abc | rncryptor.swift:95:62:95:62 | myMutableString2 | provenance | AdditionalTaintStep |
-| rncryptor.swift:95:62:95:62 | myMutableString2 | rncryptor.swift:95:57:95:78 | call to Data.init(_:) | provenance |  |
 | test.swift:29:3:29:3 | this string is constant | test.swift:33:10:33:28 | call to getConstantString() | provenance |  |
 | test.swift:33:2:33:34 | call to Array<Element>.init(_:) [Collection element] | test.swift:44:27:44:44 | call to getConstantArray() [Collection element] | provenance |  |
 | test.swift:33:10:33:28 | call to getConstantString() | test.swift:33:10:33:30 | .utf8 | provenance |  |
@@ -51,22 +40,9 @@ nodes
 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | semmle.label | myConstantSalt2 |
 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | semmle.label | myConstantSalt1 |
 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | semmle.label | myConstantSalt2 |
-| rncryptor.swift:86:57:86:91 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
-| rncryptor.swift:86:62:86:62 | 123 | semmle.label | 123 |
-| rncryptor.swift:86:62:86:62 | "..." | semmle.label | "..." |
-| rncryptor.swift:86:87:86:87 | abc | semmle.label | abc |
-| rncryptor.swift:87:57:87:81 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
-| rncryptor.swift:87:62:87:62 | 123 | semmle.label | 123 |
-| rncryptor.swift:87:62:87:62 | "..." | semmle.label | "..." |
-| rncryptor.swift:87:68:87:68 | const | semmle.label | const |
-| rncryptor.swift:87:76:87:76 | )abc | semmle.label | )abc |
 | rncryptor.swift:89:25:89:25 | 123 | semmle.label | 123 |
 | rncryptor.swift:91:57:91:78 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
 | rncryptor.swift:91:62:91:62 | myMutableString1 | semmle.label | myMutableString1 |
-| rncryptor.swift:94:2:94:2 | [post] myMutableString2 | semmle.label | [post] myMutableString2 |
-| rncryptor.swift:94:26:94:26 | abc | semmle.label | abc |
-| rncryptor.swift:95:57:95:78 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
-| rncryptor.swift:95:62:95:62 | myMutableString2 | semmle.label | myMutableString2 |
 | test.swift:29:3:29:3 | this string is constant | semmle.label | this string is constant |
 | test.swift:33:2:33:34 | call to Array<Element>.init(_:) [Collection element] | semmle.label | call to Array<Element>.init(_:) [Collection element] |
 | test.swift:33:10:33:28 | call to getConstantString() | semmle.label | call to getConstantString() |
@@ -93,13 +69,7 @@ subpaths
 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:76:152:76:152 | myConstantSalt2 | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 |
 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:59:29:59:29 | abcdef123456 | abcdef123456 |
 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | rncryptor.swift:60:29:60:29 | 0 | rncryptor.swift:79:160:79:160 | myConstantSalt2 | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:60:29:60:29 | 0 | 0 |
-| rncryptor.swift:86:57:86:91 | call to Data.init(_:) | rncryptor.swift:86:62:86:62 | 123 | rncryptor.swift:86:57:86:91 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:86:62:86:62 | 123 | 123 |
-| rncryptor.swift:86:57:86:91 | call to Data.init(_:) | rncryptor.swift:86:87:86:87 | abc | rncryptor.swift:86:57:86:91 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:86:87:86:87 | abc | abc |
-| rncryptor.swift:87:57:87:81 | call to Data.init(_:) | rncryptor.swift:87:62:87:62 | 123 | rncryptor.swift:87:57:87:81 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:87:62:87:62 | 123 | 123 |
-| rncryptor.swift:87:57:87:81 | call to Data.init(_:) | rncryptor.swift:87:68:87:68 | const | rncryptor.swift:87:57:87:81 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:87:68:87:68 | const | const |
-| rncryptor.swift:87:57:87:81 | call to Data.init(_:) | rncryptor.swift:87:76:87:76 | )abc | rncryptor.swift:87:57:87:81 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:87:76:87:76 | )abc | )abc |
 | rncryptor.swift:91:57:91:78 | call to Data.init(_:) | rncryptor.swift:89:25:89:25 | 123 | rncryptor.swift:91:57:91:78 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:89:25:89:25 | 123 | 123 |
-| rncryptor.swift:95:57:95:78 | call to Data.init(_:) | rncryptor.swift:94:26:94:26 | abc | rncryptor.swift:95:57:95:78 | call to Data.init(_:) | The value '$@' is used as a constant, which is insecure for hashing passwords. | rncryptor.swift:94:26:94:26 | abc | abc |
 | test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:51:49:51:49 | constantSalt | The value '$@' is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] |
 | test.swift:52:49:52:49 | constantStringSalt | test.swift:29:3:29:3 | this string is constant | test.swift:52:49:52:49 | constantStringSalt | The value '$@' is used as a constant, which is insecure for hashing passwords. | test.swift:29:3:29:3 | this string is constant | this string is constant |
 | test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] | test.swift:56:59:56:59 | constantSalt | The value '$@' is used as a constant, which is insecure for hashing passwords. | test.swift:43:35:43:130 | [...] | [...] |

swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift

@@ -83,16 +83,16 @@ func test(myPassword: String) {
 	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123" + getARandomString()), settings: myKeyDerivationSettings) // GOOD
 	let _ = myEncryptor.key(forPassword: myPassword, salt: Data(getARandomString() + "abc"), settings: myKeyDerivationSettings) // GOOD
 	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123" + "abc"), settings: myKeyDerivationSettings) // BAD (constant salt) [NOT DETECTED]
-	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123\(getARandomString())abc"), settings: myKeyDerivationSettings) // GOOD [FALSE POSITIVE]
-	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123\("const"))abc"), settings: myKeyDerivationSettings) // BAD (constant salt)
+	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123\(getARandomString())abc"), settings: myKeyDerivationSettings) // GOOD
+	let _ = myEncryptor.key(forPassword: myPassword, salt: Data("123\("const"))abc"), settings: myKeyDerivationSettings) // BAD (constant salt) [NOT DETECTED]
 
 	var myMutableString1 = "123"
 	myMutableString1.append(getARandomString())
 	let _ = myEncryptor.key(forPassword: myPassword, salt: Data(myMutableString1), settings: myKeyDerivationSettings) // GOOD [FALSE POSITIVE]
 
 	var myMutableString2 = getARandomString()
 	myMutableString2.append("abc")
-	let _ = myEncryptor.key(forPassword: myPassword, salt: Data(myMutableString2), settings: myKeyDerivationSettings) // GOOD [FALSE POSITIVE]
+	let _ = myEncryptor.key(forPassword: myPassword, salt: Data(myMutableString2), settings: myKeyDerivationSettings) // GOOD
 
 	var myMutableString3 = "123"
 	myMutableString3 += getARandomString()