Skip to content

Commit 0ff84b4

Browse files
geoffw0geoffw0
committed
Swift: Create examples for the .qhelp in Swift, and test them.
1 parent 363ec0a commit 0ff84b4

File tree

6 files changed

+158
-116
lines changed

6 files changed

+158
-116
lines changed

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashingBad.swift

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,8 @@
1-
using var sha512 = System.Security.Cryptography.SHA512.Create();
1+
let passwordData = Data(passwordString.utf8)
2+
let passwordHash = Crypto.SHA512.hash(data: passwordData)
23

3-
var data = sha512.ComputeHash(Encoding.UTF8.GetBytes(content)); // BAD
4+
// ...
5+
6+
if Crypto.SHA512.hash(data: Data(passwordString.utf8)) == passwordHash {
7+
// ...
8+
}

swift/ql/src/queries/Security/CWE-328/WeakPasswordHashingGood.swift

Lines changed: 7 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -1,51 +1,11 @@
1-
using System.Security.Cryptography;
2-
using Konscious.Security.Cryptography; // use NuGet package Konscious.Security.Cryptography.Argon2
1+
import Argon2Swift
32

4-
// See https://github.com/kmaragon/Konscious.Security.Cryptography#konscioussecuritycryptographyargon2
3+
let salt = Salt.newSalt()
4+
let result = try! Argon2Swift.hashPasswordString(password: passwordString, salt: salt)
5+
let passwordHash = result.encodedString()
56

6-
public class Argon2Hasher
7-
{
8-
public byte[] ComputeHash(byte[] password, byte[] salt)
9-
{
10-
// choose Argon2i, Argon2id or Argon2d as appropriate
11-
using var argon2 = new Argon2id(password);
12-
argon2.Salt = salt;
7+
// ...
138

14-
// read the Argon2 documentation to understand these parameters, and reference:
15-
// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
16-
argon2.DegreeOfParallelism = 4; // number of threads you can spawn on your system - the higher, the better
17-
argon2.Iterations = 5; // set as high as your system can manage, within time constraints
18-
argon2.MemorySize = 1024 * 2048; // 2GB RAM, for example - set this as high as you can, within memory limits on your system
19-
20-
return argon2.GetBytes(32);
21-
}
22-
23-
// use a fixed-time comparison to avoid timing attacks
24-
public bool Equals(byte[] hash1, byte[] hash2) => CryptographicOperations.FixedTimeEquals(hash1, hash2);
25-
26-
// generate a salt securely with a cryptographic random number generator
27-
public static byte[] GenerateSalt()
28-
{
29-
var buffer = new byte[32];
30-
using var rng = new RNGCryptoServiceProvider();
31-
rng.GetBytes(buffer);
32-
return buffer;
33-
}
34-
}
35-
36-
var argon2 = new Argon2Hasher();
37-
38-
// Create the hash
39-
var bytes = Encoding.UTF8.GetBytes("this is a password"); // it should not be hardcoded in reality, but this is just a demo
40-
var salt = Argon2Hasher.GenerateSalt(); // salt is kept with hash; it is not secret, just unique per hash
41-
var hash = argon2.ComputeHash(bytes, salt);
42-
43-
// Check the hash - this will trivially always pass, but in reality you would have to retrieve the hash for the comparison
44-
if(argon2id.Equals(argon2.ComputeHash(bytes, salt), hash))
45-
{
46-
Console.WriteLine("PASS");
47-
}
48-
else
49-
{
50-
Console.WriteLine("FAIL");
9+
if try! Argon2Swift.verifyHashString(password: passwordString, hash: passwordHash) {
10+
// ...
5111
}

swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected

Lines changed: 38 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,26 @@
11
edges
2+
| testCryptoKit.swift:193:38:193:38 | passwordString | testCryptoKit.swift:193:38:193:53 | .utf8 |
3+
| testCryptoKit.swift:193:38:193:53 | .utf8 | testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) |
24
nodes
3-
| testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
4-
| testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
5-
| testCryptoKit.swift:69:37:69:37 | passwd | semmle.label | passwd |
6-
| testCryptoKit.swift:75:37:75:37 | passwd | semmle.label | passwd |
7-
| testCryptoKit.swift:81:37:81:37 | passwd | semmle.label | passwd |
8-
| testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
9-
| testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
10-
| testCryptoKit.swift:108:23:108:23 | passwd | semmle.label | passwd |
11-
| testCryptoKit.swift:117:23:117:23 | passwd | semmle.label | passwd |
12-
| testCryptoKit.swift:126:23:126:23 | passwd | semmle.label | passwd |
13-
| testCryptoKit.swift:135:32:135:32 | passwd | semmle.label | passwd |
14-
| testCryptoKit.swift:144:32:144:32 | passwd | semmle.label | passwd |
15-
| testCryptoKit.swift:153:32:153:32 | passwd | semmle.label | passwd |
16-
| testCryptoKit.swift:162:32:162:32 | passwd | semmle.label | passwd |
17-
| testCryptoKit.swift:171:32:171:32 | passwd | semmle.label | passwd |
5+
| testCryptoKit.swift:65:47:65:47 | passwd | semmle.label | passwd |
6+
| testCryptoKit.swift:71:44:71:44 | passwd | semmle.label | passwd |
7+
| testCryptoKit.swift:77:37:77:37 | passwd | semmle.label | passwd |
8+
| testCryptoKit.swift:83:37:83:37 | passwd | semmle.label | passwd |
9+
| testCryptoKit.swift:89:37:89:37 | passwd | semmle.label | passwd |
10+
| testCryptoKit.swift:98:23:98:23 | passwd | semmle.label | passwd |
11+
| testCryptoKit.swift:107:23:107:23 | passwd | semmle.label | passwd |
12+
| testCryptoKit.swift:116:23:116:23 | passwd | semmle.label | passwd |
13+
| testCryptoKit.swift:125:23:125:23 | passwd | semmle.label | passwd |
14+
| testCryptoKit.swift:134:23:134:23 | passwd | semmle.label | passwd |
15+
| testCryptoKit.swift:143:32:143:32 | passwd | semmle.label | passwd |
16+
| testCryptoKit.swift:152:32:152:32 | passwd | semmle.label | passwd |
17+
| testCryptoKit.swift:161:32:161:32 | passwd | semmle.label | passwd |
18+
| testCryptoKit.swift:170:32:170:32 | passwd | semmle.label | passwd |
19+
| testCryptoKit.swift:179:32:179:32 | passwd | semmle.label | passwd |
20+
| testCryptoKit.swift:189:49:189:49 | passwordData | semmle.label | passwordData |
21+
| testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | semmle.label | call to Data.init(_:) |
22+
| testCryptoKit.swift:193:38:193:38 | passwordString | semmle.label | passwordString |
23+
| testCryptoKit.swift:193:38:193:53 | .utf8 | semmle.label | .utf8 |
1824
| testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
1925
| testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
2026
| testCryptoSwift.swift:160:47:160:47 | passwdArray | semmle.label | passwdArray |
@@ -41,21 +47,23 @@ nodes
4147
| testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd |
4248
subpaths
4349
#select
44-
| testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | password (passwd) |
45-
| testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | password (passwd) |
46-
| testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:69:37:69:37 | passwd | password (passwd) |
47-
| testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:75:37:75:37 | passwd | password (passwd) |
48-
| testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:81:37:81:37 | passwd | password (passwd) |
49-
| testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | password (passwd) |
50-
| testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | password (passwd) |
51-
| testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:108:23:108:23 | passwd | password (passwd) |
52-
| testCryptoKit.swift:117:23:117:23 | passwd | testCryptoKit.swift:117:23:117:23 | passwd | testCryptoKit.swift:117:23:117:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:117:23:117:23 | passwd | password (passwd) |
53-
| testCryptoKit.swift:126:23:126:23 | passwd | testCryptoKit.swift:126:23:126:23 | passwd | testCryptoKit.swift:126:23:126:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:126:23:126:23 | passwd | password (passwd) |
54-
| testCryptoKit.swift:135:32:135:32 | passwd | testCryptoKit.swift:135:32:135:32 | passwd | testCryptoKit.swift:135:32:135:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:135:32:135:32 | passwd | password (passwd) |
55-
| testCryptoKit.swift:144:32:144:32 | passwd | testCryptoKit.swift:144:32:144:32 | passwd | testCryptoKit.swift:144:32:144:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:144:32:144:32 | passwd | password (passwd) |
56-
| testCryptoKit.swift:153:32:153:32 | passwd | testCryptoKit.swift:153:32:153:32 | passwd | testCryptoKit.swift:153:32:153:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:153:32:153:32 | passwd | password (passwd) |
57-
| testCryptoKit.swift:162:32:162:32 | passwd | testCryptoKit.swift:162:32:162:32 | passwd | testCryptoKit.swift:162:32:162:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:162:32:162:32 | passwd | password (passwd) |
58-
| testCryptoKit.swift:171:32:171:32 | passwd | testCryptoKit.swift:171:32:171:32 | passwd | testCryptoKit.swift:171:32:171:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:171:32:171:32 | passwd | password (passwd) |
50+
| testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | testCryptoKit.swift:65:47:65:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:65:47:65:47 | passwd | password (passwd) |
51+
| testCryptoKit.swift:71:44:71:44 | passwd | testCryptoKit.swift:71:44:71:44 | passwd | testCryptoKit.swift:71:44:71:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:71:44:71:44 | passwd | password (passwd) |
52+
| testCryptoKit.swift:77:37:77:37 | passwd | testCryptoKit.swift:77:37:77:37 | passwd | testCryptoKit.swift:77:37:77:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:77:37:77:37 | passwd | password (passwd) |
53+
| testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | testCryptoKit.swift:83:37:83:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:83:37:83:37 | passwd | password (passwd) |
54+
| testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | testCryptoKit.swift:89:37:89:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:89:37:89:37 | passwd | password (passwd) |
55+
| testCryptoKit.swift:98:23:98:23 | passwd | testCryptoKit.swift:98:23:98:23 | passwd | testCryptoKit.swift:98:23:98:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:98:23:98:23 | passwd | password (passwd) |
56+
| testCryptoKit.swift:107:23:107:23 | passwd | testCryptoKit.swift:107:23:107:23 | passwd | testCryptoKit.swift:107:23:107:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:107:23:107:23 | passwd | password (passwd) |
57+
| testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:116:23:116:23 | passwd | password (passwd) |
58+
| testCryptoKit.swift:125:23:125:23 | passwd | testCryptoKit.swift:125:23:125:23 | passwd | testCryptoKit.swift:125:23:125:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:125:23:125:23 | passwd | password (passwd) |
59+
| testCryptoKit.swift:134:23:134:23 | passwd | testCryptoKit.swift:134:23:134:23 | passwd | testCryptoKit.swift:134:23:134:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:134:23:134:23 | passwd | password (passwd) |
60+
| testCryptoKit.swift:143:32:143:32 | passwd | testCryptoKit.swift:143:32:143:32 | passwd | testCryptoKit.swift:143:32:143:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:143:32:143:32 | passwd | password (passwd) |
61+
| testCryptoKit.swift:152:32:152:32 | passwd | testCryptoKit.swift:152:32:152:32 | passwd | testCryptoKit.swift:152:32:152:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:152:32:152:32 | passwd | password (passwd) |
62+
| testCryptoKit.swift:161:32:161:32 | passwd | testCryptoKit.swift:161:32:161:32 | passwd | testCryptoKit.swift:161:32:161:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:161:32:161:32 | passwd | password (passwd) |
63+
| testCryptoKit.swift:170:32:170:32 | passwd | testCryptoKit.swift:170:32:170:32 | passwd | testCryptoKit.swift:170:32:170:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:170:32:170:32 | passwd | password (passwd) |
64+
| testCryptoKit.swift:179:32:179:32 | passwd | testCryptoKit.swift:179:32:179:32 | passwd | testCryptoKit.swift:179:32:179:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:179:32:179:32 | passwd | password (passwd) |
65+
| testCryptoKit.swift:189:49:189:49 | passwordData | testCryptoKit.swift:189:49:189:49 | passwordData | testCryptoKit.swift:189:49:189:49 | passwordData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:189:49:189:49 | passwordData | password (passwordData) |
66+
| testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | testCryptoKit.swift:193:38:193:38 | passwordString | testCryptoKit.swift:193:33:193:57 | call to Data.init(_:) | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:193:38:193:38 | passwordString | password (passwordString) |
5967
| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
6068
| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
6169
| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) |

0 commit comments

Comments
 (0)