Swift: Add a test with SecKeyCopyExternalRepresentation.

geoffw0 · geoffw0 · commit 1d903c56ada2 · 2023-12-05T13:35:44.000Z
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -14,15 +14,15 @@ edges
 | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | self |
 | testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self |
 | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value |
-| testURL.swift:17:50:17:50 | passwd | testURL.swift:17:18:17:50 | ... .+(_:_:) ... |
-| testURL.swift:19:51:19:51 | account_no | testURL.swift:19:18:19:51 | ... .+(_:_:) ... |
-| testURL.swift:20:51:20:51 | credit_card_no | testURL.swift:20:18:20:51 | ... .+(_:_:) ... |
-| testURL.swift:28:51:28:51 | e_mail | testURL.swift:28:18:28:51 | ... .+(_:_:) ... |
-| testURL.swift:30:53:30:53 | a_homeaddr_z | testURL.swift:30:18:30:53 | ... .+(_:_:) ... |
-| testURL.swift:32:51:32:51 | resident_ID | testURL.swift:32:18:32:51 | ... .+(_:_:) ... |
-| testURL.swift:51:52:51:67 | call to get_secret_key() | testURL.swift:51:18:51:67 | ... .+(_:_:) ... |
-| testURL.swift:53:53:53:69 | call to get_cert_string() | testURL.swift:53:18:53:69 | ... .+(_:_:) ... |
-| testURL.swift:74:51:74:51 | certificate | testURL.swift:74:18:74:18 | "..." |
+| testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... |
+| testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... |
+| testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... |
+| testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... |
+| testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... |
+| testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... |
+| testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... |
+| testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... |
+| testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." |
 nodes
 | file://:0:0:0:0 | .value | semmle.label | .value |
 | file://:0:0:0:0 | self | semmle.label | self |
@@ -55,25 +55,25 @@ nodes
 | testSend.swift:86:7:86:7 | self | semmle.label | self |
 | testSend.swift:94:27:94:30 | .password | semmle.label | .password |
 | testSend.swift:94:27:94:39 | .value | semmle.label | .value |
-| testURL.swift:17:18:17:50 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:17:50:17:50 | passwd | semmle.label | passwd |
-| testURL.swift:19:18:19:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:19:51:19:51 | account_no | semmle.label | account_no |
-| testURL.swift:20:18:20:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:20:51:20:51 | credit_card_no | semmle.label | credit_card_no |
-| testURL.swift:24:22:24:22 | passwd | semmle.label | passwd |
-| testURL.swift:28:18:28:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:28:51:28:51 | e_mail | semmle.label | e_mail |
-| testURL.swift:30:18:30:53 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:30:53:30:53 | a_homeaddr_z | semmle.label | a_homeaddr_z |
-| testURL.swift:32:18:32:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:32:51:32:51 | resident_ID | semmle.label | resident_ID |
-| testURL.swift:51:18:51:67 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:51:52:51:67 | call to get_secret_key() | semmle.label | call to get_secret_key() |
-| testURL.swift:53:18:53:69 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:53:53:53:69 | call to get_cert_string() | semmle.label | call to get_cert_string() |
-| testURL.swift:74:18:74:18 | "..." | semmle.label | "..." |
-| testURL.swift:74:51:74:51 | certificate | semmle.label | certificate |
+| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:39:50:39:50 | passwd | semmle.label | passwd |
+| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:41:51:41:51 | account_no | semmle.label | account_no |
+| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:42:51:42:51 | credit_card_no | semmle.label | credit_card_no |
+| testURL.swift:46:22:46:22 | passwd | semmle.label | passwd |
+| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:50:51:50:51 | e_mail | semmle.label | e_mail |
+| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:52:53:52:53 | a_homeaddr_z | semmle.label | a_homeaddr_z |
+| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:54:51:54:51 | resident_ID | semmle.label | resident_ID |
+| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:73:52:73:67 | call to get_secret_key() | semmle.label | call to get_secret_key() |
+| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:75:53:75:69 | call to get_cert_string() | semmle.label | call to get_cert_string() |
+| testURL.swift:96:18:96:18 | "..." | semmle.label | "..." |
+| testURL.swift:96:51:96:51 | certificate | semmle.label | certificate |
 subpaths
 | testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
 | testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | .value | testSend.swift:94:27:94:39 | .value |
@@ -94,13 +94,13 @@ subpaths
 | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo |
 | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating |
 | testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password |
-| testURL.swift:17:18:17:50 | ... .+(_:_:) ... | testURL.swift:17:50:17:50 | passwd | testURL.swift:17:18:17:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:17:50:17:50 | passwd | passwd |
-| testURL.swift:19:18:19:51 | ... .+(_:_:) ... | testURL.swift:19:51:19:51 | account_no | testURL.swift:19:18:19:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:19:51:19:51 | account_no | account_no |
-| testURL.swift:20:18:20:51 | ... .+(_:_:) ... | testURL.swift:20:51:20:51 | credit_card_no | testURL.swift:20:18:20:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:20:51:20:51 | credit_card_no | credit_card_no |
-| testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:24:22:24:22 | passwd | passwd |
-| testURL.swift:28:18:28:51 | ... .+(_:_:) ... | testURL.swift:28:51:28:51 | e_mail | testURL.swift:28:18:28:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:28:51:28:51 | e_mail | e_mail |
-| testURL.swift:30:18:30:53 | ... .+(_:_:) ... | testURL.swift:30:53:30:53 | a_homeaddr_z | testURL.swift:30:18:30:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:30:53:30:53 | a_homeaddr_z | a_homeaddr_z |
-| testURL.swift:32:18:32:51 | ... .+(_:_:) ... | testURL.swift:32:51:32:51 | resident_ID | testURL.swift:32:18:32:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:32:51:32:51 | resident_ID | resident_ID |
-| testURL.swift:51:18:51:67 | ... .+(_:_:) ... | testURL.swift:51:52:51:67 | call to get_secret_key() | testURL.swift:51:18:51:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:51:52:51:67 | call to get_secret_key() | call to get_secret_key() |
-| testURL.swift:53:18:53:69 | ... .+(_:_:) ... | testURL.swift:53:53:53:69 | call to get_cert_string() | testURL.swift:53:18:53:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:53:53:53:69 | call to get_cert_string() | call to get_cert_string() |
-| testURL.swift:74:18:74:18 | "..." | testURL.swift:74:51:74:51 | certificate | testURL.swift:74:18:74:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:74:51:74:51 | certificate | certificate |
+| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd |
+| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no |
+| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no |
+| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd |
+| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail |
+| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z |
+| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID |
+| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() |
+| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() |
+| testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -165,13 +165,13 @@
 | testSend.swift:79:27:79:30 | .BankCardNo | label:BankCardNo, type:private information |
 | testSend.swift:80:27:80:30 | .MyCreditRating | label:MyCreditRating, type:private information |
 | testSend.swift:94:27:94:30 | .password | label:password, type:credential |
-| testURL.swift:17:50:17:50 | passwd | label:passwd, type:credential |
-| testURL.swift:19:51:19:51 | account_no | label:account_no, type:private information |
-| testURL.swift:20:51:20:51 | credit_card_no | label:credit_card_no, type:private information |
-| testURL.swift:24:22:24:22 | passwd | label:passwd, type:credential |
-| testURL.swift:28:51:28:51 | e_mail | label:e_mail, type:private information |
-| testURL.swift:30:53:30:53 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
-| testURL.swift:32:51:32:51 | resident_ID | label:resident_ID, type:private information |
-| testURL.swift:51:52:51:67 | call to get_secret_key() | label:get_secret_key, type:credential |
-| testURL.swift:53:53:53:69 | call to get_cert_string() | label:get_cert_string, type:credential |
-| testURL.swift:74:51:74:51 | certificate | label:certificate, type:credential |
+| testURL.swift:39:50:39:50 | passwd | label:passwd, type:credential |
+| testURL.swift:41:51:41:51 | account_no | label:account_no, type:private information |
+| testURL.swift:42:51:42:51 | credit_card_no | label:credit_card_no, type:private information |
+| testURL.swift:46:22:46:22 | passwd | label:passwd, type:credential |
+| testURL.swift:50:51:50:51 | e_mail | label:e_mail, type:private information |
+| testURL.swift:52:53:52:53 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
+| testURL.swift:54:51:54:51 | resident_ID | label:resident_ID, type:private information |
+| testURL.swift:73:52:73:67 | call to get_secret_key() | label:get_secret_key, type:credential |
+| testURL.swift:75:53:75:69 | call to get_cert_string() | label:get_cert_string, type:credential |
+| testURL.swift:96:51:96:51 | certificate | label:certificate, type:credential |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -7,6 +7,28 @@ struct URL
 	init?(string: String, relativeTo: URL?) {}
 }
 
+class Data {
+}
+
+extension String {
+	struct Encoding {
+		static let utf8 = Encoding()
+	}
+
+	init?(data: Data, encoding: Encoding) { self.init() }
+}
+
+class SecKey {
+}
+
+class CFData {
+}
+
+class CFError {
+}
+
+func SecKeyCopyExternalRepresentation(_ key: SecKey, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> CFData? { return nil }
+
 // --- tests ---
 
 var myString = ""
@@ -51,7 +73,7 @@ func test2() {
 	_ = URL(string: "http://example.com/login?key=" + get_secret_key()); // BAD
 	_ = URL(string: "http://example.com/login?key=" + get_key_press()); // GOOD (not sensitive)
 	_ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // BAD
-	_ = URL(string: "http://example.com/login?cert=" + get_certain()); // GOOD (not sensitive)
+	_ = URL(string: "http://example.com/login?certain=" + get_certain()); // GOOD (not sensitive)
 }
 
 func get_string() -> String { return "" }
@@ -77,3 +99,11 @@ func test3() {
 	_ = URL(string: "http://example.com/login?tok=\(auth_token)"); // BAD [NOT DETECTED]
 	_ = URL(string: "http://example.com/login?tok=\(next_token)"); // GOOD (not sensitive)
 }
+
+func test4(key: SecKey) {
+	if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data {
+		if let string = String(data: data, encoding: .utf8) {
+			_ = URL(string: "http://example.com/login?tok=\(string)"); // BAD [NOT DETECTED]
+		}
+	}
+}
