Swift: Update swift/summary/query-sinks.

geoffw0 · geoffw0 · commit 363ec0a91787 · 2023-12-14T20:22:36.000Z
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
@@ -13,7 +13,7 @@ import codeql.swift.security.WeakPasswordHashingExtensions
  * A taint tracking configuration from password expressions to inappropriate
  * hashing sinks.
  */
-module WeakHashingPasswordConfig implements DataFlow::ConfigSig {
+module WeakPasswordHashingConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     exists(SensitiveExpr se |
       node.asExpr() = se and
@@ -40,4 +40,4 @@ module WeakHashingPasswordConfig implements DataFlow::ConfigSig {
   }
 }
 
-module WeakHashingFlow = TaintTracking::Global<WeakHashingPasswordConfig>;
+module WeakPasswordHashingFlow = TaintTracking::Global<WeakPasswordHashingConfig>;
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql b/swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql
@@ -14,11 +14,11 @@
 
 import swift
 import codeql.swift.security.WeakPasswordHashingQuery
-import WeakHashingFlow::PathGraph
+import WeakPasswordHashingFlow::PathGraph
 
-from WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm
+from WeakPasswordHashingFlow::PathNode source, WeakPasswordHashingFlow::PathNode sink, string algorithm
 where
-  WeakHashingFlow::flowPath(source, sink) and
+WeakPasswordHashingFlow::flowPath(source, sink) and
   algorithm = sink.getNode().(WeakPasswordHashingSink).getAlgorithm()
 select sink.getNode(), source, sink,
   "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),
diff --git a/swift/ql/src/queries/Summary/QuerySinks.ql b/swift/ql/src/queries/Summary/QuerySinks.ql
@@ -30,7 +30,8 @@ import codeql.swift.security.CleartextLoggingQuery
 import codeql.swift.security.CleartextStoragePreferencesQuery
 import codeql.swift.security.HardcodedEncryptionKeyQuery
 import codeql.swift.security.ECBEncryptionQuery
-import codeql.swift.security.WeakSensitiveDataHashingQuery
+import codeql.swift.security.WeakSensitiveDataHashingQuery as WeakSensitiveDataHashingQuery
+import codeql.swift.security.WeakPasswordHashingQuery as WeakPasswordHashingQuery
 import codeql.swift.security.XXEQuery
 import codeql.swift.security.InsecureTLSQuery
 import codeql.swift.security.ConstantSaltQuery
@@ -65,7 +66,9 @@ string queryForSink(DataFlow::Node sink) {
   or
   EcbEncryptionConfig::isSink(sink) and result = "swift/ecb-encryption"
   or
-  WeakHashingConfig::isSink(sink) and result = "swift/weak-sensitive-data-hashing"
+  WeakSensitiveDataHashingQuery::WeakSensitiveDataHashingConfig::isSink(sink) and result = "swift/weak-sensitive-data-hashing"
+  or
+  WeakPasswordHashingQuery::WeakPasswordHashingConfig::isSink(sink) and result = "swift/weak-password-hashing"
   or
   XxeConfig::isSink(sink) and result = "swift/xxe"
   or

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import codeql.swift.security.WeakPasswordHashingExtensions`
`13`	`13`	`* A taint tracking configuration from password expressions to inappropriate`
`14`	`14`	`* hashing sinks.`
`15`	`15`	`*/`
`16`		`-module WeakHashingPasswordConfig implements DataFlow::ConfigSig {`
	`16`	`+module WeakPasswordHashingConfig implements DataFlow::ConfigSig {`
`17`	`17`	`predicate isSource(DataFlow::Node node) {`
`18`	`18`	`exists(SensitiveExpr se \|`
`19`	`19`	`node.asExpr() = se and`
`@@ -40,4 +40,4 @@ module WeakHashingPasswordConfig implements DataFlow::ConfigSig {`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
`43`		`-module WeakHashingFlow = TaintTracking::Global<WeakHashingPasswordConfig>;`
	`43`	`+module WeakPasswordHashingFlow = TaintTracking::Global<WeakPasswordHashingConfig>;`