Merge pull request #17126 from geoffw0/swiftcleartext

Swift: Improve documentation and examples that use encryption

Author: geoffw0

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.qhelp

@@ -12,7 +12,7 @@
 </recommendation>
 <example>
 
-<p>The following example shows three cases of storing information using the Core Data library. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+<p>The following example shows three cases of storing information using the Core Data library. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>
 
 <sample src="CleartextStorageDatabase.swift" />
 
@@ -23,6 +23,10 @@
   OWASP Top 10:2021:
   <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
 </li>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
 
 </references>
 </qhelp>

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.swift

@@ -1,5 +1,11 @@
+import CryptoKit
 
-func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCard
 	databaseObject.setValue(creditCardNo, forKey: "myCreditCardNo")
 
 	// GOOD: encrypted sensitive information saved
-	databaseObject.setValue(encrypt(creditCardNo), forKey: "myCreditCardNo")
+	databaseObject.setValue(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")
 
 	// ...
 }

swift/ql/src/queries/Security/CWE-311/CleartextTransmission.qhelp

@@ -12,7 +12,7 @@
 </recommendation>
 <example>
 
-<p>The following example shows three cases of transmitting information. In the 'BAD' case, the data transmitted is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+<p>The following example shows three cases of transmitting information. In the 'BAD' case, the data transmitted is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>
 
 <sample src="CleartextTransmission.swift" />
 
@@ -23,6 +23,10 @@
   OWASP Top 10:2021:
   <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
 </li>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
 
 </references>
 </qhelp>

swift/ql/src/queries/Security/CWE-311/CleartextTransmission.swift

@@ -1,5 +1,11 @@
+import CryptoKit
 
-func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo :
 	connection.send(content: creditCardNo, completion: .idempotent)
 
 	// GOOD: encrypted sensitive information saved
-	connection.send(content: encrypt(creditCardNo), completion: .idempotent)
+	connection.send(content: encrypt(creditCardNo, encryptionKey), completion: .idempotent)
 
 	// ...
 }

swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.qhelp

@@ -12,7 +12,7 @@
 </recommendation>
 <example>
 
-<p>The following example shows three cases of storing information using UserDefaults. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+<p>The following example shows three cases of storing information using UserDefaults. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>
 
 <sample src="CleartextStoragePreferences.swift" />
 
@@ -26,6 +26,10 @@
 <li>
 Apple Developer Documentation: <a href="https://developer.apple.com/documentation/foundation/userdefaults">UserDefaults</a>, <a href="https://developer.apple.com/documentation/foundation/nsubiquitouskeyvaluestore">NSUbiquitousKeyValueStore</a>
 </li>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
 
 </references>
 </qhelp>

swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.swift

@@ -1,5 +1,11 @@
+import CryptoKit
 
-func storeMyData(faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func storeMyData(faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func storeMyData(faveSong : String, creditCardNo : String) {
 	UserDefaults.standard.set(creditCardNo, forKey: "myCreditCardNo")
 
 	// GOOD: encrypted sensitive information saved
-	UserDefaults.standard.set(encrypt(creditCardNo), forKey: "myCreditCardNo")
+	UserDefaults.standard.set(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")
 
 	// ...
 }

swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.swift

@@ -6,9 +6,9 @@ func encrypt(padding : Padding) {
 	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05]
 	let keyString = "this is a constant string"
 	let ivString = getRandomIV()
-	_ = try AES(key: key, blockMode: CBC(), padding: padding)
+	_ = try AES(key: key, blockMode: CBC(AES.randomIV(AES.blockSize)), padding: padding)
 	_ = try AES(key: keyString, iv: ivString)
-	_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
+	_ = try Blowfish(key: key, blockMode: CBC(Blowfish.randomIV(Blowfish.blockSize)), padding: padding)
 	_ = try Blowfish(key: keyString, iv: ivString)
 
 
@@ -18,9 +18,9 @@ func encrypt(padding : Padding) {
 	if status == errSecSuccess {
 		let keyString = String(cString: key)
 		let ivString = getRandomIV()
-		_ = try AES(key: key, blockMode: CBC(), padding: padding)
+		_ = try AES(key: key, blockMode: CBC(AES.randomIV(AES.blockSize)), padding: padding)
 		_ = try AES(key: keyString, iv: ivString)
-		_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
+		_ = try Blowfish(key: key, blockMode: CBC(Blowfish.randomIV(Blowfish.blockSize)), padding: padding)
 		_ = try Blowfish(key: keyString, iv: ivString)
 	}
 

swift/ql/src/queries/Security/CWE-327/ECBEncryption.swift

@@ -9,10 +9,11 @@ func encrypt(key : Key, padding : Padding) {
 	_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)
 
 	// GOOD: ECB is not used for block mode
-	let blockMode = CBC()
-	_ = try AES(key: key, blockMode: blockMode, padding: padding)
-	_ = try AES(key: key, blockMode: blockMode)
-	_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)
+	let aesBlockMode = CBC(iv: AES.randomIV(AES.blockSize))
+	let blowfishBlockMode = CBC(iv: Blowfish.randomIV(Blowfish.blockSize))
+	_ = try AES(key: key, blockMode: aesBlockMode, padding: padding)
+	_ = try AES(key: key, blockMode: aesBlockMode)
+	_ = try Blowfish(key: key, blockMode: blowfishBlockMode, padding: padding)
 
 	// ...
 }