Swift: Model SecKeyCopyExternalRepresentation as an explicit sensitive data source.

geoffw0 · geoffw0 · commit 509503111087 · 2023-12-05T13:35:44.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Security.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Security.qll
@@ -0,0 +1,13 @@
+/**
+ * Provides models for standard library Swift classses related to security
+ * (certificate, key and trust services).
+ */
+
+import swift
+private import codeql.swift.dataflow.ExternalFlow
+
+private class SensitiveSources extends SourceModelCsv {
+  override predicate row(string row) {
+    row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-credential"
+  }
+}
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
@@ -19,6 +19,7 @@ private import NsUrl
 private import Numeric
 private import RawRepresentable
 private import PointerTypes
+private import Security
 private import Sequence
 private import Set
 private import Stream
diff --git a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -6,6 +6,8 @@
 
 import swift
 import internal.SensitiveDataHeuristics
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
 
 private newtype TSensitiveDataType =
   TCredential() or
@@ -172,6 +174,18 @@ class SensitiveExpr extends Expr {
     ) and
     // do not mark as sensitive it if it is probably safe
     not label.regexpMatch(regexpProbablySafe())
+    or
+    (
+      // modelled sensitive credential
+      sourceNode(DataFlow::exprNode(this), "sensitive-credential") and
+      sensitiveType = TCredential() and
+      label = "credential"
+      or
+      // modelled sensitive private information
+      sourceNode(DataFlow::exprNode(this), "sensitive-private-info") and
+      sensitiveType = TPrivateInfo() and
+      label = "private information"
+    )
   }
 
   /**
diff --git a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -23,6 +23,11 @@ edges
 | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... |
 | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... |
 | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." |
+| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:105:32:105:32 | data |
+| testURL.swift:105:6:105:10 | let ...? [some:0] | testURL.swift:105:10:105:10 | string |
+| testURL.swift:105:10:105:10 | string | testURL.swift:106:20:106:20 | "..." |
+| testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | testURL.swift:105:6:105:10 | let ...? [some:0] |
+| testURL.swift:105:32:105:32 | data | testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] |
 nodes
 | file://:0:0:0:0 | .value | semmle.label | .value |
 | file://:0:0:0:0 | self | semmle.label | self |
@@ -74,6 +79,12 @@ nodes
 | testURL.swift:75:53:75:69 | call to get_cert_string() | semmle.label | call to get_cert_string() |
 | testURL.swift:96:18:96:18 | "..." | semmle.label | "..." |
 | testURL.swift:96:51:96:51 | certificate | semmle.label | certificate |
+| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | semmle.label | call to SecKeyCopyExternalRepresentation(_:_:) |
+| testURL.swift:105:6:105:10 | let ...? [some:0] | semmle.label | let ...? [some:0] |
+| testURL.swift:105:10:105:10 | string | semmle.label | string |
+| testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | semmle.label | call to String.init(data:encoding:) [some:0] |
+| testURL.swift:105:32:105:32 | data | semmle.label | data |
+| testURL.swift:106:20:106:20 | "..." | semmle.label | "..." |
 subpaths
 | testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
 | testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | .value | testSend.swift:94:27:94:39 | .value |
@@ -104,3 +115,4 @@ subpaths
 | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() |
 | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() |
 | testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate |
+| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -175,3 +175,4 @@
 | testURL.swift:73:52:73:67 | call to get_secret_key() | label:get_secret_key, type:credential |
 | testURL.swift:75:53:75:69 | call to get_cert_string() | label:get_cert_string, type:credential |
 | testURL.swift:96:51:96:51 | certificate | label:certificate, type:credential |
+| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | label:credential, type:credential |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -103,7 +103,7 @@ func test3() {
 func test4(key: SecKey) {
 	if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data {
 		if let string = String(data: data, encoding: .utf8) {
-			_ = URL(string: "http://example.com/login?tok=\(string)"); // BAD [NOT DETECTED]
+			_ = URL(string: "http://example.com/login?tok=\(string)"); // BAD
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ func test3() {`
`103`	`103`	`func test4(key: SecKey) {`
`104`	`104`	`if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data {`
`105`	`105`	`if let string = String(data: data, encoding: .utf8) {`
`106`		`- _ = URL(string: "http://example.com/login?tok=\(string)"); // BAD [NOT DETECTED]`
	`106`	`+ _ = URL(string: "http://example.com/login?tok=\(string)"); // BAD`
`107`	`107`	`}`
`108`	`108`	`}`
`109`	`109`	`}`