
Commit 5bbc61e

committed
Swift: Add a few more test cases.
1 parent 57a1bec commit 5bbc61e


1 file changed

+88
-76
lines changed


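--- a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
+++ b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -154,27 +154,34 @@ class Logic {
 func addString(_ str: String) {} // safe
 }
 
+// custom
+class MyRemoteLogger {
+func setPassword(password: String) { }
+func login(password: String) { }
+func logout(secret: String) { }
+}
+
 // --- tests ---
 
 func test1(password: String, passwordHash : String, passphrase: String, pass_phrase: String) {
-print(password) // $ hasCleartextLogging=160
-print(password, separator: "") // $ $ hasCleartextLogging=161
-print("", separator: password) // $ hasCleartextLogging=162
-print(password, separator: "", terminator: "") // $ hasCleartextLogging=163
-print("", separator: password, terminator: "") // $ hasCleartextLogging=164
-print("", separator: "", terminator: password) // $ hasCleartextLogging=165
+print(password) // $ hasCleartextLogging=167
+print(password, separator: "") // $ $ hasCleartextLogging=168
+print("", separator: password) // $ hasCleartextLogging=169
+print(password, separator: "", terminator: "") // $ hasCleartextLogging=170
+print("", separator: password, terminator: "") // $ hasCleartextLogging=171
+print("", separator: "", terminator: password) // $ hasCleartextLogging=172
 print(passwordHash) // safe
 
-debugPrint(password) // $ hasCleartextLogging=168
+debugPrint(password) // $ hasCleartextLogging=175
 
-dump(password) // $ hasCleartextLogging=170
+dump(password) // $ hasCleartextLogging=177
 
-NSLog(password) // $ hasCleartextLogging=172
-NSLog("%@", password) // $ hasCleartextLogging=173
-NSLog("%@ %@", "", password) // $ hasCleartextLogging=174
-NSLog("\(password)") // $ hasCleartextLogging=175
-NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=176
-NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=177
+NSLog(password) // $ hasCleartextLogging=179
+NSLog("%@", password) // $ hasCleartextLogging=180
+NSLog("%@ %@", "", password) // $ hasCleartextLogging=181
+NSLog("\(password)") // $ hasCleartextLogging=182
+NSLogv("%@", getVaList([password])) // $ hasCleartextLogging=183
+NSLogv("%@ %@", getVaList(["", password])) // $ hasCleartextLogging=184
 NSLog(passwordHash) // safe
 NSLogv("%@", getVaList([passwordHash])) // safe
 
@@ -184,38 +191,38 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
 log.log("\(password)") // safe
 log.log("\(password, privacy: .auto)") // safe
 log.log("\(password, privacy: .private)") // safe
-log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=187
+log.log("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=194
 log.log("\(passwordHash, privacy: .public)") // safe
 log.log("\(password, privacy: .sensitive)") // safe
-log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=190
-log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=191
+log.log("\(bankAccount)") // $ MISSING: hasCleartextLogging=197
+log.log("\(bankAccount, privacy: .auto)") // $ MISSING: hasCleartextLogging=198
 log.log("\(bankAccount, privacy: .private)") // safe
-log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=193
+log.log("\(bankAccount, privacy: .public)") // $ MISSING: hasCleartextLogging=200
 log.log("\(bankAccount, privacy: .sensitive)") // safe
-log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=195
-log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=196
+log.log(level: .default, "\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=202
+log.trace("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=203
 log.trace("\(passwordHash, privacy: .public)") // safe
-log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=198
+log.debug("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=205
 log.debug("\(passwordHash, privacy: .public)") // safe
-log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=200
+log.info("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=207
 log.info("\(passwordHash, privacy: .public)") // safe
-log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=202
+log.notice("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=209
 log.notice("\(passwordHash, privacy: .public)") // safe
-log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=204
+log.warning("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=211
 log.warning("\(passwordHash, privacy: .public)") // safe
-log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=206
+log.error("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=213
 log.error("\(passwordHash, privacy: .public)") // safe
-log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=208
+log.critical("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=215
 log.critical("\(passwordHash, privacy: .public)") // safe
-log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=210
+log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=217
 log.fault("\(passwordHash, privacy: .public)") // safe
 
-NSLog(passphrase) // $ hasCleartextLogging=213
-NSLog(pass_phrase) // $ hasCleartextLogging=214
+NSLog(passphrase) // $ hasCleartextLogging=220
+NSLog(pass_phrase) // $ hasCleartextLogging=221
 
 os_log("%@", log: .default, type: .default, "") // safe
-os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=217
-os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=218
+os_log("%@", log: .default, type: .default, password) // $ hasCleartextLogging=224
+os_log("%@ %@ %@", log: .default, type: .default, "", "", password) // $ hasCleartextLogging=225
 }
 
 class MyClass {
@@ -229,16 +236,16 @@ func doSomething(password: String) { }
 func test3(x: String) {
 // alternative evidence of sensitivity...
 
-NSLog(x) // $ MISSING: hasCleartextLogging=233
+NSLog(x) // $ MISSING: hasCleartextLogging=240
 doSomething(password: x);
-NSLog(x) // $ hasCleartextLogging=233
+NSLog(x) // $ hasCleartextLogging=240
 
 let y = getPassword();
-NSLog(y) // $ hasCleartextLogging=236
+NSLog(y) // $ hasCleartextLogging=243
 
 let z = MyClass()
 NSLog(z.harmless) // safe
-NSLog(z.password) // $ hasCleartextLogging=241
+NSLog(z.password) // $ hasCleartextLogging=248
 }
 
 struct MyOuter {
@@ -253,7 +260,7 @@ struct MyOuter {
 func test3(mo : MyOuter) {
 // struct members...
 
-NSLog(mo.password.value) // $ hasCleartextLogging=256
+NSLog(mo.password.value) // $ hasCleartextLogging=263
 NSLog(mo.harmless.value) // safe
 }
 
@@ -277,39 +284,39 @@ func test4(harmless: String, password: String) {
 print(myString1) // safe
 
 print(password, to: &myString2)
-print(myString2) // $ hasCleartextLogging=279
+print(myString2) // $ hasCleartextLogging=286
 
 print("log: " + password, to: &myString3)
-print(myString3) // $ hasCleartextLogging=282
+print(myString3) // $ hasCleartextLogging=289
 
 debugPrint(harmless, to: &myString4)
 debugPrint(myString4) // safe
 
 debugPrint(password, to: &myString5)
-debugPrint(myString5) // $ hasCleartextLogging=288
+debugPrint(myString5) // $ hasCleartextLogging=295
 
 dump(harmless, to: &myString6)
 dump(myString6) // safe
 
 dump(password, to: &myString7)
-dump(myString7) // $ hasCleartextLogging=294
+dump(myString7) // $ hasCleartextLogging=301
 
 myString8.write(harmless)
 print(myString8)
 
 myString9.write(password)
-print(myString9) // $ hasCleartextLogging=300
+print(myString9) // $ hasCleartextLogging=307
 
 myString10.write(harmless)
 myString10.write(password)
 myString10.write(harmless)
-print(myString10) // $ hasCleartextLogging=304
+print(myString10) // $ hasCleartextLogging=311
 
 harmless.write(to: &myString11)
 print(myString11)
 
 password.write(to: &myString12)
-print(myString12) // $ hasCleartextLogging=311
+print(myString12) // $ hasCleartextLogging=318
 
 print(password, to: &myString13) // $ safe - only printed to another string
 debugPrint(password, to: &myString13) // $ safe - only printed to another string
@@ -324,61 +331,66 @@ func test5(password: String, caseNum: Int) {
 
 switch caseNum {
 case 0:
-assert(false, password) // $ hasCleartextLogging=327
+assert(false, password) // $ hasCleartextLogging=334
 case 1:
-assertionFailure(password) // $ hasCleartextLogging=329
+assertionFailure(password) // $ hasCleartextLogging=336
 case 2:
-precondition(false, password) // $ hasCleartextLogging=331
+precondition(false, password) // $ hasCleartextLogging=338
 case 3:
-preconditionFailure(password) // $ hasCleartextLogging=333
+preconditionFailure(password) // $ hasCleartextLogging=340
 default:
-fatalError(password) // $ hasCleartextLogging=335
+fatalError(password) // $ hasCleartextLogging=342
 }
 }
 
 func test6(passwordString: String) {
-let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ hasCleartextLogging=340
+let e = NSException(name: NSExceptionName("exception"), reason: "\(passwordString) is incorrect!", userInfo: nil) // $ hasCleartextLogging=347
 e.raise()
 
-NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ hasCleartextLogging=343
-NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ hasCleartextLogging=344
+NSException.raise(NSExceptionName("exception"), format: "\(passwordString) is incorrect!", arguments: getVaList([])) // $ hasCleartextLogging=350
+NSException.raise(NSExceptionName("exception"), format: "%s is incorrect!", arguments: getVaList([passwordString])) // $ hasCleartextLogging=351
 
-_ = dprintf(0, "\(passwordString) is incorrect!") // $ hasCleartextLogging=346
-_ = dprintf(0, "%s is incorrect!", passwordString) // $ hasCleartextLogging=347
-_ = dprintf(0, "%s: %s is incorrect!", "foo", passwordString) // $ hasCleartextLogging=348
-_ = vprintf("\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=349
-_ = vprintf("%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=350
-_ = vfprintf(nil, "\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=351
-_ = vfprintf(nil, "%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=352
+_ = dprintf(0, "\(passwordString) is incorrect!") // $ hasCleartextLogging=353
+_ = dprintf(0, "%s is incorrect!", passwordString) // $ hasCleartextLogging=354
+_ = dprintf(0, "%s: %s is incorrect!", "foo", passwordString) // $ hasCleartextLogging=355
+_ = vprintf("\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=356
+_ = vprintf("%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=357
+_ = vfprintf(nil, "\(passwordString) is incorrect!", getVaList([])) // $ hasCleartextLogging=358
+_ = vfprintf(nil, "%s is incorrect!", getVaList([passwordString])) // $ hasCleartextLogging=359
 _ = vasprintf_l(nil, nil, "\(passwordString) is incorrect!", getVaList([])) // good (`sprintf` is not logging)
 _ = vasprintf_l(nil, nil, "%s is incorrect!", getVaList([passwordString])) // good (`sprintf` is not logging)
 }
 
-func test7(authKey: String, authKey2: Int, authKey3: Float) {
-log(message: authKey) // $ hasCleartextLogging=358
-log(message: String(authKey2)) // $ hasCleartextLogging=359
-logging(message: authKey) // $ hasCleartextLogging=360
-logfile(file: 0, message: authKey) // $ hasCleartextLogging=361
-logMessage(NSString(string: authKey)) // $ hasCleartextLogging=362
-logInfo(authKey) // $ MISSING: hasCleartextLogging=363
-logError(errorMsg: authKey) // $ hasCleartextLogging=364
+func test7(authKey: String, authKey2: Int, authKey3: Float, password: String, secret: String) {
+log(message: authKey) // $ hasCleartextLogging=365
+log(message: String(authKey2)) // $ hasCleartextLogging=366
+logging(message: authKey) // $ hasCleartextLogging=367
+logfile(file: 0, message: authKey) // $ hasCleartextLogging=368
+logMessage(NSString(string: authKey)) // $ hasCleartextLogging=369
+logInfo(authKey) // $ MISSING: hasCleartextLogging=370
+logError(errorMsg: authKey) // $ hasCleartextLogging=371
 harmless(authKey) // GOOD: not logging
 _ = logarithm(authKey3) // GOOD: not logging
 doLogin(login: authKey) // GOOD: not logging
 
 let logger = LogFile()
 let msg = "authKey: " + authKey
-logger.log(msg) // $ hasCleartextLogging=370
-logger.trace(msg) // $ hasCleartextLogging=370
-logger.debug(msg) // $ hasCleartextLogging=370
-logger.info(NSString(string: msg)) // $ hasCleartextLogging=370
-logger.notice(msg) // $ hasCleartextLogging=370
-logger.warning(msg) // $ hasCleartextLogging=370
-logger.error(msg) // $ hasCleartextLogging=370
-logger.critical(msg) // $ hasCleartextLogging=370
-logger.fatal(msg) // $ hasCleartextLogging=370
+logger.log(msg) // $ hasCleartextLogging=377
+logger.trace(msg) // $ hasCleartextLogging=377
+logger.debug(msg) // $ hasCleartextLogging=377
+logger.info(NSString(string: msg)) // $ hasCleartextLogging=377
+logger.notice(msg) // $ hasCleartextLogging=377
+logger.warning(msg) // $ hasCleartextLogging=377
+logger.error(msg) // $ hasCleartextLogging=377
+logger.critical(msg) // $ hasCleartextLogging=377
+logger.fatal(msg) // $ hasCleartextLogging=377
 
 let logic = Logic()
 logic.addInt(authKey2) // GOOD: not logging
-logic.addString(authKey) // $ SPURIOUS: hasCleartextLogging=383 (not logging)
+logic.addString(authKey) // $ SPURIOUS: hasCleartextLogging=390 (not logging)
+
+let rlogger = MyRemoteLogger()
+rlogger.setPassword(password: password) // $ SPURIOUS: hasCleartextLogging=393 (not logging)
+rlogger.login(password: password) // $ SPURIOUS: hasCleartextLogging=394 (not logging)
+rlogger.logout(secret: secret) // $ SPURIOUS: hasCleartextLogging=395 (not logging)
 }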
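Review bot: The three new `MyRemoteLogger` calls at new lines 393–395 of the last hunk are all marked SPURIOUS, but the class gets no true-positive companion, so a later fix that silences them by excluding `login`/`logout`/`setPassword` — or by excluding `*Logger` receivers altogether — would not be caught if it also dropped a genuine sink on the same type. Consider adding `func logMessage(_ msg: String) { }` to `MyRemoteLogger` and `rlogger.logMessage(password) // $ hasCleartextLogging=<line>` beside the spurious cases, mirroring the `LogFile` cases a few lines above. The `// custom` header on the class does not say why these names are expected to be false positives; a comment such as `// custom logger whose login/logout/setPassword methods are not logging sinks, despite the "log"/"Logger" names` would record the intent for whoever later tunes the query (the name-based heuristic is an inference here, not visible in this file). Both `MyRemoteLogger` and `test7` begin and end inside the hunk.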
