Swift: Add models for SQLite.swift.

geoffw0 · geoffw0 · commit 691665fca818 · 2023-10-06T18:26:19.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll
@@ -76,6 +76,11 @@ private class EncryptionKeySinks extends SinkModelCsv {
         ";;false;sqlite3_rekey(_:_:_:);;;Argument[1];encryption-key",
         ";;false;sqlite3_key_v2(_:_:_:_:);;;Argument[2];encryption-key",
         ";;false;sqlite3_rekey_v2(_:_:_:_:);;;Argument[2];encryption-key",
+        // SQLite.swift
+        ";Connection;true;key(_:db:);;;Argument[0];encryption-key",
+        ";Connection;true;keyAndMigrate(_:db:);;;Argument[0];encryption-key",
+        ";Connection;true;rekey(_:db:);;;Argument[0];encryption-key",
+        ";Connection;true;sqlcipher_export(_:key:);;;Argument[1];encryption-key",
       ]
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected b/swift/ql/test/query-tests/Security/CWE-321/HardcodedEncryptionKey.expected
@@ -52,6 +52,10 @@ edges
 | rncryptor.swift:60:19:60:38 | call to Data.init(_:) | rncryptor.swift:83:92:83:92 | myConstKey |
 | rncryptor.swift:60:24:60:24 | abcdef123456 | rncryptor.swift:60:19:60:38 | call to Data.init(_:) |
 nodes
+| SQLite.swift:43:13:43:13 | hardcoded_key | semmle.label | hardcoded_key |
+| SQLite.swift:45:23:45:23 | hardcoded_key | semmle.label | hardcoded_key |
+| SQLite.swift:47:15:47:15 | hardcoded_key | semmle.label | hardcoded_key |
+| SQLite.swift:49:79:49:79 | hardcoded_key | semmle.label | hardcoded_key |
 | cryptoswift.swift:76:3:76:3 | this string is constant | semmle.label | this string is constant |
 | cryptoswift.swift:90:26:90:121 | [...] | semmle.label | [...] |
 | cryptoswift.swift:92:18:92:36 | call to getConstantString() | semmle.label | call to getConstantString() |
@@ -111,6 +115,10 @@ subpaths
 | misc.swift:57:41:57:41 | myConstKey | misc.swift:30:7:30:7 | value | file://:0:0:0:0 | [post] self | misc.swift:57:2:57:18 | [post] getter for .config |
 | misc.swift:57:41:57:41 | myConstKey | misc.swift:30:7:30:7 | value | file://:0:0:0:0 | [post] self [encryptionKey] | misc.swift:57:2:57:18 | [post] getter for .config [encryptionKey] |
 #select
+| SQLite.swift:43:13:43:13 | hardcoded_key | SQLite.swift:43:13:43:13 | hardcoded_key | SQLite.swift:43:13:43:13 | hardcoded_key | The key 'hardcoded_key' has been initialized with hard-coded values from $@. | SQLite.swift:43:13:43:13 | hardcoded_key | hardcoded_key |
+| SQLite.swift:45:23:45:23 | hardcoded_key | SQLite.swift:45:23:45:23 | hardcoded_key | SQLite.swift:45:23:45:23 | hardcoded_key | The key 'hardcoded_key' has been initialized with hard-coded values from $@. | SQLite.swift:45:23:45:23 | hardcoded_key | hardcoded_key |
+| SQLite.swift:47:15:47:15 | hardcoded_key | SQLite.swift:47:15:47:15 | hardcoded_key | SQLite.swift:47:15:47:15 | hardcoded_key | The key 'hardcoded_key' has been initialized with hard-coded values from $@. | SQLite.swift:47:15:47:15 | hardcoded_key | hardcoded_key |
+| SQLite.swift:49:79:49:79 | hardcoded_key | SQLite.swift:49:79:49:79 | hardcoded_key | SQLite.swift:49:79:49:79 | hardcoded_key | The key 'hardcoded_key' has been initialized with hard-coded values from $@. | SQLite.swift:49:79:49:79 | hardcoded_key | hardcoded_key |
 | cryptoswift.swift:108:21:108:21 | keyString | cryptoswift.swift:76:3:76:3 | this string is constant | cryptoswift.swift:108:21:108:21 | keyString | The key 'keyString' has been initialized with hard-coded values from $@. | cryptoswift.swift:76:3:76:3 | this string is constant | this string is constant |
 | cryptoswift.swift:109:21:109:21 | keyString | cryptoswift.swift:76:3:76:3 | this string is constant | cryptoswift.swift:109:21:109:21 | keyString | The key 'keyString' has been initialized with hard-coded values from $@. | cryptoswift.swift:76:3:76:3 | this string is constant | this string is constant |
 | cryptoswift.swift:117:22:117:22 | key | cryptoswift.swift:90:26:90:121 | [...] | cryptoswift.swift:117:22:117:22 | key | The key 'key' has been initialized with hard-coded values from $@. | cryptoswift.swift:90:26:90:121 | [...] | [...] |
diff --git a/swift/ql/test/query-tests/Security/CWE-321/SQLite.swift b/swift/ql/test/query-tests/Security/CWE-321/SQLite.swift
@@ -40,13 +40,13 @@ func test_sqlite_swift_api(dbPath: String, goodKey: String, goodArray: [UInt8])
 	// methods taking a string key
 
 	try db.key(goodKey)
-	try db.key("hardcoded_key") // BAD [NOT DETECTED]
+	try db.key("hardcoded_key") // BAD
 	try db.keyAndMigrate(goodKey)
-	try db.keyAndMigrate("hardcoded_key") // BAD [NOT DETECTED]
+	try db.keyAndMigrate("hardcoded_key") // BAD
 	try db.rekey(goodKey)
-	try db.rekey("hardcoded_key") // BAD [NOT DETECTED]
+	try db.rekey("hardcoded_key") // BAD
 	try db.sqlcipher_export(Connection.Location.uri("encryptedDb.sqlite3"), key: goodKey)
-	try db.sqlcipher_export(Connection.Location.uri("encryptedDb.sqlite3"), key: "hardcoded_key") // BAD [NOT DETECTED]
+	try db.sqlcipher_export(Connection.Location.uri("encryptedDb.sqlite3"), key: "hardcoded_key") // BAD
 
 	// Blob variant
 

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,11 @@ private class EncryptionKeySinks extends SinkModelCsv {`
`76`	`76`	`";;false;sqlite3_rekey(_:_:_:);;;Argument[1];encryption-key",`
`77`	`77`	`";;false;sqlite3_key_v2(_:_:_:_:);;;Argument[2];encryption-key",`
`78`	`78`	`";;false;sqlite3_rekey_v2(_:_:_:_:);;;Argument[2];encryption-key",`
	`79`	`+ // SQLite.swift`
	`80`	`+ ";Connection;true;key(_:db:);;;Argument[0];encryption-key",`
	`81`	`+ ";Connection;true;keyAndMigrate(_:db:);;;Argument[0];encryption-key",`
	`82`	`+ ";Connection;true;rekey(_:db:);;;Argument[0];encryption-key",`
	`83`	`+ ";Connection;true;sqlcipher_export(_:key:);;;Argument[1];encryption-key",`
`79`	`84`	`]`
`80`	`85`	`}`
`81`	`86`	`}`