Merge pull request #11590 from atorralba/atorralba/swift/sensitive-info-logs

Swift: Add Cleartext Logging query

Author: atorralba

swift/ql/lib/codeql/swift/dataflow/ExternalFlow.qll

@@ -89,6 +89,7 @@ private module Frameworks {
   private import codeql.swift.frameworks.StandardLibrary.UrlSession
   private import codeql.swift.frameworks.StandardLibrary.WebView
   private import codeql.swift.frameworks.Alamofire.Alamofire
+  private import codeql.swift.security.CleartextLogging
   private import codeql.swift.security.PathInjection
   private import codeql.swift.security.PredicateInjection
 }

swift/ql/lib/codeql/swift/security/CleartextLogging.qll

@@ -0,0 +1,103 @@
+/** Provides classes and predicates to reason about cleartext logging of sensitive data vulnerabilities. */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.ExternalFlow
+private import codeql.swift.security.SensitiveExprs
+
+/** A data flow sink for cleartext logging of sensitive data vulnerabilities. */
+abstract class CleartextLoggingSink extends DataFlow::Node { }
+
+/** A sanitizer for cleartext logging of sensitive data vulnerabilities. */
+abstract class CleartextLoggingSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to paths related to
+ * cleartext logging of sensitive data vulnerabilities.
+ */
+class CleartextLoggingAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `n1` to `n2` should be considered a taint
+   * step for flows related to cleartext logging of sensitive data vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
+}
+
+private class DefaultCleartextLoggingSink extends CleartextLoggingSink {
+  DefaultCleartextLoggingSink() { sinkNode(this, "logging") }
+}
+
+/**
+ * A sanitizer for `OSLogMessage`s configured with the appropriate privacy option.
+ * Numeric and boolean arguments aren't redacted unless the `private` or `sensitive` options are used.
+ * Arguments of other types are always redacted unless the `public` option is used.
+ */
+private class OsLogPrivacyCleartextLoggingSanitizer extends CleartextLoggingSanitizer {
+  OsLogPrivacyCleartextLoggingSanitizer() {
+    exists(CallExpr c, AutoClosureExpr e |
+      c.getStaticTarget().getName().matches("appendInterpolation(_:%privacy:%)") and
+      c.getArgument(0).getExpr() = e and
+      this.asExpr() = e
+    |
+      e.getExpr().getType() instanceof OsLogNonRedactedType and
+      c.getArgumentWithLabel("privacy").getExpr().(OsLogPrivacyRef).isSafe()
+      or
+      not e.getExpr().getType() instanceof OsLogNonRedactedType and
+      not c.getArgumentWithLabel("privacy").getExpr().(OsLogPrivacyRef).isPublic()
+    )
+  }
+}
+
+/** A type that isn't redacted by default in an `OSLogMessage`. */
+private class OsLogNonRedactedType extends Type {
+  OsLogNonRedactedType() {
+    this.getName() = [["", "U"] + "Int" + ["", "8", "16", "32", "64"], "Double", "Float", "Bool"]
+  }
+}
+
+/** A reference to a field of `OsLogPrivacy`. */
+private class OsLogPrivacyRef extends MemberRefExpr {
+  string optionName;
+
+  OsLogPrivacyRef() {
+    exists(FieldDecl f | this.getMember() = f |
+      f.getEnclosingDecl().(NominalTypeDecl).getName() = "OSLogPrivacy" and
+      optionName = f.getName()
+    )
+  }
+
+  /** Holds if this is a safe privacy option (private or sensitive). */
+  predicate isSafe() { optionName = ["private", "sensitive"] }
+
+  /** Holds if this is a public (that is, unsafe) privacy option. */
+  predicate isPublic() { optionName = "public" }
+}
+
+private class LoggingSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";;false;print(_:separator:terminator:);;;Argument[0].ArrayElement;logging",
+        ";;false;print(_:separator:terminator:);;;Argument[1..2];logging",
+        ";;false;print(_:separator:terminator:toStream:);;;Argument[0].ArrayElement;logging",
+        ";;false;print(_:separator:terminator:toStream:);;;Argument[1..2];logging",
+        ";;false;NSLog(_:_:);;;Argument[0];logging",
+        ";;false;NSLog(_:_:);;;Argument[1].ArrayElement;logging",
+        ";;false;NSLogv(_:_:);;;Argument[0];logging",
+        ";;false;NSLogv(_:_:);;;Argument[1].ArrayElement;logging",
+        ";;false;vfprintf(_:_:_:);;;Agument[1..2];logging",
+        ";Logger;true;log(_:);;;Argument[0];logging",
+        ";Logger;true;log(level:_:);;;Argument[1];logging",
+        ";Logger;true;trace(_:);;;Argument[1];logging",
+        ";Logger;true;debug(_:);;;Argument[1];logging",
+        ";Logger;true;info(_:);;;Argument[1];logging",
+        ";Logger;true;notice(_:);;;Argument[1];logging",
+        ";Logger;true;warning(_:);;;Argument[1];logging",
+        ";Logger;true;error(_:);;;Argument[1];logging",
+        ";Logger;true;critical(_:);;;Argument[1];logging",
+        ";Logger;true;fault(_:);;;Argument[1];logging",
+      ]
+  }
+}

swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cleartext logging of
+ * sensitive data vulnerabilities.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.TaintTracking
+private import codeql.swift.security.CleartextLogging
+private import codeql.swift.security.SensitiveExprs
+
+/**
+ * A taint-tracking configuration for cleartext logging of sensitive data vulnerabilities.
+ */
+class CleartextLoggingConfiguration extends TaintTracking::Configuration {
+  CleartextLoggingConfiguration() { this = "CleartextLoggingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CleartextLoggingSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof CleartextLoggingSanitizer
+  }
+
+  // Disregard paths that contain other paths. This helps with performance.
+  override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
+  }
+}

swift/ql/src/queries/Security/CWE-312/CleartextLogging.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Attackers could gain access to sensitive information that is logged unencrypted.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Always make sure to encrypt or obfuscate sensitive information before you log it.
+</p>
+
+<p>
+Generally, you should decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.
+</p>
+
+<p>
+Be aware that external processes often store the standard output and
+standard error streams of the application. This will include logged sensitive information.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example code logs user credentials (in this case, their password)
+in plaintext:
+</p>
+<sample src="CleartextLoggingBad.swift"/>
+<p>
+Instead, you should encrypt or obfuscate the credentials, or omit them entirely:
+</p>
+<sample src="CleartextLoggingGood.swift"/>
+</example>
+
+<references>
+
+<li>M. Dowd, J. McDonald and J. Schuhm, <i>The Art of Software Security Assessment</i>, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.</li>
+<li>M. Howard and D. LeBlanc, <i>Writing Secure Code</i>, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.</li>
+<li>OWASP: <a href="https://www.owasp.org/index.php/Password_Plaintext_Storage">Password Plaintext Storage</a>.</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Cleartext logging of sensitive information
+ * @description Logging sensitive information in plaintext can
+ *              expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/clear-text-logging
+ * @tags security
+ *       external/cwe/cwe-312
+ *       external/cwe/cwe-359
+ *       external/cwe/cwe-532
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.CleartextLoggingQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode src, DataFlow::PathNode sink
+where any(CleartextLoggingConfiguration c).hasFlowPath(src, sink)
+select sink.getNode(), src, sink, "This $@ is written to a log file.", src.getNode(),
+  "potentially sensitive information"

swift/ql/src/queries/Security/CWE-312/CleartextLoggingBad.swift

@@ -0,0 +1,2 @@
+let password = "P@ssw0rd"
+NSLog("User password changed to \(password)")

swift/ql/src/queries/Security/CWE-312/CleartextLoggingGood.swift

@@ -0,0 +1,2 @@
+let password = "P@ssw0rd"
+NSLog("User password changed")

swift/ql/test/query-tests/Security/CWE-312/CleartextLoggingTest.expected

@@ -0,0 +1,24 @@
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.security.CleartextLoggingQuery
+import TestUtilities.InlineExpectationsTest
+
+class CleartextLogging extends InlineExpectationsTest {
+  CleartextLogging() { this = "CleartextLogging" }
+
+  override string getARelevantTag() { result = "hasCleartextLogging" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(
+      CleartextLoggingConfiguration config, DataFlow::Node source, DataFlow::Node sink,
+      Expr sinkExpr
+    |
+      config.hasFlow(source, sink) and
+      sinkExpr = sink.asExpr() and
+      location = sinkExpr.getLocation() and
+      element = sinkExpr.toString() and
+      tag = "hasCleartextLogging" and
+      value = source.asExpr().getLocation().getStartLine().toString()
+    )
+  }
+}