Swift: Improve the encryption in examples for swift/cleartext-* queries.

geoffw0 · geoffw0 · commit d66e407c3e5a · 2024-07-29T17:02:57.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.swift b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.swift
@@ -1,5 +1,11 @@
+import CryptoKit
 
-func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String, key: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCard
 	databaseObject.setValue(creditCardNo, forKey: "myCreditCardNo")
 
 	// GOOD: encrypted sensitive information saved
-	databaseObject.setValue(encrypt(creditCardNo), forKey: "myCreditCardNo")
+	databaseObject.setValue(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")
 
 	// ...
 }
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.swift b/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.swift
@@ -1,5 +1,11 @@
+import CryptoKit
 
-func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String, key: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo :
 	connection.send(content: creditCardNo, completion: .idempotent)
 
 	// GOOD: encrypted sensitive information saved
-	connection.send(content: encrypt(creditCardNo), completion: .idempotent)
+	connection.send(content: encrypt(creditCardNo, encryptionKey), completion: .idempotent)
 
 	// ...
 }
diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.swift b/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.swift
@@ -1,5 +1,11 @@
+import CryptoKit
 
-func storeMyData(faveSong : String, creditCardNo : String) {
+private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
+	let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
+	return sealedBox.combined!.base64EncodedString()
+}
+
+func storeMyData(faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
 	// ...
 
 	// GOOD: not sensitive information
@@ -9,7 +15,7 @@ func storeMyData(faveSong : String, creditCardNo : String) {
 	UserDefaults.standard.set(creditCardNo, forKey: "myCreditCardNo")
 
 	// GOOD: encrypted sensitive information saved
-	UserDefaults.standard.set(encrypt(creditCardNo), forKey: "myCreditCardNo")
+	UserDefaults.standard.set(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")
 
 	// ...
 }
