Swift: Add more heuristic expressions.

Author: geoffw0

swift/ql/lib/codeql/swift/security/SensitiveExprs.qll

@@ -35,7 +35,7 @@ class SensitiveCredential extends SensitiveDataType, TCredential {
       result = HeuristicNames::maybeSensitiveRegexp(classification)
     )
     or
-    result = "(?is).*(account|accnt|license).?(id|key).*"
+    result = "(?is).*((account|accnt|license).?(id|key)|one.?time.?code|pass.?phrase).*"
   }
 }
 
@@ -50,21 +50,27 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
       "(?is).*(" +
         // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
         // Government identifiers, such as Social Security Numbers
-        "social.?security|national.?insurance|" +
+        "social.?security|employer.?identification|national.?insurance|resident.?id|" +
+        "passport.?(num|no)|" +
         // Contact information, such as home addresses
-        "post.?code|zip.?code|home.?address|" +
+        "post.?code|zip.?code|home.?addr|" +
         // and telephone numbers
-        "(mob(ile)?|home).?(num|no|tel|phone)|(tel|fax).?(num|no)|telephone|" +
+        "(mob(ile)?|home).?(num|no|tel|phone)|(tel|fax).?(num|no|phone)|" +
+        "emergency.?contact|" +
         // Geographic location - where the user is (or was)
-        "latitude|longitude|" +
+        "latitude|longitude|nationality|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "credit.?card|debit.?card|salary|bank.?account|acc(ou)?nt.?(no|num)|" +
+        "(credit|debit|bank|visa).?(card|num|no|acc(ou?)nt)|acc(ou)?nt.?(no|num|credit)|" +
+        "salary|billing|credit.?(rating|score)|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
-        "email|" +
+        "e.?mail|" +
         // Health - medical conditions, insurance status, prescription records
-        "birthday|birth.?date|date.?of.?birth|medical|" +
+        "birth.?(date|day)|(date|day).?(of.?)?birth|" +
+        "medical|(health|care).?plan|healthkit|appointment|prescription|" +
+        "blood.?(type|alcohol|glucose|pressure)|heart.?(rate|rhythm)|body.?(mass|fat)|" +
+        "menstrua|pregnan|insulin|inhaler|" +
         // Relationships - work and family
-        "employer|spouse" +
+        "employer|employee|spouse|maiden.?name" +
         // ---
         ").*"
   }

swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected

@@ -15,6 +15,9 @@ edges
 | testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... |
 | testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... |
 | testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... |
+| testURL.swift:28:55:28:55 | e_mail | testURL.swift:28:22:28:55 | ... .+(_:_:) ... |
+| testURL.swift:30:57:30:57 | a_homeaddr_z | testURL.swift:30:22:30:57 | ... .+(_:_:) ... |
+| testURL.swift:32:55:32:55 | resident_ID | testURL.swift:32:22:32:55 | ... .+(_:_:) ... |
 nodes
 | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | semmle.label | [summary] to write: return (return) in Data.init(_:) |
 | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
@@ -40,13 +43,23 @@ nodes
 | testSend.swift:71:27:71:27 | license_key | semmle.label | license_key |
 | testSend.swift:72:27:72:30 | .mobileNumber | semmle.label | .mobileNumber |
 | testSend.swift:76:27:76:30 | .Telephone | semmle.label | .Telephone |
+| testSend.swift:77:27:77:30 | .birth_day | semmle.label | .birth_day |
+| testSend.swift:78:27:78:30 | .CarePlanID | semmle.label | .CarePlanID |
+| testSend.swift:79:27:79:30 | .BankCardNo | semmle.label | .BankCardNo |
+| testSend.swift:80:27:80:30 | .MyCreditRating | semmle.label | .MyCreditRating |
 | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:17:54:17:54 | passwd | semmle.label | passwd |
 | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:19:55:19:55 | account_no | semmle.label | account_no |
 | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:20:55:20:55 | credit_card_no | semmle.label | credit_card_no |
 | testURL.swift:24:22:24:22 | passwd | semmle.label | passwd |
+| testURL.swift:28:22:28:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:28:55:28:55 | e_mail | semmle.label | e_mail |
+| testURL.swift:30:22:30:57 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:30:57:30:57 | a_homeaddr_z | semmle.label | a_homeaddr_z |
+| testURL.swift:32:22:32:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:32:55:32:55 | resident_ID | semmle.label | resident_ID |
 subpaths
 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | testSend.swift:33:14:33:32 | call to Data.init(_:) |
 | testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
@@ -62,7 +75,14 @@ subpaths
 | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key |
 | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber |
 | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone |
+| testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | testSend.swift:77:27:77:30 | .birth_day | This operation transmits '.birth_day', which may contain unencrypted sensitive data from $@. | testSend.swift:77:27:77:30 | .birth_day | .birth_day |
+| testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | testSend.swift:78:27:78:30 | .CarePlanID | This operation transmits '.CarePlanID', which may contain unencrypted sensitive data from $@. | testSend.swift:78:27:78:30 | .CarePlanID | .CarePlanID |
+| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo |
+| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating |
 | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:17:54:17:54 | passwd | passwd |
 | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:19:55:19:55 | account_no | account_no |
 | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:20:55:20:55 | credit_card_no | credit_card_no |
 | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:24:22:24:22 | passwd | passwd |
+| testURL.swift:28:22:28:55 | ... .+(_:_:) ... | testURL.swift:28:55:28:55 | e_mail | testURL.swift:28:22:28:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:28:55:28:55 | e_mail | e_mail |
+| testURL.swift:30:22:30:57 | ... .+(_:_:) ... | testURL.swift:30:57:30:57 | a_homeaddr_z | testURL.swift:30:22:30:57 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:30:57:30:57 | a_homeaddr_z | a_homeaddr_z |
+| testURL.swift:32:22:32:55 | ... .+(_:_:) ... | testURL.swift:32:55:32:55 | resident_ID | testURL.swift:32:22:32:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:32:55:32:55 | resident_ID | resident_ID |

swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected

@@ -129,7 +129,14 @@
 | testSend.swift:72:27:72:30 | .mobileNumber | label:mobileNumber, type:private information |
 | testSend.swift:75:27:75:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
 | testSend.swift:76:27:76:30 | .Telephone | label:Telephone, type:private information |
+| testSend.swift:77:27:77:30 | .birth_day | label:birth_day, type:private information |
+| testSend.swift:78:27:78:30 | .CarePlanID | label:CarePlanID, type:private information |
+| testSend.swift:79:27:79:30 | .BankCardNo | label:BankCardNo, type:private information |
+| testSend.swift:80:27:80:30 | .MyCreditRating | label:MyCreditRating, type:private information |
 | testURL.swift:17:54:17:54 | passwd | label:passwd, type:credential |
 | testURL.swift:19:55:19:55 | account_no | label:account_no, type:private information |
 | testURL.swift:20:55:20:55 | credit_card_no | label:credit_card_no, type:private information |
 | testURL.swift:24:22:24:22 | passwd | label:passwd, type:credential |
+| testURL.swift:28:55:28:55 | e_mail | label:e_mail, type:private information |
+| testURL.swift:30:57:30:57 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
+| testURL.swift:32:55:32:55 | resident_ID | label:resident_ID, type:private information |

swift/ql/test/query-tests/Security/CWE-311/testSend.swift

@@ -74,9 +74,9 @@ func test2(password : String, license_key: String, ms: MyStruct, connection : NW
 	connection.send(content: ms.mobilePlayer, completion: .idempotent) // GOOD (not sensitive)
 	connection.send(content: ms.passwordFeatureEnabled, completion: .idempotent) // GOOD (not sensitive)
 	connection.send(content: ms.Telephone, completion: .idempotent) // BAD
-	connection.send(content: ms.birth_day, completion: .idempotent) // BAD [NOT DETECTED]
-	connection.send(content: ms.CarePlanID, completion: .idempotent) // BAD [NOT DETECTED]
-	connection.send(content: ms.BankCardNo, completion: .idempotent) // BAD [NOT DETECTED]
-	connection.send(content: ms.MyCreditRating, completion: .idempotent) // BAD [NOT DETECTED]
+	connection.send(content: ms.birth_day, completion: .idempotent) // BAD
+	connection.send(content: ms.CarePlanID, completion: .idempotent) // BAD
+	connection.send(content: ms.BankCardNo, completion: .idempotent) // BAD
+	connection.send(content: ms.MyCreditRating, completion: .idempotent) // BAD
 	connection.send(content: ms.OneTimeCode, completion: .idempotent) // BAD [NOT DETECTED]
 }

swift/ql/test/query-tests/Security/CWE-311/testURL.swift

@@ -25,9 +25,9 @@ func test1(passwd : String, encrypted_passwd : String, account_no : String, cred
 	let g = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
 
 	let e_mail = myString
-	let h = URL(string: "http://example.com/login?em=" + e_mail); // BAD [NOT DETECTED]
+	let h = URL(string: "http://example.com/login?em=" + e_mail); // BAD
 	var a_homeaddr_z = getMyString()
-	let i = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD [NOT DETECTED]
+	let i = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD
 	var resident_ID = getMyString()
-	let j = URL(string: "http://example.com/login?id=" + resident_ID); // BAD [NOT DETECTED]
+	let j = URL(string: "http://example.com/login?id=" + resident_ID); // BAD
 }

swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift

@@ -134,7 +134,7 @@ func test1(password: String, passwordHash : String, passphrase: String, pass_phr
     log.fault("\(passwordHash, privacy: .public)") // Safe
 
     NSLog(passphrase) // $ hasCleartextLogging=136
-    NSLog(pass_phrase) // $ MISSING: hasCleartextLogging=137
+    NSLog(pass_phrase) // $ hasCleartextLogging=137
 }
 
 class MyClass {