Merge pull request github#12794 from geoffw0/modernsec2

geoffw0 · web-flow · commit 3f8ac1a12bce · 2023-04-13T19:43:05.000+01:00
Swift: Add CSV extension points to the encryption queries.
diff --git a/swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll b/swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for constant password vulnerabilities. That is,
@@ -31,10 +32,10 @@ class ConstantPasswordAdditionalTaintStep extends Unit {
 /**
  * A password sink for the CryptoSwift library.
  */
-private class DefaultConstantPasswordSink extends ConstantPasswordSink {
-  DefaultConstantPasswordSink() {
+private class CryptoSwiftPasswordSink extends ConstantPasswordSink {
+  CryptoSwiftPasswordSink() {
     // `password` arg in `init` is a sink
-    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+    exists(NominalTypeDecl c, ConstructorDecl f, CallExpr call |
       c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
@@ -49,8 +50,12 @@ private class DefaultConstantPasswordSink extends ConstantPasswordSink {
 private class RnCryptorPasswordSink extends ConstantPasswordSink {
   RnCryptorPasswordSink() {
     // RNCryptor (labelled arguments)
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+    exists(NominalTypeDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() =
+        [
+          "RNCryptor", "RNEncryptor", "RNDecryptor", "RNCryptor.EncryptorV3",
+          "RNCryptor.DecryptorV3"
+        ] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["password", "withPassword", "forPassword"]).getExpr() =
@@ -65,3 +70,10 @@ private class RnCryptorPasswordSink extends ConstantPasswordSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultPasswordSink extends ConstantPasswordSink {
+  DefaultPasswordSink() { sinkNode(this, "encryption-password") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll b/swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for constant salt vulnerabilities. That is,
@@ -34,7 +35,7 @@ class ConstantSaltAdditionalTaintStep extends Unit {
 private class CryptoSwiftSaltSink extends ConstantSaltSink {
   CryptoSwiftSaltSink() {
     // `salt` arg in `init` is a sink
-    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+    exists(NominalTypeDecl c, ConstructorDecl f, CallExpr call |
       c.getName() = ["HKDF", "PBKDF1", "PBKDF2", "Scrypt"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
@@ -48,12 +49,23 @@ private class CryptoSwiftSaltSink extends ConstantSaltSink {
  */
 private class RnCryptorSaltSink extends ConstantSaltSink {
   RnCryptorSaltSink() {
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+    exists(NominalTypeDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() =
+        [
+          "RNCryptor", "RNEncryptor", "RNDecryptor", "RNCryptor.EncryptorV3",
+          "RNCryptor.DecryptorV3"
+        ] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() =
         this.asExpr()
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultSaltSink extends ConstantSaltSink {
+  DefaultSaltSink() { sinkNode(this, "encryption-salt") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll b/swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow source for ECB encryption vulnerabilities. That is,
@@ -48,32 +49,22 @@ private class CryptoSwiftEcb extends EcbEncryptionSource {
   }
 }
 
-/**
- * A block mode being used to form a CryptoSwift `AES` cipher.
- */
-private class AES extends EcbEncryptionSink {
-  AES() {
-    // `blockMode` arg in `AES.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("AES", ["init(key:blockMode:)", "init(key:blockMode:padding:)"]) and
-      call.getArgument(1).getExpr() = this.asExpr()
-    )
+private class EcbEncryptionSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CryptoSwift `AES.init` block mode
+        ";AES;true;init(key:blockMode:);;;Argument[1];encryption-block-mode",
+        ";AES;true;init(key:blockMode:padding:);;;Argument[1];encryption-block-mode",
+        // CryptoSwift `Blowfish.init` block mode
+        ";Blowfish;true;init(key:blockMode:padding:);;;Argument[1];encryption-block-mode",
+      ]
   }
 }
 
 /**
- * A block mode being used to form a CryptoSwift `Blowfish` cipher.
+ * A sink defined in a CSV model.
  */
-private class Blowfish extends EcbEncryptionSink {
-  Blowfish() {
-    // `blockMode` arg in `Blowfish.init` is a sink
-    exists(CallExpr call |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName("Blowfish", "init(key:blockMode:padding:)") and
-      call.getArgument(1).getExpr() = this.asExpr()
-    )
-  }
+private class DefaultEcbEncryptionSink extends EcbEncryptionSink {
+  DefaultEcbEncryptionSink() { sinkNode(this, "encryption-block-mode") }
 }
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for hard-coded encryption key vulnerabilities. That is,
@@ -34,14 +35,11 @@ class HardcodedEncryptionKeyAdditionalTaintStep extends Unit {
 private class CryptoSwiftEncryptionKeySink extends HardcodedEncryptionKeySink {
   CryptoSwiftEncryptionKeySink() {
     // `key` arg in `init` is a sink
-    exists(CallExpr call, string fName |
-      call.getStaticTarget()
-          .(MethodDecl)
-          .hasQualifiedName([
-              "AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"
-            ], fName) and
-      fName.matches("init(key:%") and
-      call.getArgument(0).getExpr() = this.asExpr()
+    exists(NominalTypeDecl c, ConstructorDecl f, CallExpr call |
+      c.getName() = ["AES", "HMAC", "ChaCha20", "CBCMAC", "CMAC", "Poly1305", "Blowfish", "Rabbit"] and
+      c.getAMember() = f and
+      call.getStaticTarget() = f and
+      call.getArgumentWithLabel("key").getExpr() = this.asExpr()
     )
   }
 }
@@ -51,11 +49,22 @@ private class CryptoSwiftEncryptionKeySink extends HardcodedEncryptionKeySink {
  */
 private class RnCryptorEncryptionKeySink extends HardcodedEncryptionKeySink {
   RnCryptorEncryptionKeySink() {
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+    exists(NominalTypeDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() =
+        [
+          "RNCryptor", "RNEncryptor", "RNDecryptor", "RNCryptor.EncryptorV3",
+          "RNCryptor.DecryptorV3"
+        ] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["encryptionKey", "withEncryptionKey"]).getExpr() = this.asExpr()
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultEncryptionKeySink extends HardcodedEncryptionKeySink {
+  DefaultEncryptionKeySink() { sinkNode(this, "encryption-key") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow source for insecure TLS configuration vulnerabilities. That is,
@@ -59,3 +60,10 @@ private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultTlsExtensionsSink extends InsecureTlsExtensionsSink {
+  DefaultTlsExtensionsSink() { sinkNode(this, "tls-protocol-version") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsExtensions.qll b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for insufficient hash interation vulnerabilities. That is,
@@ -35,11 +36,18 @@ class InsufficientHashIterationsAdditionalTaintStep extends Unit {
 private class CryptoSwiftHashIterationsSink extends InsufficientHashIterationsSink {
   CryptoSwiftHashIterationsSink() {
     // `iterations` arg in `init` is a sink
-    exists(ClassOrStructDecl c, ConstructorDecl f, CallExpr call |
+    exists(NominalTypeDecl c, ConstructorDecl f, CallExpr call |
       c.getName() = ["PBKDF1", "PBKDF2"] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel("iterations").getExpr() = this.asExpr()
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultHashIterationsSink extends InsufficientHashIterationsSink {
+  DefaultHashIterationsSink() { sinkNode(this, "hash-iteration-count") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorExtensions.qll b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorExtensions.qll
@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for static initialization vector vulnerabilities. That is,
@@ -50,11 +51,22 @@ private class CryptoSwiftInitializationVectorSink extends StaticInitializationVe
  */
 private class RnCryptorInitializationVectorSink extends StaticInitializationVectorSink {
   RnCryptorInitializationVectorSink() {
-    exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
-      c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+    exists(NominalTypeDecl c, MethodDecl f, CallExpr call |
+      c.getFullName() =
+        [
+          "RNCryptor", "RNEncryptor", "RNDecryptor", "RNCryptor.EncryptorV3",
+          "RNCryptor.DecryptorV3"
+        ] and
       c.getAMember() = f and
       call.getStaticTarget() = f and
       call.getArgumentWithLabel(["iv", "IV"]).getExpr() = this.asExpr()
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultInitializationVectorSink extends StaticInitializationVectorSink {
+  DefaultInitializationVectorSink() { sinkNode(this, "encryption-iv") }
+}
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -6,9 +6,11 @@
 import swift
 import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
- * A dataflow sink for weak sensitive data hashing vulnerabilities.
+ * A dataflow sink for weak sensitive data hashing vulnerabilities. That is,
+ * a `DataFlow::Node` that is passed into a weak hashing function.
  */
 abstract class WeakSensitiveDataHashingSink extends DataFlow::Node {
   /**
@@ -33,21 +35,28 @@ class WeakSensitiveDataHashingAdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
 }
 
+private class WeakHashingSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CryptoKit
+        ";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
+      ]
+  }
+}
+
 /**
- * A sink for the CryptoSwift library.
+ * A sink defined in a CSV model.
  */
-private class CryptoSwiftWeakHashingSink extends WeakSensitiveDataHashingSink {
+private class DefaultWeakHashingSink extends WeakSensitiveDataHashingSink {
   string algorithm;
 
-  CryptoSwiftWeakHashingSink() {
-    exists(ApplyExpr call, FuncDecl func |
-      call.getAnArgument().getExpr() = this.asExpr() and
-      call.getStaticTarget() = func and
-      func.getName().matches(["hash(%", "update(%"]) and
-      algorithm = func.getEnclosingDecl().(ClassOrStructDecl).getName() and
-      algorithm = ["MD5", "SHA1"]
-    )
-  }
+  DefaultWeakHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }
 
   override string getAlgorithm() { result = algorithm }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`
`6`	`6`	`import swift`
`7`	`7`	`import codeql.swift.dataflow.DataFlow`
	`8`	`+import codeql.swift.dataflow.ExternalFlow`
`8`	`9`
`9`	`10`	`/**`
`10`	`11`	`* A dataflow source for insecure TLS configuration vulnerabilities. That is,`
`@@ -59,3 +60,10 @@ private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {`
`59`	`60`	`)`
`60`	`61`	`}`
`61`	`62`	`}`
	`63`	`+`
	`64`	`+/**`
	`65`	`+ * A sink defined in a CSV model.`
	`66`	`+ */`
	`67`	`+private class DefaultTlsExtensionsSink extends InsecureTlsExtensionsSink {`
	`68`	`+ DefaultTlsExtensionsSink() { sinkNode(this, "tls-protocol-version") }`
	`69`	`+}`