Swift: Tweak private info regexps to restore 'account_no' results.

Author: geoffw0

swift/ql/lib/codeql/swift/security/SensitiveExprs.qll

@@ -58,7 +58,7 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
         // Geographic location - where the user is (or was)
         "latitude|longitude|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "credit.?card|debit.?card|salary|bank.?account|" +
+        "credit.?card|debit.?card|salary|bank.?account|acc(ou)?nt.?(no|num)|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         "email|" +
         // Health - medical conditions, insurance status, prescription records

swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected

@@ -13,6 +13,7 @@ edges
 | testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data |
 | testSend.swift:54:17:54:17 | password | testSend.swift:54:13:54:25 | call to pad(_:) |
 | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
+| testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
 nodes
 | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | semmle.label | [summary] to write: return (return) in Data.init(_:) |
@@ -40,6 +41,8 @@ nodes
 | testSend.swift:66:27:66:30 | .mobileNumber | semmle.label | .mobileNumber |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:13:54:13:54 | passwd | semmle.label | passwd |
+| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:15:55:15:55 | account_no | semmle.label | account_no |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
 | testURL.swift:16:55:16:55 | credit_card_no | semmle.label | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
@@ -58,5 +61,6 @@ subpaths
 | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:65:27:65:27 | license_key | license_key |
 | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:66:27:66:30 | .mobileNumber | .mobileNumber |
 | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:13:54:13:54 | passwd | passwd |
+| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:15:55:15:55 | account_no | account_no |
 | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:16:55:16:55 | credit_card_no | credit_card_no |
 | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:20:22:20:22 | passwd | passwd |

swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected

@@ -129,5 +129,6 @@
 | testSend.swift:66:27:66:30 | .mobileNumber | label:mobileNumber, type:private information |
 | testSend.swift:69:27:69:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
 | testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
+| testURL.swift:15:55:15:55 | account_no | label:account_no, type:private information |
 | testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
 | testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |

swift/ql/test/query-tests/Security/CWE-311/testURL.swift

@@ -12,7 +12,7 @@ struct URL
 func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
 	let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
 	let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
-	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD [NOT DETECTED]
+	let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD
 	let d = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD
 
 	let base = URL(string: "http://example.com/"); // GOOD (not sensitive)

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -2,22 +2,28 @@ edges
 nodes
 | testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:57:43:57:43 | cert | semmle.label | cert |
+| testCryptoKit.swift:59:43:59:43 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:64:44:64:44 | cert | semmle.label | cert |
+| testCryptoKit.swift:66:44:66:44 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:91:23:91:23 | cert | semmle.label | cert |
+| testCryptoKit.swift:93:23:93:23 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:100:23:100:23 | cert | semmle.label | cert |
+| testCryptoKit.swift:102:23:102:23 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:133:32:133:32 | cert | semmle.label | cert |
+| testCryptoKit.swift:135:32:135:32 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:142:32:142:32 | cert | semmle.label | cert |
+| testCryptoKit.swift:144:32:144:32 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
@@ -33,22 +39,28 @@ subpaths
 #select
 | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:57:43:57:43 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:59:43:59:43 | account_no | testCryptoKit.swift:59:43:59:43 | account_no | testCryptoKit.swift:59:43:59:43 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:59:43:59:43 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | testCryptoKit.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | testCryptoKit.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:64:44:64:44 | cert | testCryptoKit.swift:64:44:64:44 | cert | testCryptoKit.swift:64:44:64:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:64:44:64:44 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:66:44:66:44 | account_no | testCryptoKit.swift:66:44:66:44 | account_no | testCryptoKit.swift:66:44:66:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:66:44:66:44 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | testCryptoKit.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:91:23:91:23 | cert | testCryptoKit.swift:91:23:91:23 | cert | testCryptoKit.swift:91:23:91:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:23:91:23 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:93:23:93:23 | account_no | testCryptoKit.swift:93:23:93:23 | account_no | testCryptoKit.swift:93:23:93:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:93:23:93:23 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | testCryptoKit.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:100:23:100:23 | cert | testCryptoKit.swift:100:23:100:23 | cert | testCryptoKit.swift:100:23:100:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:100:23:100:23 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:102:23:102:23 | account_no | testCryptoKit.swift:102:23:102:23 | account_no | testCryptoKit.swift:102:23:102:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:102:23:102:23 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | testCryptoKit.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:133:32:133:32 | cert | testCryptoKit.swift:133:32:133:32 | cert | testCryptoKit.swift:133:32:133:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:133:32:133:32 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:135:32:135:32 | account_no | testCryptoKit.swift:135:32:135:32 | account_no | testCryptoKit.swift:135:32:135:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:135:32:135:32 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | testCryptoKit.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
 | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:32:142:32 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:144:32:144:32 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | sensitive data (credential passwdArray) |
 | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | sensitive data (credential passwdArray) |

swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift

@@ -56,14 +56,14 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
     var hash = Crypto.Insecure.MD5.hash(data: passwd)  // BAD
     hash = Crypto.Insecure.MD5.hash(data: cert)   // BAD
     hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash = Crypto.Insecure.MD5.hash(data: account_no)   // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.MD5.hash(data: account_no)   // BAD
     hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
     hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
 
     hash = Crypto.Insecure.SHA1.hash(data: passwd)  // BAD
     hash = Crypto.Insecure.SHA1.hash(data: cert)   // BAD
     hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash = Crypto.Insecure.SHA1.hash(data: account_no)   // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.SHA1.hash(data: account_no)   // BAD
     hash = Crypto.Insecure.SHA1.hash(data: credit_card_no)   // BAD
 
     hash = Crypto.SHA256.hash(data: passwd)   // BAD [NOT DETECTED] not a computationally expensive hash
@@ -90,7 +90,7 @@ func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : Str
     hash.update(data: passwd)  // BAD
     hash.update(data: cert)  // BAD
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no)   // BAD [NOT DETECTED]
+    hash.update(data: account_no)   // BAD
     hash.update(data: credit_card_no)   // BAD
 }
 
@@ -99,7 +99,7 @@ func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : St
     hash.update(data: passwd)  // BAD
     hash.update(data: cert)  // BAD
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no)   // BAD [NOT DETECTED]
+    hash.update(data: account_no)   // BAD
     hash.update(data: credit_card_no)   // BAD
 }
 
@@ -132,7 +132,7 @@ func testMD5UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, ce
     hash.update(bufferPointer: passwd)  // BAD
     hash.update(bufferPointer: cert)  // BAD
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
+    hash.update(bufferPointer: account_no)   // BAD
     hash.update(bufferPointer: credit_card_no)   // BAD
 }
 
@@ -141,7 +141,7 @@ func testSHA1UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, c
     hash.update(bufferPointer: passwd)  // BAD
     hash.update(bufferPointer: cert)  // BAD
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
+    hash.update(bufferPointer: account_no)   // BAD
     hash.update(bufferPointer: credit_card_no)   // BAD
 }