Swift: Edit the weak sensitive data hashing examples and qhelp to encourage use of HMAC and key derivation algorithms where appropriate.

geoffw0 · geoffw0 · commit 94a5aa450cce · 2023-08-10T18:21:25.000+01:00
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp
@@ -51,12 +51,17 @@
             </li>
         </ul>
 
+        <p>
+            Note that special purpose algorithms exist for message authentication (ensuring that a message comes from a particular sender). These algorithms should be used when appropriate, as they address common vulnerabilities of simple hashing schemes in this context.
+        </p>
+
     </recommendation>
     <example>
 
         <p>
-            The following examples show a function for checking whether the hash
-            of a certificate matches a known value -- to prevent tampering.
+            The following examples show a function for fetching data from a
+            URL along with a hash of the data, perhaps to check the data has
+            not been tampered with.
 
             In the first case the MD5 hashing algorithm is used that is known to be vulnerable to collision attacks.
         </p>
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift
@@ -1,5 +1,10 @@
-typealias Hasher = Crypto.Insecure.MD5
+func getContentsAndHash(url: URL) -> (Data, String)? {
+    guard let data = try? Data(contentsOf: url) else {
+        return nil
+    }
 
-func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
-  return Hasher.hash(data: cert) == hash  // BAD
-}
+    let digest = Insecure.MD5.hash(data: data)
+    let hash = digest.map { String(format: "%02hhx", $0) }.joined()
+
+    return (data, hash)
+}
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift
@@ -1,4 +1,10 @@
-typealias Hasher = Crypto.SHA512
+func getContentsAndHash(url: URL) -> (Data, String)? {
+    guard let data = try? Data(contentsOf: url) else {
+        return nil
+    }
 
-func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
-  return Hasher.hash(data: cert) == hash  // GOOD
+    let digest = SHA512.hash(data: data)
+    let hash = digest.map { String(format: "%02hhx", $0) }.joined()
+
+    return (data, hash)
+}
