
Commit a91c450

Swift: Add some special cases to preserve (for now) result quality.
1 parent e2080c5 commit a91c450


3 files changed

+4
-17
lines changed


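--- a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
+++ b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -70,7 +70,10 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
 * contain hashed or encrypted data, or are only a reference to data that is
 * actually stored elsewhere.
 */
-private string regexpProbablySafe() { result = HeuristicNames::notSensitiveRegexp() }
+private string regexpProbablySafe() {
+result = HeuristicNames::notSensitiveRegexp() or
+result = "(?is).*(file|path|url|invalid).*"
+}
 
 /**
 * A `VarDecl` that might be used to contain sensitive data.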
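Review bot: The new alternative in `regexpProbablySafe` (new lines 74–76) treats any name containing the substrings `file`, `path`, `url` or `invalid` as not sensitive, case-insensitively and without word boundaries, so it also suppresses names such as `profile`/`userProfile` (which contain `file`) and anything built on `curl` (which contains `url`); the deleted `password_file` rows in the two `.expected` files show it already drops a credential-bearing name, so this is a deliberate precision-for-recall trade-off that the code should record. The predicate carries no comment explaining the exclusion or its temporary nature, which the commit message states; add above it `// Names that look like file/path/URL references or validity flags are excluded; temporary special case kept to preserve result quality.` If the substring matching proves too broad, the pattern could be tightened to whole tokens (for example requiring a separator or case change around the word), but the hunk does not show what `HeuristicNames::notSensitiveRegexp()` already covers, so that is a judgement to confirm against the helper. The hunk header names `class SensitivePrivateInfo` as context, but whether the predicate sits inside that class or at module level is not visible here; the surrounding declarations continue outside the hunk.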

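--- a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@@ -110,13 +110,9 @@ edges
 | testCoreData.swift:18:19:18:26 | value | testCoreData.swift:19:12:19:12 | value |
 | testCoreData.swift:31:3:31:3 | newValue | testCoreData.swift:32:13:32:13 | newValue |
 | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:18:19:18:26 | value |
-| testCoreData.swift:62:25:62:25 | password_file | testCoreData.swift:18:19:18:26 | value |
 | testCoreData.swift:64:2:64:2 | [post] obj [myValue] | testCoreData.swift:64:2:64:2 | [post] obj |
 | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:31:3:31:3 | newValue |
 | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj [myValue] |
-| testCoreData.swift:65:2:65:2 | [post] obj [myValue] | testCoreData.swift:65:2:65:2 | [post] obj |
-| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:31:3:31:3 | newValue |
-| testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj [myValue] |
 | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x |
 | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y |
 | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x |
@@ -315,15 +311,10 @@ nodes
 | testCoreData.swift:48:15:48:15 | password | semmle.label | password |
 | testCoreData.swift:51:24:51:24 | password | semmle.label | password |
 | testCoreData.swift:58:15:58:15 | password | semmle.label | password |
-| testCoreData.swift:59:15:59:15 | password_file | semmle.label | password_file |
 | testCoreData.swift:61:25:61:25 | password | semmle.label | password |
-| testCoreData.swift:62:25:62:25 | password_file | semmle.label | password_file |
 | testCoreData.swift:64:2:64:2 | [post] obj | semmle.label | [post] obj |
 | testCoreData.swift:64:2:64:2 | [post] obj [myValue] | semmle.label | [post] obj [myValue] |
 | testCoreData.swift:64:16:64:16 | password | semmle.label | password |
-| testCoreData.swift:65:2:65:2 | [post] obj | semmle.label | [post] obj |
-| testCoreData.swift:65:2:65:2 | [post] obj [myValue] | semmle.label | [post] obj [myValue] |
-| testCoreData.swift:65:16:65:16 | password_file | semmle.label | password_file |
 | testCoreData.swift:77:24:77:24 | x | semmle.label | x |
 | testCoreData.swift:78:15:78:15 | x | semmle.label | x |
 | testCoreData.swift:80:10:80:22 | call to getPassword() | semmle.label | call to getPassword() |
@@ -501,15 +492,11 @@ subpaths
 | testCoreData2.swift:104:2:104:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:104:2:104:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo |
 | testCoreData2.swift:105:2:105:2 | dbObj | testCoreData2.swift:101:10:101:10 | bankAccountNo | testCoreData2.swift:105:2:105:2 | [post] dbObj | This operation stores 'dbObj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:101:10:101:10 | bankAccountNo | bankAccountNo |
 | testCoreData.swift:19:12:19:12 | value | testCoreData.swift:61:25:61:25 | password | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:61:25:61:25 | password | password |
-| testCoreData.swift:19:12:19:12 | value | testCoreData.swift:62:25:62:25 | password_file | testCoreData.swift:19:12:19:12 | value | This operation stores 'value' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:62:25:62:25 | password_file | password_file |
 | testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password |
-| testCoreData.swift:32:13:32:13 | newValue | testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:32:13:32:13 | newValue | This operation stores 'newValue' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:65:16:65:16 | password_file | password_file |
 | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | testCoreData.swift:48:15:48:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:48:15:48:15 | password | password |
 | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | testCoreData.swift:51:24:51:24 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:51:24:51:24 | password | password |
 | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | testCoreData.swift:58:15:58:15 | password | This operation stores 'password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:58:15:58:15 | password | password |
-| testCoreData.swift:59:15:59:15 | password_file | testCoreData.swift:59:15:59:15 | password_file | testCoreData.swift:59:15:59:15 | password_file | This operation stores 'password_file' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:59:15:59:15 | password_file | password_file |
 | testCoreData.swift:64:2:64:2 | obj | testCoreData.swift:64:16:64:16 | password | testCoreData.swift:64:2:64:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:64:16:64:16 | password | password |
-| testCoreData.swift:65:2:65:2 | obj | testCoreData.swift:65:16:65:16 | password_file | testCoreData.swift:65:2:65:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:65:16:65:16 | password_file | password_file |
 | testCoreData.swift:78:15:78:15 | x | testCoreData.swift:77:24:77:24 | x | testCoreData.swift:78:15:78:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:77:24:77:24 | x | x |
 | testCoreData.swift:81:15:81:15 | y | testCoreData.swift:80:10:80:22 | call to getPassword() | testCoreData.swift:81:15:81:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:80:10:80:22 | call to getPassword() | call to getPassword() |
 | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | testCoreData.swift:85:15:85:17 | .password | This operation stores '.password' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:85:15:85:17 | .password | .password |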

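--- a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -51,11 +51,8 @@
 | testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
 | testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
 | testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
-| testCoreData.swift:59:15:59:15 | password_file | label:password_file, type:credential |
 | testCoreData.swift:61:25:61:25 | password | label:password, type:credential |
-| testCoreData.swift:62:25:62:25 | password_file | label:password_file, type:credential |
 | testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
-| testCoreData.swift:65:16:65:16 | password_file | label:password_file, type:credential |
 | testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
 | testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword, type:credential |
 | testCoreData.swift:85:15:85:17 | .password | label:password, type:credential |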
