
Commit bc57e46

committed
Swift: Add some more test cases.
1 parent edfdddb commit bc57e46

5 files changed

+81
-52
lines changed


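--- a/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
@@ -7,14 +7,14 @@ edges
 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) |
 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:33:14:33:32 | call to Data.init(_:) |
 | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data |
-| testSend.swift:52:13:52:13 | password | testSend.swift:59:27:59:27 | str1 |
-| testSend.swift:53:13:53:13 | password | testSend.swift:60:27:60:27 | str2 |
-| testSend.swift:54:13:54:25 | call to pad(_:) | testSend.swift:61:27:61:27 | str3 |
-| testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data |
-| testSend.swift:54:17:54:17 | password | testSend.swift:54:13:54:25 | call to pad(_:) |
-| testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... |
-| testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... |
-| testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... |
+| testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 |
+| testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 |
+| testSend.swift:60:13:60:25 | call to pad(_:) | testSend.swift:67:27:67:27 | str3 |
+| testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data |
+| testSend.swift:60:17:60:17 | password | testSend.swift:60:13:60:25 | call to pad(_:) |
+| testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... |
+| testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... |
+| testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... |
 nodes
 | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | semmle.label | [summary] to write: return (return) in Data.init(_:) |
 | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
@@ -30,37 +30,39 @@ nodes
 | testSend.swift:37:19:37:19 | data2 | semmle.label | data2 |
 | testSend.swift:41:10:41:18 | data | semmle.label | data |
 | testSend.swift:41:45:41:45 | data | semmle.label | data |
-| testSend.swift:52:13:52:13 | password | semmle.label | password |
-| testSend.swift:53:13:53:13 | password | semmle.label | password |
-| testSend.swift:54:13:54:25 | call to pad(_:) | semmle.label | call to pad(_:) |
-| testSend.swift:54:17:54:17 | password | semmle.label | password |
-| testSend.swift:59:27:59:27 | str1 | semmle.label | str1 |
-| testSend.swift:60:27:60:27 | str2 | semmle.label | str2 |
-| testSend.swift:61:27:61:27 | str3 | semmle.label | str3 |
-| testSend.swift:65:27:65:27 | license_key | semmle.label | license_key |
-| testSend.swift:66:27:66:30 | .mobileNumber | semmle.label | .mobileNumber |
-| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:13:54:13:54 | passwd | semmle.label | passwd |
-| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:15:55:15:55 | account_no | semmle.label | account_no |
-| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
-| testURL.swift:16:55:16:55 | credit_card_no | semmle.label | credit_card_no |
-| testURL.swift:20:22:20:22 | passwd | semmle.label | passwd |
+| testSend.swift:58:13:58:13 | password | semmle.label | password |
+| testSend.swift:59:13:59:13 | password | semmle.label | password |
+| testSend.swift:60:13:60:25 | call to pad(_:) | semmle.label | call to pad(_:) |
+| testSend.swift:60:17:60:17 | password | semmle.label | password |
+| testSend.swift:65:27:65:27 | str1 | semmle.label | str1 |
+| testSend.swift:66:27:66:27 | str2 | semmle.label | str2 |
+| testSend.swift:67:27:67:27 | str3 | semmle.label | str3 |
+| testSend.swift:71:27:71:27 | license_key | semmle.label | license_key |
+| testSend.swift:72:27:72:30 | .mobileNumber | semmle.label | .mobileNumber |
+| testSend.swift:76:27:76:30 | .Telephone | semmle.label | .Telephone |
+| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:17:54:17:54 | passwd | semmle.label | passwd |
+| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:19:55:19:55 | account_no | semmle.label | account_no |
+| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
+| testURL.swift:20:55:20:55 | credit_card_no | semmle.label | credit_card_no |
+| testURL.swift:24:22:24:22 | passwd | semmle.label | passwd |
 subpaths
 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) | testSend.swift:33:14:33:32 | call to Data.init(_:) |
-| testSend.swift:54:17:54:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:54:13:54:25 | call to pad(_:) |
+| testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
 #select
 | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | testAlamofire.swift:150:45:150:45 | password | testAlamofire.swift:150:13:150:45 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:150:45:150:45 | password | password |
 | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | testAlamofire.swift:152:51:152:51 | password | testAlamofire.swift:152:19:152:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:152:51:152:51 | password | password |
 | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | testAlamofire.swift:154:38:154:38 | email | testAlamofire.swift:154:14:154:46 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testAlamofire.swift:154:38:154:38 | email | email |
 | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | testSend.swift:29:19:29:19 | passwordPlain | This operation transmits 'passwordPlain', which may contain unencrypted sensitive data from $@. | testSend.swift:29:19:29:19 | passwordPlain | passwordPlain |
 | testSend.swift:37:19:37:19 | data2 | testSend.swift:33:19:33:19 | passwordPlain | testSend.swift:37:19:37:19 | data2 | This operation transmits 'data2', which may contain unencrypted sensitive data from $@. | testSend.swift:33:19:33:19 | passwordPlain | passwordPlain |
-| testSend.swift:59:27:59:27 | str1 | testSend.swift:52:13:52:13 | password | testSend.swift:59:27:59:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:52:13:52:13 | password | password |
-| testSend.swift:60:27:60:27 | str2 | testSend.swift:53:13:53:13 | password | testSend.swift:60:27:60:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:53:13:53:13 | password | password |
-| testSend.swift:61:27:61:27 | str3 | testSend.swift:54:17:54:17 | password | testSend.swift:61:27:61:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:54:17:54:17 | password | password |
-| testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | testSend.swift:65:27:65:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:65:27:65:27 | license_key | license_key |
-| testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | testSend.swift:66:27:66:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:66:27:66:30 | .mobileNumber | .mobileNumber |
-| testURL.swift:13:22:13:54 | ... .+(_:_:) ... | testURL.swift:13:54:13:54 | passwd | testURL.swift:13:22:13:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:13:54:13:54 | passwd | passwd |
-| testURL.swift:15:22:15:55 | ... .+(_:_:) ... | testURL.swift:15:55:15:55 | account_no | testURL.swift:15:22:15:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:15:55:15:55 | account_no | account_no |
-| testURL.swift:16:22:16:55 | ... .+(_:_:) ... | testURL.swift:16:55:16:55 | credit_card_no | testURL.swift:16:22:16:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:16:55:16:55 | credit_card_no | credit_card_no |
-| testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | testURL.swift:20:22:20:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:20:22:20:22 | passwd | passwd |
+| testSend.swift:65:27:65:27 | str1 | testSend.swift:58:13:58:13 | password | testSend.swift:65:27:65:27 | str1 | This operation transmits 'str1', which may contain unencrypted sensitive data from $@. | testSend.swift:58:13:58:13 | password | password |
+| testSend.swift:66:27:66:27 | str2 | testSend.swift:59:13:59:13 | password | testSend.swift:66:27:66:27 | str2 | This operation transmits 'str2', which may contain unencrypted sensitive data from $@. | testSend.swift:59:13:59:13 | password | password |
+| testSend.swift:67:27:67:27 | str3 | testSend.swift:60:17:60:17 | password | testSend.swift:67:27:67:27 | str3 | This operation transmits 'str3', which may contain unencrypted sensitive data from $@. | testSend.swift:60:17:60:17 | password | password |
+| testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | testSend.swift:71:27:71:27 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | testSend.swift:71:27:71:27 | license_key | license_key |
+| testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | testSend.swift:72:27:72:30 | .mobileNumber | This operation transmits '.mobileNumber', which may contain unencrypted sensitive data from $@. | testSend.swift:72:27:72:30 | .mobileNumber | .mobileNumber |
+| testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | testSend.swift:76:27:76:30 | .Telephone | This operation transmits '.Telephone', which may contain unencrypted sensitive data from $@. | testSend.swift:76:27:76:30 | .Telephone | .Telephone |
+| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:17:54:17:54 | passwd | passwd |
+| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:19:55:19:55 | account_no | account_no |
+| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:20:55:20:55 | credit_card_no | credit_card_no |
+| testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:24:22:24:22 | passwd | passwd |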

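--- a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -119,16 +119,17 @@
 | testRealm.swift:73:15:73:15 | myPassword | label:myPassword, type:credential |
 | testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:credential |
 | testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:52:13:52:13 | password | label:password, type:credential |
-| testSend.swift:53:13:53:13 | password | label:password, type:credential |
-| testSend.swift:54:17:54:17 | password | label:password, type:credential |
-| testSend.swift:55:23:55:23 | password | label:password, type:credential |
-| testSend.swift:56:27:56:27 | password | label:password, type:credential |
-| testSend.swift:57:27:57:27 | password | label:password, type:credential |
-| testSend.swift:65:27:65:27 | license_key | label:license_key, type:credential |
-| testSend.swift:66:27:66:30 | .mobileNumber | label:mobileNumber, type:private information |
-| testSend.swift:69:27:69:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
-| testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
-| testURL.swift:15:55:15:55 | account_no | label:account_no, type:private information |
-| testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
-| testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |
+| testSend.swift:58:13:58:13 | password | label:password, type:credential |
+| testSend.swift:59:13:59:13 | password | label:password, type:credential |
+| testSend.swift:60:17:60:17 | password | label:password, type:credential |
+| testSend.swift:61:23:61:23 | password | label:password, type:credential |
+| testSend.swift:62:27:62:27 | password | label:password, type:credential |
+| testSend.swift:63:27:63:27 | password | label:password, type:credential |
+| testSend.swift:71:27:71:27 | license_key | label:license_key, type:credential |
+| testSend.swift:72:27:72:30 | .mobileNumber | label:mobileNumber, type:private information |
+| testSend.swift:75:27:75:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
+| testSend.swift:76:27:76:30 | .Telephone | label:Telephone, type:private information |
+| testURL.swift:17:54:17:54 | passwd | label:passwd, type:credential |
+| testURL.swift:19:55:19:55 | account_no | label:account_no, type:private information |
+| testURL.swift:20:55:20:55 | credit_card_no | label:credit_card_no, type:private information |
+| testURL.swift:24:22:24:22 | passwd | label:passwd, type:credential |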

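--- a/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testSend.swift
@@ -46,6 +46,12 @@ struct MyStruct {
 var mobileUrl: String
 var mobilePlayer: String
 var passwordFeatureEnabled: Bool
+var Telephone: String
+var birth_day: String
+var CarePlanID: String
+var BankCardNo: String
+var MyCreditRating: String
+var OneTimeCode: String
 }
 
 func test2(password : String, license_key: String, ms: MyStruct, connection : NWConnection) {
@@ -67,4 +73,10 @@ func test2(password : String, license_key: String, ms: MyStruct, connection : NW
 connection.send(content: ms.mobileUrl, completion: .idempotent) // GOOD (not sensitive)
 connection.send(content: ms.mobilePlayer, completion: .idempotent) // GOOD (not sensitive)
 connection.send(content: ms.passwordFeatureEnabled, completion: .idempotent) // GOOD (not sensitive)
+connection.send(content: ms.Telephone, completion: .idempotent) // BAD
+connection.send(content: ms.birth_day, completion: .idempotent) // BAD [NOT DETECTED]
+connection.send(content: ms.CarePlanID, completion: .idempotent) // BAD [NOT DETECTED]
+connection.send(content: ms.BankCardNo, completion: .idempotent) // BAD [NOT DETECTED]
+connection.send(content: ms.MyCreditRating, completion: .idempotent) // BAD [NOT DETECTED]
+connection.send(content: ms.OneTimeCode, completion: .idempotent) // BAD [NOT DETECTED]
 }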
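Review bot: The new MyStruct fields deliberately depart from Swift naming (`Telephone`, `CarePlanID`, `BankCardNo` in UpperCamelCase, `birth_day` in snake_case), presumably so the sensitive-name heuristics are exercised on identifiers that do not match the usual lowerCamelCase form, but nothing in the file says so and a later style cleanup could "fix" the casing and silently weaken the test. A one-line comment above the block would pin the intent: `// casing is intentionally non-idiomatic: exercises matching of sensitive field names regardless of case`. The `[NOT DETECTED]` markers on five of the six new sends record current gaps of the query (the accompanying .expected files only gain a `.Telephone` result), so it would help to state in the commit message whether those are known limitations or follow-up work. The body of test2 starts before the second hunk.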

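--- a/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/testURL.swift
@@ -9,6 +9,10 @@ struct URL
 
 // --- tests ---
 
+var myString = ""
+func setMyString(str: String) { myString = str }
+func getMyString() -> String { return myString }
+
 func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
 let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
 let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
@@ -19,4 +23,11 @@ func test1(passwd : String, encrypted_passwd : String, account_no : String, cred
 let e = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
 let f = URL(string: passwd, relativeTo: base); // BAD
 let g = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
+
+let e_mail = myString
+let h = URL(string: "http://example.com/login?em=" + e_mail); // BAD [NOT DETECTED]
+var a_homeaddr_z = getMyString()
+let i = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD [NOT DETECTED]
+var resident_ID = getMyString()
+let j = URL(string: "http://example.com/login?id=" + resident_ID); // BAD [NOT DETECTED]
 }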
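Review bot: `var a_homeaddr_z = getMyString()` and `var resident_ID = getMyString()` in the second hunk are never mutated, so the compiler will warn that they should be constants; write `let a_homeaddr_z = getMyString()` and `let resident_ID = getMyString()`, matching the sibling `let e_mail = myString`. The new module-level `var myString` and its accessors in the first hunk sit between the `// --- tests ---` marker and test1 with no explanation; since the `[NOT DETECTED]` annotations suggest the point is that the only evidence of sensitivity is the local's name (the value arrives through an opaque global/getter), a comment such as `// helpers: opaque source of a string whose only sensitivity signal is the receiving variable's name` would make that readable. The body of test1 starts before the second hunk.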

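--- a/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
+++ b/swift/ql/test/query-tests/Security/CWE-312/cleartextLoggingTest.swift
@@ -83,7 +83,7 @@ struct Logger {
 
 // --- tests ---
 
-func test1(password: String, passwordHash : String) {
+func test1(password: String, passwordHash : String, passphrase: String, pass_phrase: String) {
 print(password) // $ MISSING: hasCleartextLogging=87
 print(password, separator: "") // $ MISSING: $ hasCleartextLogging=88
 print("", separator: password) // $ hasCleartextLogging=89
@@ -132,6 +132,9 @@ func test1(password: String, passwordHash : String) {
 log.critical("\(passwordHash, privacy: .public)") // Safe
 log.fault("\(password, privacy: .public)") // $ MISSING: hasCleartextLogging=133
 log.fault("\(passwordHash, privacy: .public)") // Safe
+
+NSLog(passphrase) // $ hasCleartextLogging=136
+NSLog(pass_phrase) // $ MISSING: hasCleartextLogging=137
 }
 
 class MyClass {
@@ -145,14 +148,14 @@ func doSomething(password: String) { }
 func test3(x: String) {
 // alternative evidence of sensitivity...
 
-NSLog(x) // $ MISSING: hasCleartextLogging=148
+NSLog(x) // $ MISSING: hasCleartextLogging=152
 doSomething(password: x);
-NSLog(x) // $ hasCleartextLogging=149
+NSLog(x) // $ hasCleartextLogging=152
 
 let y = getPassword();
-NSLog(y) // $ hasCleartextLogging=152
+NSLog(y) // $ hasCleartextLogging=155
 
 let z = MyClass()
 NSLog(z.harmless) // Safe
-NSLog(z.password) // $ hasCleartextLogging=157
+NSLog(z.password) // $ hasCleartextLogging=160
 }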
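Review bot: In test3 the `$ MISSING: hasCleartextLogging=` annotation on the first `NSLog(x)` changes meaning, not just number: the old line pointed at itself (148 on line 148), whereas the new one on line 151 points at 152, the `doSomething(password: x)` call, which is the location the second `NSLog(x)` already expected (149 → 152). If that is a deliberate correction of the expected source location rather than a renumbering slip, the commit message ("Add some more test cases") should say so, because the other three annotations in this hunk are pure +3 shifts and a reader will assume the same here. The added `NSLog(passphrase)` / `NSLog(pass_phrase)` pair in test1 is consistent with the rest of the file, with `$ MISSING` on the snake_case name recording a known gap in the same way the `[NOT DETECTED]` markers do in the CWE-311 tests of this commit. The body of test1 begins before the second hunk; test3 is shown in full in the third.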
