Swift: Add some test cases.

geoffw0 · geoffw0 · commit c1a95d57bbba · 2023-04-20T17:15:47.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected b/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected
@@ -24,6 +24,9 @@ edges
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:185:20:185:36 | withMinVersion :  | InsecureTLS.swift:187:42:187:42 | withMinVersion |
+| InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | InsecureTLS.swift:185:20:185:36 | withMinVersion :  |
 | file://:0:0:0:0 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [TLSVersion] :  |
 nodes
@@ -55,6 +58,11 @@ nodes
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | semmle.label | def [TLSVersion] :  |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion | semmle.label | .TLSVersion |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | semmle.label | .TLSVersion :  |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 | semmle.label | .TLSv10 |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:185:20:185:36 | withMinVersion :  | semmle.label | withMinVersion :  |
+| InsecureTLS.swift:187:42:187:42 | withMinVersion | semmle.label | withMinVersion |
+| InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | semmle.label | .TLSv10 :  |
 | file://:0:0:0:0 | .TLSVersion :  | semmle.label | .TLSVersion :  |
 | file://:0:0:0:0 | [post] self [TLSVersion] :  | semmle.label | [post] self [TLSVersion] :  |
 | file://:0:0:0:0 | self [TLSVersion] :  | semmle.label | self [TLSVersion] :  |
@@ -76,6 +84,8 @@ subpaths
 | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | This TLS configuration is insecure. |
 | InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:122:47:122:47 | version | This TLS configuration is insecure. |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion | This TLS configuration is insecure. |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 | InsecureTLS.swift:181:53:181:76 | .TLSv10 | InsecureTLS.swift:181:53:181:76 | .TLSv10 | This TLS configuration is insecure. |
+| InsecureTLS.swift:187:42:187:42 | withMinVersion | InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | InsecureTLS.swift:187:42:187:42 | withMinVersion | This TLS configuration is insecure. |
 | file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
 | file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
 | file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
@@ -84,3 +94,4 @@ subpaths
 | file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
 | file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
 | file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
diff --git a/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift b/swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift
@@ -171,3 +171,33 @@ func case_19() {
   let config = URLSessionConfiguration()
   config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
 }
+
+class MyClass {
+  var config = URLSessionConfiguration()
+}
+
+func case_20(myObj: MyClass) {
+  myObj.config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13 // GOOD
+  myObj.config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
+}
+
+extension URLSessionConfiguration {
+  convenience init(withMinVersion: tls_protocol_version_t) {
+    self.init()
+    tlsMinimumSupportedProtocolVersion = withMinVersion
+  }
+}
+
+func case_21() {
+  let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv13) // GOOD
+  let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv10) // BAD
+}
+
+func setVersion(version: inout tls_protocol_version_t, value: tls_protocol_version_t) {
+  version = value
+}
+
+func case_22(config: URLSessionConfiguration) {
+  setVersion(version: &config.tlsMinimumSupportedProtocolVersion, value: tls_protocol_version_t.TLSv13) // GOOD
+  setVersion(version: &config.tlsMinimumSupportedProtocolVersion, value: tls_protocol_version_t.TLSv10) // BAD [NOT DETECTED]
+}
