Swift: Widen the new sinks to cover more cases the MaD sinks are missing.

Author: geoffw0

swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll

@@ -121,7 +121,7 @@ private class WeakPasswordHashingMetatypeSink extends WeakPasswordHashingSink {
     exists(CallExpr c |
       c.getAnArgument().getExpr() = this.asExpr() and
       algorithm = ["SHA256", "SHA384", "SHA512"] and
-      c.getQualifier().getType().getFullName() = algorithm + ".Type" and
+      c.getQualifier().getType().getFullName() = algorithm + ["", ".Type"] and
       c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
     )
   }

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll

@@ -87,7 +87,7 @@ private class WeakSenitiveDataHashingMetatypeSink extends WeakSensitiveDataHashi
     exists(CallExpr c |
       c.getAnArgument().getExpr() = this.asExpr() and
       algorithm = ["MD5", "SHA1"] and
-      c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ".Type" and
+      c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and
       c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
     )
   }

swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected

@@ -8,6 +8,11 @@ nodes
 | testCryptoKit.swift:102:37:102:37 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:108:37:108:37 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:114:37:114:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:123:23:123:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:132:23:132:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:141:23:141:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:150:23:150:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:159:23:159:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:168:32:168:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:177:32:177:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:186:32:186:32 | passwd | semmle.label | passwd |
@@ -49,6 +54,11 @@ subpaths
 | testCryptoKit.swift:102:37:102:37 | passwd | testCryptoKit.swift:102:37:102:37 | passwd | testCryptoKit.swift:102:37:102:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:102:37:102:37 | passwd | password (passwd) |
 | testCryptoKit.swift:108:37:108:37 | passwd | testCryptoKit.swift:108:37:108:37 | passwd | testCryptoKit.swift:108:37:108:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:108:37:108:37 | passwd | password (passwd) |
 | testCryptoKit.swift:114:37:114:37 | passwd | testCryptoKit.swift:114:37:114:37 | passwd | testCryptoKit.swift:114:37:114:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:114:37:114:37 | passwd | password (passwd) |
+| testCryptoKit.swift:123:23:123:23 | passwd | testCryptoKit.swift:123:23:123:23 | passwd | testCryptoKit.swift:123:23:123:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:123:23:123:23 | passwd | password (passwd) |
+| testCryptoKit.swift:132:23:132:23 | passwd | testCryptoKit.swift:132:23:132:23 | passwd | testCryptoKit.swift:132:23:132:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:132:23:132:23 | passwd | password (passwd) |
+| testCryptoKit.swift:141:23:141:23 | passwd | testCryptoKit.swift:141:23:141:23 | passwd | testCryptoKit.swift:141:23:141:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:141:23:141:23 | passwd | password (passwd) |
+| testCryptoKit.swift:150:23:150:23 | passwd | testCryptoKit.swift:150:23:150:23 | passwd | testCryptoKit.swift:150:23:150:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:150:23:150:23 | passwd | password (passwd) |
+| testCryptoKit.swift:159:23:159:23 | passwd | testCryptoKit.swift:159:23:159:23 | passwd | testCryptoKit.swift:159:23:159:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:159:23:159:23 | passwd | password (passwd) |
 | testCryptoKit.swift:168:32:168:32 | passwd | testCryptoKit.swift:168:32:168:32 | passwd | testCryptoKit.swift:168:32:168:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:168:32:168:32 | passwd | password (passwd) |
 | testCryptoKit.swift:177:32:177:32 | passwd | testCryptoKit.swift:177:32:177:32 | passwd | testCryptoKit.swift:177:32:177:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:177:32:177:32 | passwd | password (passwd) |
 | testCryptoKit.swift:186:32:186:32 | passwd | testCryptoKit.swift:186:32:186:32 | passwd | testCryptoKit.swift:186:32:186:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:186:32:186:32 | passwd | password (passwd) |

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -28,6 +28,12 @@ nodes
 | testCryptoKit.swift:97:44:97:44 | cert | semmle.label | cert |
 | testCryptoKit.swift:99:44:99:44 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:100:44:100:44 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:124:23:124:23 | cert | semmle.label | cert |
+| testCryptoKit.swift:126:23:126:23 | account_no | semmle.label | account_no |
+| testCryptoKit.swift:127:23:127:23 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoKit.swift:133:23:133:23 | cert | semmle.label | cert |
+| testCryptoKit.swift:135:23:135:23 | account_no | semmle.label | account_no |
+| testCryptoKit.swift:136:23:136:23 | credit_card_no | semmle.label | credit_card_no |
 | testCryptoKit.swift:169:32:169:32 | cert | semmle.label | cert |
 | testCryptoKit.swift:171:32:171:32 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:172:32:172:32 | credit_card_no | semmle.label | credit_card_no |
@@ -79,6 +85,12 @@ subpaths
 | testCryptoKit.swift:97:44:97:44 | cert | testCryptoKit.swift:97:44:97:44 | cert | testCryptoKit.swift:97:44:97:44 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:97:44:97:44 | cert | sensitive data (credential cert) |
 | testCryptoKit.swift:99:44:99:44 | account_no | testCryptoKit.swift:99:44:99:44 | account_no | testCryptoKit.swift:99:44:99:44 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:44:99:44 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:100:44:100:44 | credit_card_no | testCryptoKit.swift:100:44:100:44 | credit_card_no | testCryptoKit.swift:100:44:100:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:100:44:100:44 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:124:23:124:23 | cert | testCryptoKit.swift:124:23:124:23 | cert | testCryptoKit.swift:124:23:124:23 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:124:23:124:23 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:126:23:126:23 | account_no | testCryptoKit.swift:126:23:126:23 | account_no | testCryptoKit.swift:126:23:126:23 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:126:23:126:23 | account_no | sensitive data (private information account_no) |
+| testCryptoKit.swift:127:23:127:23 | credit_card_no | testCryptoKit.swift:127:23:127:23 | credit_card_no | testCryptoKit.swift:127:23:127:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:127:23:127:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoKit.swift:133:23:133:23 | cert | testCryptoKit.swift:133:23:133:23 | cert | testCryptoKit.swift:133:23:133:23 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:133:23:133:23 | cert | sensitive data (credential cert) |
+| testCryptoKit.swift:135:23:135:23 | account_no | testCryptoKit.swift:135:23:135:23 | account_no | testCryptoKit.swift:135:23:135:23 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:135:23:135:23 | account_no | sensitive data (private information account_no) |
+| testCryptoKit.swift:136:23:136:23 | credit_card_no | testCryptoKit.swift:136:23:136:23 | credit_card_no | testCryptoKit.swift:136:23:136:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:136:23:136:23 | credit_card_no | sensitive data (private information credit_card_no) |
 | testCryptoKit.swift:169:32:169:32 | cert | testCryptoKit.swift:169:32:169:32 | cert | testCryptoKit.swift:169:32:169:32 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:169:32:169:32 | cert | sensitive data (credential cert) |
 | testCryptoKit.swift:171:32:171:32 | account_no | testCryptoKit.swift:171:32:171:32 | account_no | testCryptoKit.swift:171:32:171:32 | account_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:171:32:171:32 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:172:32:172:32 | credit_card_no | testCryptoKit.swift:172:32:172:32 | credit_card_no | testCryptoKit.swift:172:32:172:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:172:32:172:32 | credit_card_no | sensitive data (private information credit_card_no) |

swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift

@@ -120,25 +120,25 @@ func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_pa
 
 func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.MD5()
-    hash.update(data: passwd)  // BAD [NOT DETECTED]
-    hash.update(data: cert)  // BAD [NOT DETECTED]
+    hash.update(data: passwd)  // BAD
+    hash.update(data: cert)  // BAD
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no)   // BAD [NOT DETECTED]
-    hash.update(data: credit_card_no)   // BAD [NOT DETECTED]
+    hash.update(data: account_no)   // BAD
+    hash.update(data: credit_card_no)   // BAD
 }
 
 func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.SHA1()
-    hash.update(data: passwd)  // BAD [NOT DETECTED]
-    hash.update(data: cert)  // BAD [NOT DETECTED]
+    hash.update(data: passwd)  // BAD
+    hash.update(data: cert)  // BAD
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
-    hash.update(data: account_no)   // BAD [NOT DETECTED]
-    hash.update(data: credit_card_no)   // BAD [NOT DETECTED]
+    hash.update(data: account_no)   // BAD
+    hash.update(data: credit_card_no)   // BAD
 }
 
 func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA256()
-    hash.update(data: passwd)  // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash.update(data: passwd)  // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD
@@ -147,7 +147,7 @@ func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd :
 
 func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA384()
-    hash.update(data: passwd)  // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash.update(data: passwd)  // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD
@@ -156,7 +156,7 @@ func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd :
 
 func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.SHA512()
-    hash.update(data: passwd)  // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash.update(data: passwd)  // BAD, not a computationally expensive hash
     hash.update(data: cert)  // GOOD
     hash.update(data: encrypted_passwd)   // GOOD  (not sensitive)
     hash.update(data: account_no)   // GOOD