Swift: add more testing to WeakSensitiveDataHashing

redsun82 · redsun82 · commit 6223103bbd6e · 2022-09-09T11:02:08.000+02:00
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
@@ -1,28 +1,42 @@
 edges
+| testCrypto.swift:56:47:56:47 | passwd :  | testCrypto.swift:63:44:63:44 | passwd |
+| testCrypto.swift:60:43:60:43 | credit_card_no :  | testCrypto.swift:61:43:61:43 | credit_card_no |
+| testCrypto.swift:60:43:60:43 | credit_card_no :  | testCrypto.swift:61:43:61:43 | credit_card_no :  |
+| testCrypto.swift:60:43:60:43 | credit_card_no :  | testCrypto.swift:67:44:67:44 | credit_card_no |
+| testCrypto.swift:61:43:61:43 | credit_card_no :  | testCrypto.swift:67:44:67:44 | credit_card_no |
 nodes
-| testCrypto.swift:25:47:25:47 | passwd | semmle.label | passwd |
-| testCrypto.swift:28:43:28:43 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:32:48:32:48 | passwd | semmle.label | passwd |
-| testCrypto.swift:35:44:35:44 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:40:23:40:23 | passwd | semmle.label | passwd |
-| testCrypto.swift:43:23:43:23 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:48:23:48:23 | passwd | semmle.label | passwd |
-| testCrypto.swift:51:23:51:23 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:56:32:56:32 | passwd | semmle.label | passwd |
-| testCrypto.swift:59:32:59:32 | credit_card_no | semmle.label | credit_card_no |
-| testCrypto.swift:64:32:64:32 | passwd | semmle.label | passwd |
-| testCrypto.swift:67:32:67:32 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:56:47:56:47 | passwd | semmle.label | passwd |
+| testCrypto.swift:56:47:56:47 | passwd :  | semmle.label | passwd :  |
+| testCrypto.swift:60:43:60:43 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:60:43:60:43 | credit_card_no :  | semmle.label | credit_card_no :  |
+| testCrypto.swift:61:43:61:43 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:61:43:61:43 | credit_card_no :  | semmle.label | credit_card_no :  |
+| testCrypto.swift:63:44:63:44 | passwd | semmle.label | passwd |
+| testCrypto.swift:67:44:67:44 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:90:23:90:23 | passwd | semmle.label | passwd |
+| testCrypto.swift:94:23:94:23 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:99:23:99:23 | passwd | semmle.label | passwd |
+| testCrypto.swift:103:23:103:23 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:132:32:132:32 | passwd | semmle.label | passwd |
+| testCrypto.swift:136:32:136:32 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:141:32:141:32 | passwd | semmle.label | passwd |
+| testCrypto.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
 subpaths
 #select
-| testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:25:47:25:47 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:28:43:28:43 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:32:48:32:48 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:35:44:35:44 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:40:23:40:23 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:43:23:43:23 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:48:23:48:23 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:51:23:51:23 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:32:56:32 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:59:32:59:32 | credit_card_no | sensitive data (private information credit_card_no) |
-| testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:64:32:64:32 | passwd | sensitive data (credential passwd) |
-| testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:32:67:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | testCrypto.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no :  | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:56:47:56:47 | passwd :  | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:56:47:56:47 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | testCrypto.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:63:44:63:44 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:60:43:60:43 | credit_card_no :  | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:60:43:60:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:61:43:61:43 | credit_card_no :  | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:61:43:61:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | testCrypto.swift:67:44:67:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:44:67:44 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | testCrypto.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:90:23:90:23 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | testCrypto.swift:94:23:94:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:94:23:94:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | testCrypto.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:99:23:99:23 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | testCrypto.swift:103:23:103:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:103:23:103:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | testCrypto.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:132:32:132:32 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | testCrypto.swift:136:32:136:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:136:32:136:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | testCrypto.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:141:32:141:32 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | testCrypto.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCrypto.swift b/swift/ql/test/query-tests/Security/CWE-328/testCrypto.swift
@@ -1,5 +1,36 @@
 //codeql-extractor-options: -module-name Crypto
 
+struct SHA256 {
+    static func hash<D>(data: D) -> [UInt8] {
+        return []
+    }
+
+    func update<D>(data: D) {}
+    func update(bufferPointer: UnsafeRawBufferPointer) {}
+    func finalize() -> [UInt8] { return [] }
+}
+
+struct SHA384 {
+    static func hash<D>(data: D) -> [UInt8] {
+        return []
+    }
+
+    func update<D>(data: D) {}
+    func update(bufferPointer: UnsafeRawBufferPointer) {}
+    func finalize() -> [UInt8] { return [] }
+}
+
+struct SHA512 {
+    static func hash<D>(data: D) -> [UInt8] {
+        return []
+    }
+
+    func update<D>(data: D) {}
+    func update(bufferPointer: UnsafeRawBufferPointer) {}
+    func finalize() -> [UInt8] { return [] }
+}
+
+
 enum Insecure {
     struct MD5 {
         static func hash<D>(data: D) -> [UInt8] {
@@ -21,48 +52,119 @@ enum Insecure {
     }
 }
 
-func test1(passwd : UnsafeRawBufferPointer, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.MD5.hash(data: passwd)  // BAD
+    hash = Crypto.Insecure.MD5.hash(data: cert)   // BAD [NOT DETECTED]
     hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash = Crypto.Insecure.MD5.hash(data: account_no)   // BAD [NOT DETECTED]
     hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
-}
+    hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
 
-func test2(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
-    var hash = Crypto.Insecure.SHA1.hash(data: passwd)  // BAD
+    hash = Crypto.Insecure.SHA1.hash(data: passwd)  // BAD
+    hash = Crypto.Insecure.SHA1.hash(data: cert)   // BAD [NOT DETECTED]
     hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash = Crypto.Insecure.SHA1.hash(data: account_no)   // BAD [NOT DETECTED]
     hash = Crypto.Insecure.SHA1.hash(data: credit_card_no)   // BAD
+
+    hash = Crypto.SHA256.hash(data: passwd)   // BAD [NOT DETECTED] not a computationally hard hash
+    hash = Crypto.SHA256.hash(data: cert)   // GOOD
+    hash = Crypto.SHA256.hash(data: account_no)   // GOOD
+    hash = Crypto.SHA256.hash(data: credit_card_no)   // GOOD
+    hash = Crypto.SHA256.hash(data: credit_card_no)   // GOOD
+
+    hash = Crypto.SHA256.hash(data: passwd)   // BAD [NOT DETECTED] not a computationally hard hash
+    hash = Crypto.SHA384.hash(data: cert)   // GOOD
+    hash = Crypto.SHA384.hash(data: account_no)   // GOOD
+    hash = Crypto.SHA384.hash(data: credit_card_no)   // GOOD
+    hash = Crypto.SHA384.hash(data: credit_card_no)   // GOOD
+
+    hash = Crypto.SHA256.hash(data: passwd)   // BAD [NOT DETECTED] not a computationally hard hash
+    hash = Crypto.SHA512.hash(data: cert)   // GOOD
+    hash = Crypto.SHA512.hash(data: account_no)   // GOOD
+    hash = Crypto.SHA512.hash(data: credit_card_no)   // GOOD
+    hash = Crypto.SHA512.hash(data: credit_card_no)   // GOOD
 }
 
-func test3(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+func testMD5UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.MD5()
     hash.update(data: passwd)  // BAD
+    hash.update(data: cert)  // BAD [NOT DETECTED]
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(data: account_no)   // BAD [NOT DETECTED]
     hash.update(data: credit_card_no)   // BAD
 }
 
-func test4(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+func testSHA1UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.SHA1()
     hash.update(data: passwd)  // BAD
+    hash.update(data: cert)  // BAD [NOT DETECTED]
     hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(data: account_no)   // BAD [NOT DETECTED]
     hash.update(data: credit_card_no)   // BAD
 }
 
-func test5(passwd : UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+func testSHA256UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.SHA256()
+    hash.update(data: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(data: cert)  // GOOD
+    hash.update(data: account_no)   // GOOD
+    hash.update(data: credit_card_no)   // GOOD
+}
+
+func testSHA384UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.SHA384()
+    hash.update(data: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(data: cert)  // GOOD
+    hash.update(data: account_no)   // GOOD
+    hash.update(data: credit_card_no)   // GOOD
+}
+
+func testSHA512UpdateWithData(passwd : String, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.SHA512()
+    hash.update(data: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(data: cert)  // GOOD
+    hash.update(data: account_no)   // GOOD
+    hash.update(data: credit_card_no)   // GOOD
+}
+
+func testMD5UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.Insecure.MD5()
     hash.update(bufferPointer: passwd)  // BAD
+    hash.update(bufferPointer: cert)  // BAD [NOT DETECTED]
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
     hash.update(bufferPointer: credit_card_no)   // BAD
 }
 
-func test6(passwd : UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+func testSHA1UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
     var hash = Crypto.Insecure.SHA1()
     hash.update(bufferPointer: passwd)  // BAD
+    hash.update(bufferPointer: cert)  // BAD [NOT DETECTED]
     hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
     hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
     hash.update(bufferPointer: credit_card_no)   // BAD
 }
+
+func testSHA256UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+    var hash = Crypto.SHA256()
+    hash.update(bufferPointer: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(bufferPointer: cert)  // GOOD
+    hash.update(bufferPointer: account_no)   // GOOD
+    hash.update(bufferPointer: credit_card_no)   // GOOD
+}
+
+func testSHA384UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+    var hash = Crypto.SHA384()
+    hash.update(bufferPointer: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(bufferPointer: cert)  // GOOD
+    hash.update(bufferPointer: account_no)   // GOOD
+    hash.update(bufferPointer: credit_card_no)   // GOOD
+}
+
+func testSHA512UpdateWithUnsafeRawBufferPointer(passwd : UnsafeRawBufferPointer, cert: UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+    var hash = Crypto.SHA512()
+    hash.update(bufferPointer: passwd)  // BAD [NOT DETECTED] not a computationally hard hash
+    hash.update(bufferPointer: cert)  // GOOD
+    hash.update(bufferPointer: account_no)   // GOOD
+    hash.update(bufferPointer: credit_card_no)   // GOOD
+}
