Merge pull request #10061 from geoffw0/cleartext

Swift: Queries for CWE-311 (originally CWE-200)

Author: MathiasVP

swift/ql/lib/codeql/swift/security/SensitiveExprs.qll

@@ -0,0 +1,156 @@
+/**
+ * Provides classes for heuristically identifying expressions that contain
+ * 'sensitive' data, meaning that they contain or return a password or other
+ * credential, or sensitive private information.
+ */
+
+import swift
+
+private newtype TSensitiveDataType =
+  TCredential() or
+  TPrivateInfo()
+
+/**
+ * A type of sensitive expression.
+ */
+abstract class SensitiveDataType extends TSensitiveDataType {
+  abstract string toString();
+
+  /**
+   * Gets a regexp for identifying expressions of this type.
+   */
+  abstract string getRegexp();
+}
+
+/**
+ * The type of sensitive expression for passwords and other credentials.
+ */
+class SensitiveCredential extends SensitiveDataType, TCredential {
+  override string toString() { result = "credential" }
+
+  override string getRegexp() {
+    result = ".*(password|passwd|accountid|account.?key|accnt.?key|license.?key|trusted).*"
+  }
+}
+
+/**
+ * The type of sensitive expression for private information.
+ */
+class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
+  override string toString() { result = "private information" }
+
+  override string getRegexp() {
+    result =
+      ".*(" +
+        // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+        // Government identifiers, such as Social Security Numbers
+        "social.?security|national.?insurance|" +
+        // Contact information, such as home addresses
+        "post.?code|zip.?code|home.?address|" +
+        // and telephone numbers
+        "telephone|home.?phone|mobile|fax.?no|fax.?number|" +
+        // Geographic location - where the user is (or was)
+        "latitude|longitude|" +
+        // Financial data - such as credit card numbers, salary, bank accounts, and debts
+        "credit.?card|debit.?card|salary|bank.?account|" +
+        // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
+        "email|" +
+        // Health - medical conditions, insurance status, prescription records
+        "birthday|birth.?date|date.?of.?birth|medical|" +
+        // Relationships - work and family
+        "employer|spouse" +
+        // ---
+        ").*"
+  }
+}
+
+/**
+ * A regexp string to identify variables etc that might be safe because they
+ * contain hashed or encrypted data, or are only a reference to data that is
+ * actually stored elsewhere.
+ */
+private string regexpProbablySafe() { result = ".*(hash|crypt|file|path|invalid).*" }
+
+/**
+ * A `VarDecl` that might be used to contain sensitive data.
+ */
+private class SensitiveVarDecl extends VarDecl {
+  SensitiveDataType sensitiveType;
+
+  SensitiveVarDecl() { this.getName().toLowerCase().regexpMatch(sensitiveType.getRegexp()) }
+
+  predicate hasInfo(string label, SensitiveDataType type) {
+    label = this.getName() and
+    sensitiveType = type
+  }
+}
+
+/**
+ * An `AbstractFunctionDecl` that might be used to contain sensitive data.
+ */
+private class SensitiveFunctionDecl extends AbstractFunctionDecl {
+  SensitiveDataType sensitiveType;
+
+  SensitiveFunctionDecl() { this.getName().toLowerCase().regexpMatch(sensitiveType.getRegexp()) }
+
+  predicate hasInfo(string label, SensitiveDataType type) {
+    label = this.getName() and
+    sensitiveType = type
+  }
+}
+
+/**
+ * An `Argument` that might be used to contain sensitive data.
+ */
+private class SensitiveArgument extends Argument {
+  SensitiveDataType sensitiveType;
+
+  SensitiveArgument() { this.getLabel().toLowerCase().regexpMatch(sensitiveType.getRegexp()) }
+
+  predicate hasInfo(string label, SensitiveDataType type) {
+    label = this.getLabel() and
+    sensitiveType = type
+  }
+}
+
+/**
+ * An expression whose value might be sensitive data.
+ */
+class SensitiveExpr extends Expr {
+  string label;
+  SensitiveDataType sensitiveType;
+
+  SensitiveExpr() {
+    // variable reference
+    this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+    or
+    // member variable reference
+    this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+    or
+    // function call
+    this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType)
+    or
+    // sensitive argument
+    exists(SensitiveArgument a |
+      a.hasInfo(label, sensitiveType) and
+      a.getExpr() = this
+    )
+  }
+
+  /**
+   * Gets the label associated with this expression.
+   */
+  string getLabel() { result = label }
+
+  /**
+   * Gets the type of sensitive expression this is.
+   */
+  SensitiveDataType getSensitiveType() { result = sensitiveType }
+
+  /**
+   * Holds if this sensitive expression might be safe because it contains
+   * hashed or encrypted data, or is only a reference to data that is stored
+   * elsewhere.
+   */
+  predicate isProbablySafe() { label.toLowerCase().regexpMatch(regexpProbablySafe()) }
+}

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Sensitive information that is stored unencrypted in a database is accessible to an attacker who gains access to that database. For example, the information could be accessed by any process or user in a rooted device, or exposed through another vulnerability.</p>
+
+</overview>
+<recommendation>
+
+<p>Either encrypt the entire database, or ensure that each piece of sensitive information is encrypted before being stored. In general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext. Avoid storing sensitive information at all if you do not need to keep it.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows three cases of storing information using the Core Data library. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+
+<sample src="CleartextStorageDatabase.swift" />
+
+</example>
+<references>
+
+<li>
+  OWASP Top 10:2021:
+  <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
+</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql

@@ -0,0 +1,105 @@
+/**
+ * @name Cleartext storage of sensitive information in a local database
+ * @description Storing sensitive information in a non-encrypted
+ *              database can expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id swift/cleartext-storage-database
+ * @tags security
+ *       external/cwe/cwe-312
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * An `Expr` that is stored in a local database.
+ */
+abstract class Stored extends Expr { }
+
+/**
+ * An `Expr` that is stored with the Core Data library.
+ */
+class CoreDataStore extends Stored {
+  CoreDataStore() {
+    // `content` arg to `NWConnection.send` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "NSManagedObject" and
+      c.getAMember() = f and
+      f.getName() = ["setValue(_:forKey:)", "setPrimitiveValue(_:forKey:)"] and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+  }
+}
+
+/**
+ * An `Expr` that is stored with the Realm database library.
+ */
+class RealmStore extends Stored {
+  RealmStore() {
+    // `object` arg to `Realm.add` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "Realm" and
+      c.getAMember() = f and
+      f.getName() = "add(_:update:)" and
+      call.getStaticTarget() = f and
+      call.getArgument(0).getExpr() = this
+    )
+    or
+    // `value` arg to `Realm.create` is a sink
+    exists(ClassDecl c, AbstractFunctionDecl f, CallExpr call |
+      c.getName() = "Realm" and
+      c.getAMember() = f and
+      f.getName() = "create(_:value:update:)" and
+      call.getStaticTarget() = f and
+      call.getArgument(1).getExpr() = this
+    )
+  }
+}
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * transmitted over a network.
+ */
+class CleartextStorageConfig extends TaintTracking::Configuration {
+  CleartextStorageConfig() { this = "CleartextStorageConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(SensitiveExpr e |
+      node.asExpr() = e and
+      not e.isProbablySafe()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Stored }
+
+  override predicate isSanitizerIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from fields of a `RealmSwiftObject` at the sink, for example in `obj.var = tainted; sink(obj)`.
+    isSink(node) and
+    exists(ClassDecl cd |
+      c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cd.getAMember() and
+      cd.getType().(NominalType).getABaseType*().getName() = "RealmSwiftObject"
+    )
+    or
+    // any default implicit reads
+    super.allowImplicitRead(node, c)
+  }
+}
+
+from CleartextStorageConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This operation stores '" + sinkNode.getNode().toString() +
+    "' in a database. It may contain unencrypted sensitive data from $@", sourceNode,
+  sourceNode.getNode().toString()

swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.swift

@@ -0,0 +1,15 @@
+
+func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String) {
+	// ...
+
+	// GOOD: not sensitive information
+	databaseObject.setValue(faveSong, forKey: "myFaveSong")
+
+	// BAD: sensitive information saved in cleartext
+	databaseObject.setValue(creditCardNo, forKey: "myCreditCardNo")
+
+	// GOOD: encrypted sensitive information saved
+	databaseObject.setValue(encrypt(creditCardNo), forKey: "myCreditCardNo")
+
+	// ...
+}

swift/ql/src/queries/Security/CWE-311/CleartextTransmission.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Sensitive information that is transmitted without encryption may be accessible to an attacker.</p>
+
+</overview>
+<recommendation>
+
+<p>Ensure that sensitive information is always encrypted before being transmitted over the network. In general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext. Avoid transmitting sensitive information when it is not necessary to.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows three cases of transmitting information. In the 'BAD' case, the data transmitted is sensitive (a credit card number) and is not encrypted.  In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
+
+<sample src="CleartextTransmission.swift" />
+
+</example>
+<references>
+
+<li>
+  OWASP Top 10:2021:
+  <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
+</li>
+
+</references>
+</qhelp>