Merge pull request #10045 from github/alexdenisov/swift-cwe-757

Swift: CWE-757: insecure TLS configuration

Author: AlexDenisov

swift/ql/src/queries/Security/CWE-757/InsecureTLS.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>TLS v1.0 and v1.1 versions are known to be vulnerable.</p>
+</overview>
+<recommendation>
+
+<p>Use <code>tls_protocol_version_t.TLSv12</code> or <code>tls_protocol_version_t.TLSv13</code> when configuring <code>URLSession</code>.</p>
+
+</recommendation>
+<example>
+
+<p>Specify a newer <code>tls_protocol_version_t</code> explicitly, or omit it completely as the OS will use secure defaults.</p>
+
+<sample src="SecureTLS.swift" />
+
+</example>
+<references>
+
+<li>
+  <a href="https://support.apple.com/en-gb/guide/security/sec100a75d12/web">Apple Platform Security - TLS security</a>
+  <a href="https://developer.apple.com/documentation/security/preventing_insecure_network_connections">Preventing Insecure Network Connections</a>
+</li>
+
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql

@@ -0,0 +1,55 @@
+/**
+ * @name Insecure TLS configuration
+ * @description TLS v1.0 and v1.1 versions are known to be vulnerable. TLS v1.2 or v1.3 should be used instead.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id swift/insecure-tls
+ * @tags security
+ *       external/cwe/cwe-757
+ */
+
+import swift
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import codeql.swift.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/**
+ * A taint config to detect insecure configuration of `NSURLSessionConfiguration`
+ */
+class InsecureTlsConfig extends TaintTracking::Configuration {
+  InsecureTlsConfig() { this = "InsecureTLSConfig" }
+
+  /**
+   * Holds for enum values that represent an insecure version of TLS
+   */
+  override predicate isSource(DataFlow::Node node) {
+    exists(MethodRefExpr expr, EnumElementDecl enum, string enumName |
+      node.asExpr() = expr and
+      expr.getMember() = enum and
+      enumName = enum.getName() and
+      enumName in ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
+    )
+  }
+
+  /**
+   * Holds for assignment of TLS-related properties of `NSURLSessionConfiguration`
+   */
+  override predicate isSink(DataFlow::Node node) {
+    exists(AssignExpr assign, MemberRefExpr member, string memberName |
+      assign.getSource() = node.asExpr() and
+      assign.getDest() = member and
+      memberName = member.getMember().(ConcreteVarDecl).getName() and
+      memberName in [
+          "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
+          "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
+        ]
+    )
+  }
+}
+
+from InsecureTlsConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+where config.hasFlowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This TLS configuration is insecure."

swift/ql/src/queries/Security/CWE-757/SecureTLS.swift

@@ -0,0 +1,12 @@
+// Set TLS version explicitly
+func createURLSession() -> URLSession {
+  let config = URLSessionConfiguration.default
+  config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13
+  return URLSession(configuration: config)
+}
+
+// Use the secure OS defaults
+func createURLSession() -> URLSession {
+  let config = URLSessionConfiguration.default
+  return URLSession(configuration: config)
+}

swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected

@@ -0,0 +1,86 @@
+edges
+| InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | value |
+| InsecureTLS.swift:20:7:20:7 | value :  | file://:0:0:0:0 | value |
+| InsecureTLS.swift:22:7:22:7 | value :  | file://:0:0:0:0 | value |
+| InsecureTLS.swift:23:7:23:7 | value :  | file://:0:0:0:0 | value |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:20:7:20:7 | value :  |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:22:7:22:7 | value :  |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:23:7:23:7 | value :  |
+| InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() |
+| InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:121:55:121:66 | version :  | InsecureTLS.swift:122:47:122:47 | version |
+| InsecureTLS.swift:121:55:121:66 | version :  | InsecureTLS.swift:122:47:122:47 | version :  |
+| InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:121:55:121:66 | version :  |
+| InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | self [TLSVersion] :  |
+| InsecureTLS.swift:158:7:158:7 | value :  | file://:0:0:0:0 | value :  |
+| InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  |
+| InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:158:7:158:7 | value :  |
+| InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| file://:0:0:0:0 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [TLSVersion] :  |
+nodes
+| InsecureTLS.swift:19:7:19:7 | value :  | semmle.label | value :  |
+| InsecureTLS.swift:20:7:20:7 | value :  | semmle.label | value :  |
+| InsecureTLS.swift:22:7:22:7 | value :  | semmle.label | value :  |
+| InsecureTLS.swift:23:7:23:7 | value :  | semmle.label | value :  |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 | semmle.label | .TLSv10 |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 | semmle.label | .TLSv11 |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | semmle.label | .TLSv11 :  |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 | semmle.label | .TLSv10 |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | semmle.label | .tlsProtocol10 :  |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | semmle.label | .tlsProtocol10 :  |
+| InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | semmle.label | call to getBadTLSVersion() |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | semmle.label | call to getBadTLSVersion() :  |
+| InsecureTLS.swift:121:55:121:66 | version :  | semmle.label | version :  |
+| InsecureTLS.swift:122:47:122:47 | version | semmle.label | version |
+| InsecureTLS.swift:122:47:122:47 | version :  | semmle.label | version :  |
+| InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | semmle.label | .TLSv11 :  |
+| InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | semmle.label | self [TLSVersion] :  |
+| InsecureTLS.swift:158:7:158:7 | value :  | semmle.label | value :  |
+| InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  | semmle.label | [post] def [TLSVersion] :  |
+| InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | semmle.label | def [TLSVersion] :  |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion | semmle.label | .TLSVersion |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | semmle.label | .TLSVersion :  |
+| file://:0:0:0:0 | .TLSVersion :  | semmle.label | .TLSVersion :  |
+| file://:0:0:0:0 | [post] self [TLSVersion] :  | semmle.label | [post] self [TLSVersion] :  |
+| file://:0:0:0:0 | self [TLSVersion] :  | semmle.label | self [TLSVersion] :  |
+| file://:0:0:0:0 | value | semmle.label | value |
+| file://:0:0:0:0 | value | semmle.label | value |
+| file://:0:0:0:0 | value | semmle.label | value |
+| file://:0:0:0:0 | value | semmle.label | value |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
+subpaths
+| InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:158:7:158:7 | value :  | file://:0:0:0:0 | [post] self [TLSVersion] :  | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
+| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  |
+#select
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | This TLS configuration is insecure. |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | This TLS configuration is insecure. |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | This TLS configuration is insecure. |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | This TLS configuration is insecure. |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | This TLS configuration is insecure. |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | This TLS configuration is insecure. |
+| InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:122:47:122:47 | version | This TLS configuration is insecure. |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |

swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.qlref

@@ -0,0 +1 @@
+queries/Security/CWE-757/InsecureTLS.ql

swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift

@@ -0,0 +1,173 @@
+// Stubs
+
+enum tls_protocol_version_t : UInt16 {
+  case TLSv10
+  case TLSv11
+  case TLSv12
+  case TLSv13
+}
+
+enum SSLProtocol {
+  case tlsProtocol10
+  case tlsProtocol11
+  case tlsProtocol12
+  case tlsProtocol13
+}
+
+class URLSessionConfiguration {
+  init() {}
+  var tlsMinimumSupportedProtocolVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
+  var tlsMaximumSupportedProtocolVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv13
+
+  var tlsMinimumSupportedProtocol: SSLProtocol = SSLProtocol.tlsProtocol12
+  var tlsMaximumSupportedProtocol: SSLProtocol = SSLProtocol.tlsProtocol13
+}
+
+/// tlsMinimumSupportedProtocolVersion
+
+func case_0() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv12 // GOOD
+}
+
+func case_1() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13 // GOOD
+}
+
+func case_2() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
+}
+
+func case_3() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv11 // BAD
+}
+
+/// tlsMaximumSupportedProtocolVersion
+
+func case_4() {
+  let config = URLSessionConfiguration()
+  config.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv12 // GOOD
+}
+
+func case_5() {
+  let config = URLSessionConfiguration()
+  config.tlsMaximumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
+}
+
+/// tlsMinimumSupportedProtocol
+
+func case_6() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocol = SSLProtocol.tlsProtocol10 // BAD
+}
+
+func case_7() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocol = SSLProtocol.tlsProtocol12 // GOOD
+}
+
+/// tlsMaximumSupportedProtocol
+
+func case_8() {
+  let config = URLSessionConfiguration()
+  config.tlsMaximumSupportedProtocol = SSLProtocol.tlsProtocol10 // BAD
+}
+
+func case_9() {
+  let config = URLSessionConfiguration()
+  config.tlsMaximumSupportedProtocol = SSLProtocol.tlsProtocol12 // GOOD
+}
+
+/// Indirect assignment (global vars)
+
+let badGlobalVersion = tls_protocol_version_t.TLSv10
+let goodGlobalVersion = tls_protocol_version_t.TLSv12
+
+func case_10() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = badGlobalVersion // BAD [not detected]
+}
+
+func case_11() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = goodGlobalVersion // GOOD
+}
+
+/// Indirect assignment (function calls)
+
+func getBadTLSVersion() -> tls_protocol_version_t {
+  return tls_protocol_version_t.TLSv10
+}
+
+func getGoodTLSVersion() -> tls_protocol_version_t {
+  return tls_protocol_version_t.TLSv13
+}
+
+func case_12() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = getBadTLSVersion() // BAD
+}
+
+func case_13() {
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = getGoodTLSVersion() // GOOD
+}
+
+/// Indirect assignment (via call arguments)
+
+func setTLSVersion(_ config: URLSessionConfiguration, _ version: tls_protocol_version_t) {
+  config.tlsMinimumSupportedProtocolVersion = version
+}
+
+func case_14() {
+  let config = URLSessionConfiguration()
+  setTLSVersion(config, tls_protocol_version_t.TLSv11) // BAD
+}
+
+func case_15() {
+  let config = URLSessionConfiguration()
+  setTLSVersion(config, tls_protocol_version_t.TLSv13) // GOOD
+}
+
+/// Indirect assignment (via external entity)
+
+struct BadDefault {
+  let TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv11
+}
+
+func case_16() {
+  let def = BadDefault()
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // BAD [not detected]
+}
+
+struct GoodDefault {
+  let TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
+}
+
+func case_17() {
+  let def = GoodDefault()
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
+}
+
+struct VarDefault {
+  var TLSVersion: tls_protocol_version_t = tls_protocol_version_t.TLSv12
+}
+
+func case_18() {
+  var def = VarDefault()
+  def.TLSVersion = tls_protocol_version_t.TLSv10
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // BAD
+}
+
+func case_19() {
+  var def = VarDefault()
+  def.TLSVersion = tls_protocol_version_t.TLSv13
+  let config = URLSessionConfiguration()
+  config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
+}