Swift: bake in isProbablySafe in SensitiveExpr

redsun82 · redsun82 · commit c739bbb0515f · 2022-09-09T11:00:02.000+02:00
Also restructured the code a bit in the weak hashing query.
diff --git a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -121,20 +121,24 @@ class SensitiveExpr extends Expr {
   SensitiveDataType sensitiveType;
 
   SensitiveExpr() {
-    // variable reference
-    this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType)
-    or
-    // member variable reference
-    this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType)
-    or
-    // function call
-    this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType)
-    or
-    // sensitive argument
-    exists(SensitiveArgument a |
-      a.hasInfo(label, sensitiveType) and
-      a.getExpr() = this
-    )
+    (
+      // variable reference
+      this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+      or
+      // member variable reference
+      this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType)
+      or
+      // function call
+      this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType)
+      or
+      // sensitive argument
+      exists(SensitiveArgument a |
+        a.hasInfo(label, sensitiveType) and
+        a.getExpr() = this
+      )
+    ) and
+    // do not mark as sensitive it if it is probably safe
+    not label.toLowerCase().regexpMatch(regexpProbablySafe())
   }
 
   /**
@@ -146,11 +150,4 @@ class SensitiveExpr extends Expr {
    * Gets the type of sensitive expression this is.
    */
   SensitiveDataType getSensitiveType() { result = sensitiveType }
-
-  /**
-   * Holds if this sensitive expression might be safe because it contains
-   * hashed or encrypted data, or is only a reference to data that is stored
-   * elsewhere.
-   */
-  predicate isProbablySafe() { label.toLowerCase().regexpMatch(regexpProbablySafe()) }
 }
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql b/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
@@ -70,12 +70,7 @@ class RealmStore extends Stored {
 class CleartextStorageConfig extends TaintTracking::Configuration {
   CleartextStorageConfig() { this = "CleartextStorageConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(SensitiveExpr e |
-      node.asExpr() = e and
-      not e.isProbablySafe()
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
 
   override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Stored }
 
diff --git a/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql b/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
@@ -63,12 +63,7 @@ class URL extends Transmitted {
 class CleartextTransmissionConfig extends TaintTracking::Configuration {
   CleartextTransmissionConfig() { this = "CleartextTransmissionConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(SensitiveExpr e |
-      node.asExpr() = e and
-      not e.isProbablySafe()
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
 
   override predicate isSink(DataFlow::Node node) { node.asExpr() instanceof Transmitted }
 
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
@@ -20,21 +20,24 @@ import DataFlow::PathGraph
 class WeakHashingConfig extends TaintTracking::Configuration {
   WeakHashingConfig() { this = "WeakHashingConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(SensitiveExpr e |
-      node.asExpr() = e and
-      not e.isProbablySafe()
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node instanceof WeakHashingConfig::Source }
 
   override predicate isSink(DataFlow::Node node) { node instanceof WeakHashingConfig::Sink }
 }
 
 module WeakHashingConfig {
-  class Sink extends DataFlow::Node {
+  class Source extends DataFlow::Node {
+    Source() { this.asExpr() instanceof SensitiveExpr }
+  }
+
+  abstract class Sink extends DataFlow::Node {
+    abstract string getAlgorithm();
+  }
+
+  class CryptoHash extends Sink {
     string algorithm;
 
-    Sink() {
+    CryptoHash() {
       exists(ApplyExpr call, FuncDecl func |
         call.getAnArgument().getExpr() = this.asExpr() and
         call.getStaticTarget() = func and
@@ -44,14 +47,17 @@ module WeakHashingConfig {
       )
     }
 
-    string getAlgorithm() { result = algorithm }
+    override string getAlgorithm() { result = algorithm }
   }
 }
 
-from WeakHashingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink, string algorithm
+from
+  WeakHashingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink, string algorithm,
+  SensitiveExpr expr
 where
   config.hasFlowPath(source, sink) and
-  algorithm = sink.getNode().(WeakHashingConfig::Sink).getAlgorithm()
+  algorithm = sink.getNode().(WeakHashingConfig::Sink).getAlgorithm() and
+  expr = source.getNode().asExpr()
 select sink.getNode(), source, sink,
   "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),
-  "sensitive data"
+  "sensitive data (" + expr.getSensitiveType() + " " + expr.getLabel() + ")"
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -1,13 +1,8 @@
 | testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
-| testCoreData.swift:49:15:49:15 | password_hash | isProbablySafe, label:password_hash, type:credential |
 | testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
-| testCoreData.swift:52:24:52:24 | password_hash | isProbablySafe, label:password_hash, type:credential |
 | testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
-| testCoreData.swift:59:15:59:15 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:61:25:61:25 | password | label:password, type:credential |
-| testCoreData.swift:62:25:62:25 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
-| testCoreData.swift:65:16:65:16 | password_file | isProbablySafe, label:password_file, type:credential |
 | testCoreData.swift:77:2:77:25 | call to doSomething(password:) | label:doSomething(password:), type:credential |
 | testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
 | testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword(), type:credential |
@@ -16,16 +11,10 @@
 | testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |
 | testCoreData.swift:93:10:93:10 | passwd | label:passwd, type:credential |
 | testRealm.swift:34:11:34:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:38:11:38:11 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testRealm.swift:42:11:42:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:46:11:46:11 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testRealm.swift:52:12:52:12 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:55:12:55:12 | myHashedPassword | isProbablySafe, label:myHashedPassword, type:credential |
 | testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:30:19:30:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
 | testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:34:19:34:19 | passwordHash | isProbablySafe, label:passwordHash, type:credential |
 | testURL.swift:13:54:13:54 | passwd | label:passwd, type:credential |
-| testURL.swift:14:54:14:54 | encrypted_passwd | isProbablySafe, label:encrypted_passwd, type:credential |
 | testURL.swift:16:55:16:55 | credit_card_no | label:credit_card_no, type:private information |
 | testURL.swift:20:22:20:22 | passwd | label:passwd, type:credential |
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.ql b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.ql
@@ -5,8 +5,6 @@ string describe(SensitiveExpr e) {
   result = "label:" + e.getLabel()
   or
   result = "type:" + e.getSensitiveType().toString()
-  or
-  e.isProbablySafe() and result = "isProbablySafe"
 }
 
 from SensitiveExpr e
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
@@ -14,15 +14,15 @@ nodes
 | testCrypto.swift:67:32:67:32 | credit_card_no | semmle.label | credit_card_no |
 subpaths
 #select
-| testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:25:47:25:47 | passwd | sensitive data |
-| testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:28:43:28:43 | credit_card_no | sensitive data |
-| testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:32:48:32:48 | passwd | sensitive data |
-| testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:35:44:35:44 | credit_card_no | sensitive data |
-| testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:40:23:40:23 | passwd | sensitive data |
-| testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:43:23:43:23 | credit_card_no | sensitive data |
-| testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:48:23:48:23 | passwd | sensitive data |
-| testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:51:23:51:23 | credit_card_no | sensitive data |
-| testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:32:56:32 | passwd | sensitive data |
-| testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:59:32:59:32 | credit_card_no | sensitive data |
-| testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:64:32:64:32 | passwd | sensitive data |
-| testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:32:67:32 | credit_card_no | sensitive data |
+| testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:25:47:25:47 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:28:43:28:43 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:32:48:32:48 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:35:44:35:44 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:40:23:40:23 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:43:23:43:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:48:23:48:23 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:51:23:51:23 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:32:56:32 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:59:32:59:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:64:32:64:32 | passwd | sensitive data (credential passwd) |
+| testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:32:67:32 | credit_card_no | sensitive data (private information credit_card_no) |

Original file line number	Diff line number	Diff line change
`@@ -5,8 +5,6 @@ string describe(SensitiveExpr e) {`
`5`	`5`	`result = "label:" + e.getLabel()`
`6`	`6`	`or`
`7`	`7`	`result = "type:" + e.getSensitiveType().toString()`
`8`		`- or`
`9`		`- e.isProbablySafe() and result = "isProbablySafe"`
`10`	`8`	`}`
`11`	`9`
`12`	`10`	`from SensitiveExpr e`