|
| 1 | +/** |
| 2 | + * Provides classes for heuristically identifying expressions that contain |
| 3 | + * 'sensitive' data, meaning that they contain or return a password or other |
| 4 | + * credential, or sensitive private information. |
| 5 | + */ |
| 6 | + |
| 7 | +import swift |
| 8 | + |
| 9 | +private newtype TSensitiveDataType = |
| 10 | + TCredential() or |
| 11 | + TPrivateInfo() |
| 12 | + |
| 13 | +/** |
| 14 | + * A type of sensitive expression. |
| 15 | + */ |
| 16 | +abstract class SensitiveDataType extends TSensitiveDataType { |
| 17 | + abstract string toString(); |
| 18 | + |
| 19 | + /** |
| 20 | + * Gets a regexp for identifying expressions of this type. |
| 21 | + */ |
| 22 | + abstract string getRegexp(); |
| 23 | +} |
| 24 | + |
| 25 | +/** |
| 26 | + * The type of sensitive expression for passwords and other credentials. |
| 27 | + */ |
| 28 | +class SensitiveCredential extends SensitiveDataType, TCredential { |
| 29 | + override string toString() { result = "credential" } |
| 30 | + |
| 31 | + override string getRegexp() { |
| 32 | + result = ".*(password|passwd|accountid|account.?key|accnt.?key|license.?key|trusted).*" |
| 33 | + } |
| 34 | +} |
| 35 | + |
| 36 | +/** |
| 37 | + * The type of sensitive expression for private information. |
| 38 | + */ |
| 39 | +class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo { |
| 40 | + override string toString() { result = "private information" } |
| 41 | + |
| 42 | + override string getRegexp() { |
| 43 | + result = |
| 44 | + ".*(" + |
| 45 | + // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html |
| 46 | + // Government identifiers, such as Social Security Numbers |
| 47 | + "social.?security|national.?insurance|" + |
| 48 | + // Contact information, such as home addresses |
| 49 | + "post.?code|zip.?code|home.?address|" + |
| 50 | + // and telephone numbers |
| 51 | + "telephone|home.?phone|mobile|fax.?no|fax.?number|" + |
| 52 | + // Geographic location - where the user is (or was) |
| 53 | + "latitude|longitude|" + |
| 54 | + // Financial data - such as credit card numbers, salary, bank accounts, and debts |
| 55 | + "credit.?card|debit.?card|salary|bank.?account|" + |
| 56 | + // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc. |
| 57 | + "email|" + |
| 58 | + // Health - medical conditions, insurance status, prescription records |
| 59 | + "birthday|birth.?date|date.?of.?birth|medical|" + |
| 60 | + // Relationships - work and family |
| 61 | + "employer|spouse" + |
| 62 | + // --- |
| 63 | + ").*" |
| 64 | + } |
| 65 | +} |
| 66 | + |
| 67 | +/** |
| 68 | + * A regexp string to identify variables etc that might be safe because they |
| 69 | + * contain hashed or encrypted data, or are only a reference to data that is |
| 70 | + * actually stored elsewhere. |
| 71 | + */ |
| 72 | +private string regexpProbablySafe() { result = ".*(hash|crypt|file|path|invalid).*" } |
| 73 | + |
| 74 | +/** |
| 75 | + * A `VarDecl` that might be used to contain sensitive data. |
| 76 | + */ |
| 77 | +private class SensitiveVarDecl extends VarDecl { |
| 78 | + SensitiveDataType sensitiveType; |
| 79 | + |
| 80 | + SensitiveVarDecl() { this.getName().toLowerCase().regexpMatch(sensitiveType.getRegexp()) } |
| 81 | + |
| 82 | + predicate hasInfo(string label, SensitiveDataType type) { |
| 83 | + label = this.getName() and |
| 84 | + sensitiveType = type |
| 85 | + } |
| 86 | +} |
| 87 | + |
| 88 | +/** |
| 89 | + * An `AbstractFunctionDecl` that might be used to contain sensitive data. |
| 90 | + */ |
| 91 | +private class SensitiveFunctionDecl extends AbstractFunctionDecl { |
| 92 | + SensitiveDataType sensitiveType; |
| 93 | + |
| 94 | + SensitiveFunctionDecl() { this.getName().toLowerCase().regexpMatch(sensitiveType.getRegexp()) } |
| 95 | + |
| 96 | + predicate hasInfo(string label, SensitiveDataType type) { |
| 97 | + label = this.getName() and |
| 98 | + sensitiveType = type |
| 99 | + } |
| 100 | +} |
| 101 | + |
| 102 | +/** |
| 103 | + * An `Argument` that might be used to contain sensitive data. |
| 104 | + */ |
| 105 | +private class SensitiveArgument extends Argument { |
| 106 | + SensitiveDataType sensitiveType; |
| 107 | + |
| 108 | + SensitiveArgument() { this.getLabel().toLowerCase().regexpMatch(sensitiveType.getRegexp()) } |
| 109 | + |
| 110 | + predicate hasInfo(string label, SensitiveDataType type) { |
| 111 | + label = this.getLabel() and |
| 112 | + sensitiveType = type |
| 113 | + } |
| 114 | +} |
| 115 | + |
| 116 | +/** |
| 117 | + * An expression whose value might be sensitive data. |
| 118 | + */ |
| 119 | +class SensitiveExpr extends Expr { |
| 120 | + string label; |
| 121 | + SensitiveDataType sensitiveType; |
| 122 | + |
| 123 | + SensitiveExpr() { |
| 124 | + // variable reference |
| 125 | + this.(DeclRefExpr).getDecl().(SensitiveVarDecl).hasInfo(label, sensitiveType) |
| 126 | + or |
| 127 | + // member variable reference |
| 128 | + this.(MemberRefExpr).getMember().(SensitiveVarDecl).hasInfo(label, sensitiveType) |
| 129 | + or |
| 130 | + // function call |
| 131 | + this.(ApplyExpr).getStaticTarget().(SensitiveFunctionDecl).hasInfo(label, sensitiveType) |
| 132 | + or |
| 133 | + // sensitive argument |
| 134 | + exists(SensitiveArgument a | |
| 135 | + a.hasInfo(label, sensitiveType) and |
| 136 | + a.getExpr() = this |
| 137 | + ) |
| 138 | + } |
| 139 | + |
| 140 | + /** |
| 141 | + * Gets the label associated with this expression. |
| 142 | + */ |
| 143 | + string getLabel() { result = label } |
| 144 | + |
| 145 | + /** |
| 146 | + * Gets the type of sensitive expression this is. |
| 147 | + */ |
| 148 | + SensitiveDataType getSensitiveType() { result = sensitiveType } |
| 149 | + |
| 150 | + /** |
| 151 | + * Holds if this sensitive expression might be safe because it contains |
| 152 | + * hashed or encrypted data, or is only a reference to data that is stored |
| 153 | + * elsewhere. |
| 154 | + */ |
| 155 | + predicate isProbablySafe() { label.toLowerCase().regexpMatch(regexpProbablySafe()) } |
| 156 | +} |
0 commit comments