
Commit d1cfdb9

committed
Swift: Model RNCryptor.
1 parent a92e1c7 commit d1cfdb9


3 files changed

+37
-6
lines changed


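--- a/swift/ql/src/queries/Security/CWE-760/ConstantSalt.ql
+++ b/swift/ql/src/queries/Security/CWE-760/ConstantSalt.ql
@@ -38,6 +38,14 @@ class ConstantSaltSink extends Expr {
 call.getStaticTarget() = f and
 call.getArgumentWithLabel("salt").getExpr() = this
 )
+or
+// RNCryptor
+exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
+c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
+c.getAMember() = f and
+call.getStaticTarget() = f and
+call.getArgumentWithLabel(["salt", "encryptionSalt", "hmacSalt", "HMACSalt"]).getExpr() = this
+)
 }
 }
 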
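Review bot: The `// RNCryptor` comment at the top of the added disjunct does not say why four distinct argument labels are listed, so a later reader may take the mixed-case `hmacSalt`/`HMACSalt` pair for a typo and collapse it. I would expand it to `// RNCryptor: the salt is passed as 'salt' on key derivation, and as 'encryptionSalt'/'hmacSalt' on initializers and encryptData; the 'HMACSalt' spelling is the Objective-C-style overload of the same API.`, which matches the call shapes exercised in the rncryptor.swift test in this commit. The type is selected by `getFullName()` alone, so any type named `RNCryptor`, `RNEncryptor` or `RNDecryptor` in any module is treated as the library; if the query library has a module-scoping convention for framework models, consider applying it here. The enclosing predicate begins before this hunk.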
@@ -1,17 +1,40 @@
11
edges
2+
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : |
3+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | rncryptor.swift:63:57:63:57 | myConstantSalt1 |
4+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | rncryptor.swift:68:106:68:106 | myConstantSalt1 |
5+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | rncryptor.swift:71:106:71:106 | myConstantSalt1 |
6+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | rncryptor.swift:75:127:75:127 | myConstantSalt1 |
7+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | rncryptor.swift:78:135:78:135 | myConstantSalt1 |
8+
| rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : |
9+
| rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:59:24:59:43 | call to Data.init(_:) : |
210
| test.swift:43:35:43:130 | [...] : | test.swift:51:49:51:49 | constantSalt |
311
| test.swift:43:35:43:130 | [...] : | test.swift:56:59:56:59 | constantSalt |
412
| test.swift:43:35:43:130 | [...] : | test.swift:62:59:62:59 | constantSalt |
513
| test.swift:43:35:43:130 | [...] : | test.swift:67:53:67:53 | constantSalt |
614
nodes
15+
| file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | semmle.label | [summary] to write: return (return) in Data.init(_:) : |
16+
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | semmle.label | [summary param] 0 in Data.init(_:) : |
17+
| rncryptor.swift:59:24:59:43 | call to Data.init(_:) : | semmle.label | call to Data.init(_:) : |
18+
| rncryptor.swift:59:29:59:29 | abcdef123456 : | semmle.label | abcdef123456 : |
19+
| rncryptor.swift:63:57:63:57 | myConstantSalt1 | semmle.label | myConstantSalt1 |
20+
| rncryptor.swift:68:106:68:106 | myConstantSalt1 | semmle.label | myConstantSalt1 |
21+
| rncryptor.swift:71:106:71:106 | myConstantSalt1 | semmle.label | myConstantSalt1 |
22+
| rncryptor.swift:75:127:75:127 | myConstantSalt1 | semmle.label | myConstantSalt1 |
23+
| rncryptor.swift:78:135:78:135 | myConstantSalt1 | semmle.label | myConstantSalt1 |
724
| test.swift:43:35:43:130 | [...] : | semmle.label | [...] : |
825
| test.swift:51:49:51:49 | constantSalt | semmle.label | constantSalt |
926
| test.swift:56:59:56:59 | constantSalt | semmle.label | constantSalt |
1027
| test.swift:62:59:62:59 | constantSalt | semmle.label | constantSalt |
1128
| test.swift:67:53:67:53 | constantSalt | semmle.label | constantSalt |
1229
subpaths
30+
| rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | rncryptor.swift:59:24:59:43 | call to Data.init(_:) : |
1331
#select
32+
| rncryptor.swift:63:57:63:57 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:63:57:63:57 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
33+
| rncryptor.swift:68:106:68:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:68:106:68:106 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
34+
| rncryptor.swift:71:106:71:106 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:71:106:71:106 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
35+
| rncryptor.swift:75:127:75:127 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:75:127:75:127 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
36+
| rncryptor.swift:78:135:78:135 | myConstantSalt1 | rncryptor.swift:59:29:59:29 | abcdef123456 : | rncryptor.swift:78:135:78:135 | myConstantSalt1 | The value 'abcdef123456' is used as a constant salt, which is insecure for hashing passwords. |
1437
| test.swift:51:49:51:49 | constantSalt | test.swift:43:35:43:130 | [...] : | test.swift:51:49:51:49 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
1538
| test.swift:56:59:56:59 | constantSalt | test.swift:43:35:43:130 | [...] : | test.swift:56:59:56:59 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
1639
| test.swift:62:59:62:59 | constantSalt | test.swift:43:35:43:130 | [...] : | test.swift:62:59:62:59 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
17-
| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] : | test.swift:67:53:67:53 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |
40+
| test.swift:67:53:67:53 | constantSalt | test.swift:43:35:43:130 | [...] : | test.swift:67:53:67:53 | constantSalt | The value '[...]' is used as a constant salt, which is insecure for hashing passwords. |

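--- a/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift
+++ b/swift/ql/test/query-tests/Security/CWE-760/rncryptor.swift
@@ -60,21 +60,21 @@ func test(myPassword: String) {
 let myConstantSalt2 = Data(0)
 
 let _ = myEncryptor.key(forPassword: myPassword, salt: myRandomSalt1, settings: myKeyDerivationSettings) // GOOD
-let _ = myEncryptor.key(forPassword: myPassword, salt: myConstantSalt1, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
+let _ = myEncryptor.key(forPassword: myPassword, salt: myConstantSalt1, settings: myKeyDerivationSettings) // BAD
 let _ = myEncryptor.keyForPassword(myPassword, salt: myRandomSalt2, settings: myKeyDerivationSettings) // GOOD
 let _ = myEncryptor.keyForPassword(myPassword, salt: myConstantSalt2, settings: myKeyDerivationSettings) // BAD [NOT DETECTED]
 
 let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // GOOD
-let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // BAD [NOT DETECTED]
+let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2, handler: myHandler) // BAD
 let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2, handler: myHandler) // BAD [NOT DETECTED]
 let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // GOOD
-let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // BAD [NOT DETECTED]
+let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2, handler: myHandler) // BAD
 let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2, handler: myHandler) // BAD [NOT DETECTED]
 
 let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myRandomSalt2) // GOOD
-let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2) // BAD [NOT DETECTED]
+let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myConstantSalt1, hmacSalt: myRandomSalt2) // BAD
 let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myIV, encryptionSalt: myRandomSalt1, hmacSalt: myConstantSalt2) // BAD [NOT DETECTED]
 let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myRandomSalt2) // GOOD
-let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2) // BAD [NOT DETECTED]
+let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myConstantSalt1, HMACSalt: myRandomSalt2) // BAD
 let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myIV, encryptionSalt: myRandomSalt1, HMACSalt: myConstantSalt2) // BAD [NOT DETECTED]
 }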
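Review bot: Every line still marked `// BAD [NOT DETECTED]` (65, 69, 72, 76, 79) passes `myConstantSalt2`, built with `Data(0)` on line 60, while every case flipped to `// BAD` in this hunk passes `myConstantSalt1`; the annotations do not record that distinction, so the next reader cannot tell whether the remaining gap is in the sink labels just added or in what the query accepts as a constant-salt source. The consistent split suggests the gap is on the source side, but that is an inference from this test alone and worth confirming against the query. I would record it once, on line 65: `let _ = myEncryptor.keyForPassword(myPassword, salt: myConstantSalt2, settings: myKeyDerivationSettings) // BAD [NOT DETECTED] - Data(0) source, see line 60`. The `test` function begins before this hunk.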
