Swift: Queries for CWE-311 (originally CWE-200) #10061
Conversation
…e (it has alternative meanings so is not a good test).
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
I've just pushed a load of progress.
There are some refinements I still want to make (to deal with some potential false positives; and spot certain types of sensitive data more reliably), but I'd rather do these things as follow-up. This PR is already quite big and I believe complete enough to be reviewed and merged now. |
geoffw0
added
the
ready-for-doc-review
|
The merge with main has caused some non-trivial problems in the taint flow. I'll have to fix them next week. I've requested a docs review for the two |
|
@geoffw0 👋🏻 - just wondering if this is ready for editorial review. I am confused by the presence of the |
The docs are finished and ready for review. Something needs fixing with the query itself running on latest |
|
Great, thanks for clarifying @geoffw0 ⚡ |
There was a problem hiding this comment.
@geoffw0 - this LGTM ✨
I've made minor comments on punctuation. You can ignore any you don't agree with, but it would be great to add the full stops to the list items in the references.
Also, perhaps I misunderstood but I thought these two queries related to CWE 311 🤔
The previews failed so I wasn't able to preview the qhelp files. Also, do we need to add something to the changelog?
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.qhelp
Outdated
Show resolved
Hide resolved
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.qhelp
Outdated
Show resolved
Hide resolved
swift/ql/src/queries/Security/CWE-311/CleartextTransmission.qhelp
Outdated
Show resolved
Hide resolved
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.qhelp
Outdated
Show resolved
Hide resolved
swift/ql/src/queries/Security/CWE-311/CleartextTransmission.qhelp
Outdated
Show resolved
Hide resolved
| * @precision medium | ||
| * @id swift/cleartext-storage-database | ||
| * @tags security | ||
| * external/cwe/cwe-312 |
There was a problem hiding this comment.
Shouldn't this be CWE 311?
| * external/cwe/cwe-312 | |
| * external/cwe/cwe-311 |
There was a problem hiding this comment.
Again, CWE-312 is a child of CWE-311. The relevant part of the hierarchy looks something like this:
CWE-693: Protection Mechanism Failure
|-- ...
\-- CWE-311: Missing Encryption of Sensitive Data
|-- CWE-312: Cleartext Storage of Sensitive Information
\-- CWE-319: Cleartext Transmission of Sensitive Information
There was a problem hiding this comment.
Thanks for clarifying 🙇🏻♀️
….qhelp Co-authored-by: mc <[email protected]>
Co-authored-by: mc <[email protected]>
|
Thanks for the review @mchammer01 ! |
Where is this?
Swift isn't released to the public yet, so we're not writing change notes until then. |
|
Ah, the previews ran correctly now (see |
|
The merge issues are fixed, the query is now working again. And ready to review. Some of the results are less than perfect, that will be improved by one or more follow-up PRs at some stage. Right now I just want to get the essentials in. |
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
Outdated
Show resolved
Hide resolved
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
Outdated
Show resolved
Hide resolved
|
All comments addressed (thanks for the review and help). |
| override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { | ||
| // flow out from fields of a `RealmSwiftObject` at the sink, for example in `obj.var = tainted; sink(obj)`. | ||
| isSink(node) and | ||
| exists(ClassDecl cd | | ||
| c.getAReadContent().(DataFlow::Content::FieldContent).getField() = cd.getAMember() and | ||
| cd.getType().(NominalType).getABaseType*().getName() = "RealmSwiftObject" | ||
| ) | ||
| or | ||
| // any default implicit reads | ||
| super.allowImplicitRead(node, c) | ||
| } | ||
| } |
There was a problem hiding this comment.
Fantastic! I'm very happy to see that we could get rid of all the additional taint steps 😍. I just opened #10254 which will hopefully make it possible to get a base type declaration without going the types themselves. But we can always do that change as a follow-up to avoid an unnecessary merge from main.
The idea is to have two queries, one for "Cleartext storage of sensitive information in a local database" and one for "Cleartext transmission of sensitive information". Both will use the same heuristic framework for determining what is sensitive information, but each will have different taint sinks. Right now there are no queries, just test cases covering the following:
URLNWConnection.sendAt this stage I would appreciate a review of these tests, with a particular focus on whether I've modelled Core Data and Realm in a reasonably realistic way (albeit with a lot of setup + result handling code missing as its long winded and should be irrelevant to the queries). I'm also open to other suggestions, including other sinks that might be worth considering.