Skip to content

Commit 581c478

Browse files
committed
Swift: Model RNCryptor.
1 parent bb59d05 commit 581c478

File tree

3 files changed

+24
-2
lines changed

3 files changed

+24
-2
lines changed

swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ class EncryptionInitializationSink extends Expr {
4040
], _) and
4141
call.getArgumentWithLabel("iv").getExpr() = this
4242
)
43+
or
44+
// RNCryptor
45+
exists(ClassOrStructDecl c, MethodDecl f, CallExpr call |
46+
c.getFullName() = ["RNCryptor", "RNEncryptor", "RNDecryptor"] and
47+
c.getAMember() = f and
48+
call.getStaticTarget() = f and
49+
call.getArgumentWithLabel(["iv", "IV"]).getExpr() = this
50+
)
4351
}
4452
}
4553

swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,9 @@
11
edges
2+
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : |
3+
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | rncryptor.swift:74:84:74:84 | myConstIV4 |
4+
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | rncryptor.swift:83:113:83:113 | myConstIV4 |
5+
| rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : |
6+
| rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:63:19:63:28 | call to Data.init(_:) : |
27
| test.swift:53:19:53:34 | iv : | test.swift:54:17:54:17 | iv |
38
| test.swift:85:3:85:3 | this string is constant : | test.swift:101:17:101:35 | call to getConstantString() : |
49
| test.swift:99:25:99:120 | [...] : | test.swift:128:33:128:33 | iv |
@@ -23,6 +28,12 @@ edges
2328
| test.swift:101:17:101:35 | call to getConstantString() : | test.swift:130:39:130:39 | ivString |
2429
| test.swift:147:22:147:22 | iv : | test.swift:53:19:53:34 | iv : |
2530
nodes
31+
| file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | semmle.label | [summary] to write: return (return) in Data.init(_:) : |
32+
| rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | semmle.label | [summary param] 0 in Data.init(_:) : |
33+
| rncryptor.swift:63:19:63:28 | call to Data.init(_:) : | semmle.label | call to Data.init(_:) : |
34+
| rncryptor.swift:63:24:63:24 | iv : | semmle.label | iv : |
35+
| rncryptor.swift:74:84:74:84 | myConstIV4 | semmle.label | myConstIV4 |
36+
| rncryptor.swift:83:113:83:113 | myConstIV4 | semmle.label | myConstIV4 |
2637
| test.swift:53:19:53:34 | iv : | semmle.label | iv : |
2738
| test.swift:54:17:54:17 | iv | semmle.label | iv |
2839
| test.swift:85:3:85:3 | this string is constant : | semmle.label | this string is constant : |
@@ -49,7 +60,10 @@ nodes
4960
| test.swift:167:22:167:22 | iv | semmle.label | iv |
5061
| test.swift:168:22:168:22 | iv | semmle.label | iv |
5162
subpaths
63+
| rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:5:5:5:29 | [summary param] 0 in Data.init(_:) : | file://:0:0:0:0 | [summary] to write: return (return) in Data.init(_:) : | rncryptor.swift:63:19:63:28 | call to Data.init(_:) : |
5264
#select
65+
| rncryptor.swift:74:84:74:84 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:74:84:74:84 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. |
66+
| rncryptor.swift:83:113:83:113 | myConstIV4 | rncryptor.swift:63:24:63:24 | iv : | rncryptor.swift:83:113:83:113 | myConstIV4 | The static value 'iv' is used as an initialization vector for encryption. |
5367
| test.swift:54:17:54:17 | iv | test.swift:99:25:99:120 | [...] : | test.swift:54:17:54:17 | iv | The static value '[...]' is used as an initialization vector for encryption. |
5468
| test.swift:112:36:112:36 | ivString | test.swift:85:3:85:3 | this string is constant : | test.swift:112:36:112:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |
5569
| test.swift:113:36:113:36 | ivString | test.swift:85:3:85:3 | this string is constant : | test.swift:113:36:113:36 | ivString | The static value 'this string is constant' is used as an initialization vector for encryption. |

swift/ql/test/query-tests/Security/CWE-1204/rncryptor.swift

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ func test(myPassword: String) {
7171
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // GOOD
7272
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2, handler: myHandler) // BAD [NOT DETECTED]
7373
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // GOOD
74-
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD [NOT DETECTED]
74+
let _ = RNEncryptor(settings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2, handler: myHandler) // BAD
7575

7676
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myRandomIV) // GOOD
7777
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, encryptionKey: myKey, hmacKey: myHMACKey, iv: myConstIV1) // BAD [NOT DETECTED]
@@ -80,5 +80,5 @@ func test(myPassword: String) {
8080
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myRandomIV, encryptionSalt: mySalt, hmacSalt: mySalt2) // GOOD
8181
let _ = try? myEncryptor.encryptData(myData, with: kRNCryptorAES256Settings, password: myPassword, iv: myConstIV3, encryptionSalt: mySalt, hmacSalt: mySalt2) // BAD [NOT DETECTED]
8282
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myRandomIV, encryptionSalt: mySalt, HMACSalt: mySalt2) // GOOD
83-
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD [NOT DETECTED]
83+
let _ = try? myEncryptor.encryptData(myData, withSettings: kRNCryptorAES256Settings, password: myPassword, IV: myConstIV4, encryptionSalt: mySalt, HMACSalt: mySalt2) // BAD
8484
}

0 commit comments

Comments
 (0)