Swift: Make passwords their own sensitive data type.

geoffw0 · geoffw0 · commit 5faa25fc6c13 · 2023-12-14T16:09:47.000Z
diff --git a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -10,6 +10,7 @@ private import codeql.swift.dataflow.DataFlow
 private import codeql.swift.dataflow.ExternalFlow
 
 private newtype TSensitiveDataType =
+  TPassword() or
   TCredential() or
   TPrivateInfo()
 
@@ -26,18 +27,32 @@ abstract class SensitiveDataType extends TSensitiveDataType {
 }
 
 /**
- * The type of sensitive expression for passwords and other credentials.
+ * The type of sensitive expression for passwords.
+ */
+class SensitivePassword extends SensitiveDataType, TPassword {
+  override string toString() { result = "password" }
+
+  override string getRegexp() {
+    result = HeuristicNames::maybeSensitiveRegexp(SensitiveDataClassification::password())
+    or
+    result = "(?is).*pass.?phrase.*"
+  }
+}
+
+/**
+ * The type of sensitive expression for credentials and secrets other than passwords.
  */
 class SensitiveCredential extends SensitiveDataType, TCredential {
   override string toString() { result = "credential" }
 
   override string getRegexp() {
     exists(SensitiveDataClassification classification |
+      not classification = SensitiveDataClassification::password() and // covered by `SensitivePassword`
       not classification = SensitiveDataClassification::id() and // not accurate enough
       result = HeuristicNames::maybeSensitiveRegexp(classification)
     )
     or
-    result = "(?is).*((account|accnt|licen(se|ce)).?(id|key)|one.?time.?code|pass.?phrase).*"
+    result = "(?is).*((account|accnt|licen(se|ce)).?(id|key)|one.?time.?code).*"
   }
 }
 
@@ -176,6 +191,11 @@ class SensitiveExpr extends Expr {
     not label.regexpMatch(regexpProbablySafe())
     or
     (
+      // modeled sensitive password
+      sourceNode(DataFlow::exprNode(this), "sensitive-password") and
+      sensitiveType = TPassword() and
+      label = "password"
+      or
       // modeled sensitive credential
       sourceNode(DataFlow::exprNode(this), "sensitive-credential") and
       sensitiveType = TCredential() and
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -26,16 +26,16 @@
 | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | label:medicalNotes, type:private information |
 | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | label:medicalNotes, type:private information |
 | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | label:medicalNotes, type:private information |
-| testAlamofire.swift:150:45:150:45 | password | label:password, type:credential |
-| testAlamofire.swift:152:51:152:51 | password | label:password, type:credential |
+| testAlamofire.swift:150:45:150:45 | password | label:password, type:password |
+| testAlamofire.swift:152:51:152:51 | password | label:password, type:password |
 | testAlamofire.swift:154:38:154:38 | email | label:email, type:private information |
 | testAlamofire.swift:159:26:159:26 | email | label:email, type:private information |
 | testAlamofire.swift:171:35:171:35 | email | label:email, type:private information |
 | testAlamofire.swift:177:35:177:35 | email | label:email, type:private information |
-| testAlamofire.swift:187:65:187:65 | password | label:password, type:credential |
-| testAlamofire.swift:195:64:195:64 | password | label:password, type:credential |
-| testAlamofire.swift:205:62:205:62 | password | label:password, type:credential |
-| testAlamofire.swift:213:65:213:65 | password | label:password, type:credential |
+| testAlamofire.swift:187:65:187:65 | password | label:password, type:password |
+| testAlamofire.swift:195:64:195:64 | password | label:password, type:password |
+| testAlamofire.swift:205:62:205:62 | password | label:password, type:password |
+| testAlamofire.swift:213:65:213:65 | password | label:password, type:password |
 | testCoreData2.swift:37:16:37:16 | bankAccountNo | label:bankAccountNo, type:private information |
 | testCoreData2.swift:38:2:38:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
 | testCoreData2.swift:39:2:39:6 | .myBankAccountNumber | label:myBankAccountNumber, type:private information |
@@ -76,99 +76,99 @@
 | testCoreData2.swift:91:10:91:10 | bankAccountNo | label:bankAccountNo, type:private information |
 | testCoreData2.swift:95:10:95:10 | bankAccountNo | label:bankAccountNo, type:private information |
 | testCoreData2.swift:101:10:101:10 | bankAccountNo | label:bankAccountNo, type:private information |
-| testCoreData.swift:48:15:48:15 | password | label:password, type:credential |
-| testCoreData.swift:51:24:51:24 | password | label:password, type:credential |
-| testCoreData.swift:58:15:58:15 | password | label:password, type:credential |
-| testCoreData.swift:61:25:61:25 | password | label:password, type:credential |
-| testCoreData.swift:64:16:64:16 | password | label:password, type:credential |
-| testCoreData.swift:77:24:77:24 | x | label:password, type:credential |
-| testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword, type:credential |
-| testCoreData.swift:85:15:85:17 | .password | label:password, type:credential |
-| testCoreData.swift:91:10:91:10 | passwd | label:passwd, type:credential |
-| testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |
-| testCoreData.swift:93:10:93:10 | passwd | label:passwd, type:credential |
+| testCoreData.swift:48:15:48:15 | password | label:password, type:password |
+| testCoreData.swift:51:24:51:24 | password | label:password, type:password |
+| testCoreData.swift:58:15:58:15 | password | label:password, type:password |
+| testCoreData.swift:61:25:61:25 | password | label:password, type:password |
+| testCoreData.swift:64:16:64:16 | password | label:password, type:password |
+| testCoreData.swift:77:24:77:24 | x | label:password, type:password |
+| testCoreData.swift:80:10:80:22 | call to getPassword() | label:getPassword, type:password |
+| testCoreData.swift:85:15:85:17 | .password | label:password, type:password |
+| testCoreData.swift:91:10:91:10 | passwd | label:passwd, type:password |
+| testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:password |
+| testCoreData.swift:93:10:93:10 | passwd | label:passwd, type:password |
 | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | label:generateSecretKey, type:credential |
 | testCoreData.swift:129:15:129:30 | call to getCertificate() | label:getCertificate, type:credential |
-| testGRDB.swift:73:57:73:57 | password | label:password, type:credential |
-| testGRDB.swift:76:43:76:43 | password | label:password, type:credential |
-| testGRDB.swift:81:45:81:45 | password | label:password, type:credential |
-| testGRDB.swift:83:45:83:45 | password | label:password, type:credential |
-| testGRDB.swift:85:45:85:45 | password | label:password, type:credential |
-| testGRDB.swift:87:45:87:45 | password | label:password, type:credential |
-| testGRDB.swift:92:38:92:38 | password | label:password, type:credential |
-| testGRDB.swift:95:37:95:37 | password | label:password, type:credential |
-| testGRDB.swift:100:73:100:73 | password | label:password, type:credential |
-| testGRDB.swift:101:73:101:73 | password | label:password, type:credential |
-| testGRDB.swift:107:53:107:53 | password | label:password, type:credential |
-| testGRDB.swift:109:53:109:53 | password | label:password, type:credential |
-| testGRDB.swift:111:52:111:52 | password | label:password, type:credential |
-| testGRDB.swift:116:48:116:48 | password | label:password, type:credential |
-| testGRDB.swift:118:48:118:48 | password | label:password, type:credential |
-| testGRDB.swift:121:45:121:45 | password | label:password, type:credential |
-| testGRDB.swift:123:45:123:45 | password | label:password, type:credential |
-| testGRDB.swift:126:45:126:45 | password | label:password, type:credential |
-| testGRDB.swift:128:45:128:45 | password | label:password, type:credential |
-| testGRDB.swift:131:45:131:45 | password | label:password, type:credential |
-| testGRDB.swift:133:45:133:45 | password | label:password, type:credential |
-| testGRDB.swift:138:69:138:69 | password | label:password, type:credential |
-| testGRDB.swift:140:69:140:69 | password | label:password, type:credential |
-| testGRDB.swift:143:66:143:66 | password | label:password, type:credential |
-| testGRDB.swift:145:66:145:66 | password | label:password, type:credential |
-| testGRDB.swift:148:66:148:66 | password | label:password, type:credential |
-| testGRDB.swift:150:66:150:66 | password | label:password, type:credential |
-| testGRDB.swift:153:66:153:66 | password | label:password, type:credential |
-| testGRDB.swift:155:66:155:66 | password | label:password, type:credential |
-| testGRDB.swift:160:60:160:60 | password | label:password, type:credential |
-| testGRDB.swift:161:51:161:51 | password | label:password, type:credential |
-| testGRDB.swift:164:60:164:60 | password | label:password, type:credential |
-| testGRDB.swift:165:51:165:51 | password | label:password, type:credential |
-| testGRDB.swift:169:57:169:57 | password | label:password, type:credential |
-| testGRDB.swift:170:48:170:48 | password | label:password, type:credential |
-| testGRDB.swift:173:57:173:57 | password | label:password, type:credential |
-| testGRDB.swift:174:48:174:48 | password | label:password, type:credential |
-| testGRDB.swift:178:57:178:57 | password | label:password, type:credential |
-| testGRDB.swift:179:48:179:48 | password | label:password, type:credential |
-| testGRDB.swift:182:57:182:57 | password | label:password, type:credential |
-| testGRDB.swift:183:48:183:48 | password | label:password, type:credential |
-| testGRDB.swift:187:57:187:57 | password | label:password, type:credential |
-| testGRDB.swift:188:48:188:48 | password | label:password, type:credential |
-| testGRDB.swift:191:57:191:57 | password | label:password, type:credential |
-| testGRDB.swift:192:48:192:48 | password | label:password, type:credential |
-| testGRDB.swift:198:30:198:30 | password | label:password, type:credential |
-| testGRDB.swift:201:24:201:24 | password | label:password, type:credential |
-| testGRDB.swift:206:67:206:67 | password | label:password, type:credential |
-| testGRDB.swift:208:81:208:81 | password | label:password, type:credential |
-| testGRDB.swift:210:85:210:85 | password | label:password, type:credential |
-| testGRDB.swift:212:99:212:99 | password | label:password, type:credential |
-| testRealm2.swift:18:11:18:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:31:20:31:20 | .password | label:password, type:credential |
-| testRealm.swift:41:11:41:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:49:11:49:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:59:12:59:12 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:66:11:66:11 | myPassword | label:myPassword, type:credential |
-| testRealm.swift:73:2:73:4 | .password | label:password, type:credential |
-| testRealm.swift:73:15:73:15 | myPassword | label:myPassword, type:credential |
-| testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:credential |
-| testSend.swift:58:13:58:13 | password | label:password, type:credential |
-| testSend.swift:59:13:59:13 | password | label:password, type:credential |
-| testSend.swift:60:17:60:17 | password | label:password, type:credential |
-| testSend.swift:61:23:61:23 | password | label:password, type:credential |
-| testSend.swift:62:27:62:27 | password | label:password, type:credential |
-| testSend.swift:63:27:63:27 | password | label:password, type:credential |
+| testGRDB.swift:73:57:73:57 | password | label:password, type:password |
+| testGRDB.swift:76:43:76:43 | password | label:password, type:password |
+| testGRDB.swift:81:45:81:45 | password | label:password, type:password |
+| testGRDB.swift:83:45:83:45 | password | label:password, type:password |
+| testGRDB.swift:85:45:85:45 | password | label:password, type:password |
+| testGRDB.swift:87:45:87:45 | password | label:password, type:password |
+| testGRDB.swift:92:38:92:38 | password | label:password, type:password |
+| testGRDB.swift:95:37:95:37 | password | label:password, type:password |
+| testGRDB.swift:100:73:100:73 | password | label:password, type:password |
+| testGRDB.swift:101:73:101:73 | password | label:password, type:password |
+| testGRDB.swift:107:53:107:53 | password | label:password, type:password |
+| testGRDB.swift:109:53:109:53 | password | label:password, type:password |
+| testGRDB.swift:111:52:111:52 | password | label:password, type:password |
+| testGRDB.swift:116:48:116:48 | password | label:password, type:password |
+| testGRDB.swift:118:48:118:48 | password | label:password, type:password |
+| testGRDB.swift:121:45:121:45 | password | label:password, type:password |
+| testGRDB.swift:123:45:123:45 | password | label:password, type:password |
+| testGRDB.swift:126:45:126:45 | password | label:password, type:password |
+| testGRDB.swift:128:45:128:45 | password | label:password, type:password |
+| testGRDB.swift:131:45:131:45 | password | label:password, type:password |
+| testGRDB.swift:133:45:133:45 | password | label:password, type:password |
+| testGRDB.swift:138:69:138:69 | password | label:password, type:password |
+| testGRDB.swift:140:69:140:69 | password | label:password, type:password |
+| testGRDB.swift:143:66:143:66 | password | label:password, type:password |
+| testGRDB.swift:145:66:145:66 | password | label:password, type:password |
+| testGRDB.swift:148:66:148:66 | password | label:password, type:password |
+| testGRDB.swift:150:66:150:66 | password | label:password, type:password |
+| testGRDB.swift:153:66:153:66 | password | label:password, type:password |
+| testGRDB.swift:155:66:155:66 | password | label:password, type:password |
+| testGRDB.swift:160:60:160:60 | password | label:password, type:password |
+| testGRDB.swift:161:51:161:51 | password | label:password, type:password |
+| testGRDB.swift:164:60:164:60 | password | label:password, type:password |
+| testGRDB.swift:165:51:165:51 | password | label:password, type:password |
+| testGRDB.swift:169:57:169:57 | password | label:password, type:password |
+| testGRDB.swift:170:48:170:48 | password | label:password, type:password |
+| testGRDB.swift:173:57:173:57 | password | label:password, type:password |
+| testGRDB.swift:174:48:174:48 | password | label:password, type:password |
+| testGRDB.swift:178:57:178:57 | password | label:password, type:password |
+| testGRDB.swift:179:48:179:48 | password | label:password, type:password |
+| testGRDB.swift:182:57:182:57 | password | label:password, type:password |
+| testGRDB.swift:183:48:183:48 | password | label:password, type:password |
+| testGRDB.swift:187:57:187:57 | password | label:password, type:password |
+| testGRDB.swift:188:48:188:48 | password | label:password, type:password |
+| testGRDB.swift:191:57:191:57 | password | label:password, type:password |
+| testGRDB.swift:192:48:192:48 | password | label:password, type:password |
+| testGRDB.swift:198:30:198:30 | password | label:password, type:password |
+| testGRDB.swift:201:24:201:24 | password | label:password, type:password |
+| testGRDB.swift:206:67:206:67 | password | label:password, type:password |
+| testGRDB.swift:208:81:208:81 | password | label:password, type:password |
+| testGRDB.swift:210:85:210:85 | password | label:password, type:password |
+| testGRDB.swift:212:99:212:99 | password | label:password, type:password |
+| testRealm2.swift:18:11:18:11 | myPassword | label:myPassword, type:password |
+| testRealm.swift:31:20:31:20 | .password | label:password, type:password |
+| testRealm.swift:41:11:41:11 | myPassword | label:myPassword, type:password |
+| testRealm.swift:49:11:49:11 | myPassword | label:myPassword, type:password |
+| testRealm.swift:59:12:59:12 | myPassword | label:myPassword, type:password |
+| testRealm.swift:66:11:66:11 | myPassword | label:myPassword, type:password |
+| testRealm.swift:73:2:73:4 | .password | label:password, type:password |
+| testRealm.swift:73:15:73:15 | myPassword | label:myPassword, type:password |
+| testSend.swift:29:19:29:19 | passwordPlain | label:passwordPlain, type:password |
+| testSend.swift:33:19:33:19 | passwordPlain | label:passwordPlain, type:password |
+| testSend.swift:58:13:58:13 | password | label:password, type:password |
+| testSend.swift:59:13:59:13 | password | label:password, type:password |
+| testSend.swift:60:17:60:17 | password | label:password, type:password |
+| testSend.swift:61:23:61:23 | password | label:password, type:password |
+| testSend.swift:62:27:62:27 | password | label:password, type:password |
+| testSend.swift:63:27:63:27 | password | label:password, type:password |
 | testSend.swift:71:27:71:27 | license_key | label:license_key, type:credential |
 | testSend.swift:72:27:72:30 | .mobileNumber | label:mobileNumber, type:private information |
-| testSend.swift:75:27:75:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:credential |
+| testSend.swift:75:27:75:30 | .passwordFeatureEnabled | label:passwordFeatureEnabled, type:password |
 | testSend.swift:76:27:76:30 | .Telephone | label:Telephone, type:private information |
 | testSend.swift:77:27:77:30 | .birth_day | label:birth_day, type:private information |
 | testSend.swift:78:27:78:30 | .CarePlanID | label:CarePlanID, type:private information |
 | testSend.swift:79:27:79:30 | .BankCardNo | label:BankCardNo, type:private information |
 | testSend.swift:80:27:80:30 | .MyCreditRating | label:MyCreditRating, type:private information |
-| testSend.swift:94:27:94:30 | .password | label:password, type:credential |
-| testURL.swift:39:50:39:50 | passwd | label:passwd, type:credential |
+| testSend.swift:94:27:94:30 | .password | label:password, type:password |
+| testURL.swift:39:50:39:50 | passwd | label:passwd, type:password |
 | testURL.swift:41:51:41:51 | account_no | label:account_no, type:private information |
 | testURL.swift:42:51:42:51 | credit_card_no | label:credit_card_no, type:private information |
-| testURL.swift:46:22:46:22 | passwd | label:passwd, type:credential |
+| testURL.swift:46:22:46:22 | passwd | label:passwd, type:password |
 | testURL.swift:50:51:50:51 | e_mail | label:e_mail, type:private information |
 | testURL.swift:52:53:52:53 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
 | testURL.swift:54:51:54:51 | resident_ID | label:resident_ID, type:private information |
