github
diff --git a/‎swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll‎
Lines changed: 56 additions & 7 deletions b/‎swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll‎
Lines changed: 56 additions & 7 deletions
diff --git a/‎swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected‎
Lines changed: 46 additions & 0 deletions b/‎swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected‎
Lines changed: 46 additions & 0 deletions
@@ -43,11 +43,62 @@ class WeakPasswordHashingAdditionalFlowStep extends Unit {
  * hashing as well.
  */
 private class InheritedWeakPasswordHashingSink extends WeakPasswordHashingSink {
- InheritedWeakPasswordHashingSink() {
-   this instanceof WeakSensitiveDataHashingSink
- }
+  InheritedWeakPasswordHashingSink() { this instanceof WeakSensitiveDataHashingSink }
 
- override string getAlgorithm() { result = this.(WeakSensitiveDataHashingSink).getAlgorithm() }
+  override string getAlgorithm() { result = this.(WeakSensitiveDataHashingSink).getAlgorithm() }
+}
+
+private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CryptoKit
+        // (SHA-256, SHA-384 and SHA-512 are all variants of the SHA-2 algorithm)
+        ";SHA256;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";SHA256;true;update(data:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";SHA256;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";SHA384;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";SHA384;true;update(data:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";SHA384;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";SHA512;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA512",
+        ";SHA512;true;update(data:);;;Argument[0];weak-password-hash-input-SHA512",
+        ";SHA512;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
+        // CryptoSwift
+        ";SHA2;true;calculate(for:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA2;true;callAsFunction(_:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA2;true;process64(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA2;true;process32(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA2;true;update(withBytes:isLast:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA3;true;calculate(for:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA3;true;callAsFunction(_:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA3;true;process(block:currentHash:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";SHA3;true;update(withBytes:isLast:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";Digest;true;sha2(_:variant:);;;Argument[0];weak-password-hash-input-SHA2",
+        ";Digest;true;sha3(_:variant:);;;Argument[0];weak-password-hash-input-SHA3",
+        ";Digest;true;sha224(_:);;;Argument[0];weak-password-hash-input-SHA224",
+        ";Digest;true;sha256(_:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";Digest;true;sha384(_:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";Digest;true;sha512(_:);;;Argument[0];weak-password-hash-input-SHA512",
+        ";Array;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
+        ";Array;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
+        ";Array;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
+        ";Array;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
+        ";Array;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
+        ";Array;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
+        ";Data;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
+        ";Data;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
+        ";Data;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
+        ";Data;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
+        ";Data;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
+        ";Data;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
+        ";String;true;sha2(_:);;;Argument[-1];weak-password-hash-input-SHA2",
+        ";String;true;sha3(_:);;;Argument[-1];weak-password-hash-input-SHA3",
+        ";String;true;sha224();;;Argument[-1];weak-password-hash-input-SHA224",
+        ";String;true;sha256();;;Argument[-1];weak-password-hash-input-SHA256",
+        ";String;true;sha384();;;Argument[-1];weak-password-hash-input-SHA384",
+        ";String;true;sha512();;;Argument[-1];weak-password-hash-input-SHA512",
+      ]
+  }
 }
 
 /**
@@ -56,9 +107,7 @@ private class InheritedWeakPasswordHashingSink extends WeakPasswordHashingSink {
 private class DefaultWeakPasswordHashingSink extends WeakPasswordHashingSink {
   string algorithm;
 
-  DefaultWeakPasswordHashingSink() {
-    sinkNode(this, "weak-password-hash-input-" + algorithm)
-  }
+  DefaultWeakPasswordHashingSink() { sinkNode(this, "weak-password-hash-input-" + algorithm) }
 
   override string getAlgorithm() { result = algorithm }
 }
@@ -2,35 +2,81 @@ edges
 nodes
 | testCryptoKit.swift:56:47:56:47 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:63:44:63:44 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:69:37:69:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:75:37:75:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:81:37:81:37 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:90:23:90:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:108:23:108:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:116:23:116:23 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:124:23:124:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:150:32:150:32 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:158:32:158:32 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:166:32:166:32 | passwd | semmle.label | passwd |
 | testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:160:47:160:47 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:163:47:163:47 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:167:20:167:20 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:170:21:170:21 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:173:23:173:23 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:176:21:176:21 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:179:21:179:21 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:183:9:183:9 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:186:9:186:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:189:9:189:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:192:9:192:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:195:9:195:9 | passwdArray | semmle.label | passwdArray |
 | testCryptoSwift.swift:201:9:201:9 | passwdData | semmle.label | passwdData |
 | testCryptoSwift.swift:204:9:204:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:207:9:207:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:210:9:210:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:213:9:213:9 | passwdData | semmle.label | passwdData |
 | testCryptoSwift.swift:219:9:219:9 | passwd | semmle.label | passwd |
 | testCryptoSwift.swift:222:9:222:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:225:9:225:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:228:9:228:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:231:9:231:9 | passwd | semmle.label | passwd |
 subpaths
 #select
 | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | password (passwd) |
 | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | testCryptoKit.swift:63:44:63:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:63:44:63:44 | passwd | password (passwd) |
+| testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | testCryptoKit.swift:69:37:69:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:69:37:69:37 | passwd | password (passwd) |
+| testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | testCryptoKit.swift:75:37:75:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:75:37:75:37 | passwd | password (passwd) |
+| testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | testCryptoKit.swift:81:37:81:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:81:37:81:37 | passwd | password (passwd) |
 | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | testCryptoKit.swift:90:23:90:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:90:23:90:23 | passwd | password (passwd) |
 | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | password (passwd) |
+| testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | testCryptoKit.swift:108:23:108:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:108:23:108:23 | passwd | password (passwd) |
+| testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | testCryptoKit.swift:116:23:116:23 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:116:23:116:23 | passwd | password (passwd) |
+| testCryptoKit.swift:124:23:124:23 | passwd | testCryptoKit.swift:124:23:124:23 | passwd | testCryptoKit.swift:124:23:124:23 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:124:23:124:23 | passwd | password (passwd) |
 | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | password (passwd) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | password (passwd) |
+| testCryptoKit.swift:150:32:150:32 | passwd | testCryptoKit.swift:150:32:150:32 | passwd | testCryptoKit.swift:150:32:150:32 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:150:32:150:32 | passwd | password (passwd) |
+| testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | testCryptoKit.swift:158:32:158:32 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:158:32:158:32 | passwd | password (passwd) |
+| testCryptoKit.swift:166:32:166:32 | passwd | testCryptoKit.swift:166:32:166:32 | passwd | testCryptoKit.swift:166:32:166:32 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:166:32:166:32 | passwd | password (passwd) |
 | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | testCryptoSwift.swift:160:47:160:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:160:47:160:47 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | testCryptoSwift.swift:163:47:163:47 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:163:47:163:47 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | testCryptoSwift.swift:173:23:173:23 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:173:23:173:23 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | testCryptoSwift.swift:176:21:176:21 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:176:21:176:21 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | testCryptoSwift.swift:179:21:179:21 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:179:21:179:21 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | testCryptoSwift.swift:189:9:189:9 | passwdArray | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:189:9:189:9 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | testCryptoSwift.swift:192:9:192:9 | passwdArray | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:192:9:192:9 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | testCryptoSwift.swift:195:9:195:9 | passwdArray | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:195:9:195:9 | passwdArray | password (passwdArray) |
 | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) |
 | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) |
+| testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | testCryptoSwift.swift:207:9:207:9 | passwdData | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:207:9:207:9 | passwdData | password (passwdData) |
+| testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | testCryptoSwift.swift:210:9:210:9 | passwdData | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:210:9:210:9 | passwdData | password (passwdData) |
+| testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | testCryptoSwift.swift:213:9:213:9 | passwdData | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:213:9:213:9 | passwdData | password (passwdData) |
 | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) |
 | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) |
+| testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | testCryptoSwift.swift:225:9:225:9 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoSwift.swift:225:9:225:9 | passwd | password (passwd) |
+| testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | testCryptoSwift.swift:228:9:228:9 | passwd | Insecure hashing algorithm (SHA2) depends on $@. | testCryptoSwift.swift:228:9:228:9 | passwd | password (passwd) |
+| testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | testCryptoSwift.swift:231:9:231:9 | passwd | Insecure hashing algorithm (SHA3) depends on $@. | testCryptoSwift.swift:231:9:231:9 | passwd | password (passwd) |