Swift: Add more cases to test.

Author: geoffw0

swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected

@@ -6,16 +6,16 @@ nodes
 | testCryptoKit.swift:99:23:99:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:132:32:132:32 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:141:32:141:32 | passwd | semmle.label | passwd |
-| testCryptoSwift.swift:113:30:113:30 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:115:31:115:31 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:120:20:120:20 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:122:21:122:21 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:127:9:127:9 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:129:9:129:9 | passwdArray | semmle.label | passwdArray |
-| testCryptoSwift.swift:136:9:136:9 | passwdData | semmle.label | passwdData |
-| testCryptoSwift.swift:138:9:138:9 | passwdData | semmle.label | passwdData |
-| testCryptoSwift.swift:145:9:145:9 | passwd | semmle.label | passwd |
-| testCryptoSwift.swift:147:9:147:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:154:30:154:30 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:157:31:157:31 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:167:20:167:20 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:170:21:170:21 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:183:9:183:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:186:9:186:9 | passwdArray | semmle.label | passwdArray |
+| testCryptoSwift.swift:201:9:201:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:204:9:204:9 | passwdData | semmle.label | passwdData |
+| testCryptoSwift.swift:219:9:219:9 | passwd | semmle.label | passwd |
+| testCryptoSwift.swift:222:9:222:9 | passwd | semmle.label | passwd |
 subpaths
 #select
 | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | testCryptoKit.swift:56:47:56:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:56:47:56:47 | passwd | password (passwd) |
@@ -24,13 +24,13 @@ subpaths
 | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | testCryptoKit.swift:99:23:99:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:23:99:23 | passwd | password (passwd) |
 | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | testCryptoKit.swift:132:32:132:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:132:32:132:32 | passwd | password (passwd) |
 | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | testCryptoKit.swift:141:32:141:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:141:32:141:32 | passwd | password (passwd) |
-| testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | testCryptoSwift.swift:113:30:113:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:113:30:113:30 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | testCryptoSwift.swift:115:31:115:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:115:31:115:31 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | testCryptoSwift.swift:120:20:120:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:120:20:120:20 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | testCryptoSwift.swift:122:21:122:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:122:21:122:21 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | testCryptoSwift.swift:127:9:127:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:127:9:127:9 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | testCryptoSwift.swift:129:9:129:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:129:9:129:9 | passwdArray | password (passwdArray) |
-| testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | testCryptoSwift.swift:136:9:136:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:136:9:136:9 | passwdData | password (passwdData) |
-| testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | testCryptoSwift.swift:138:9:138:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:138:9:138:9 | passwdData | password (passwdData) |
-| testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | testCryptoSwift.swift:145:9:145:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:145:9:145:9 | passwd | password (passwd) |
-| testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | testCryptoSwift.swift:147:9:147:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:147:9:147:9 | passwd | password (passwd) |
+| testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | testCryptoSwift.swift:154:30:154:30 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:154:30:154:30 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | testCryptoSwift.swift:157:31:157:31 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:157:31:157:31 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | testCryptoSwift.swift:167:20:167:20 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:167:20:167:20 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | testCryptoSwift.swift:170:21:170:21 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:170:21:170:21 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | testCryptoSwift.swift:183:9:183:9 | passwdArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:183:9:183:9 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | testCryptoSwift.swift:186:9:186:9 | passwdArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:186:9:186:9 | passwdArray | password (passwdArray) |
+| testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | testCryptoSwift.swift:201:9:201:9 | passwdData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:201:9:201:9 | passwdData | password (passwdData) |
+| testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | testCryptoSwift.swift:204:9:204:9 | passwdData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:204:9:204:9 | passwdData | password (passwdData) |
+| testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | testCryptoSwift.swift:219:9:219:9 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:219:9:219:9 | passwd | password (passwd) |
+| testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | testCryptoSwift.swift:222:9:222:9 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:222:9:222:9 | passwd | password (passwd) |

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -19,6 +19,10 @@ nodes
 | testCryptoKit.swift:142:32:142:32 | cert | semmle.label | cert |
 | testCryptoKit.swift:144:32:144:32 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoSwift.swift:200:9:200:9 | medicalData | semmle.label | medicalData |
+| testCryptoSwift.swift:203:9:203:9 | medicalData | semmle.label | medicalData |
+| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | semmle.label | creditCardNumber |
+| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | semmle.label | creditCardNumber |
 subpaths
 #select
 | testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | testCryptoKit.swift:57:43:57:43 | cert | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:57:43:57:43 | cert | sensitive data (credential cert) |
@@ -40,3 +44,7 @@ subpaths
 | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:32:142:32 | cert | sensitive data (credential cert) |
 | testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:144:32:144:32 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) |
+| testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) |
+| testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) |
+| testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:221:9:221:9 | creditCardNumber | sensitive data (private information creditCardNumber) |

swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift

@@ -34,6 +34,18 @@ class SHA2 : DigestType {
     }
 }
 
+class SHA3 : DigestType {
+    public enum Variant {
+        case sha512
+    }
+
+    public init(variant: SHA3.Variant) {}
+
+    public func calculate(for bytes: Array<UInt8>) -> Array<UInt8> {
+        return Array<UInt8>()
+    }
+}
+
 struct Digest {
     static func md5(_ bytes: Array<UInt8>) -> Array<UInt8> {
         return MD5().calculate(for: bytes)
@@ -50,6 +62,10 @@ struct Digest {
     static func sha2(_ bytes: Array<UInt8>, variant: SHA2.Variant) -> Array<UInt8> {
         return SHA2(variant: variant).calculate(for: bytes)
     }
+
+    static func sha3(_ bytes: Array<UInt8>, variant: SHA3.Variant) -> Array<UInt8> {
+        return SHA3(variant: variant).calculate(for: bytes)
+    }
 }
 
 extension Array where Element == UInt8 {
@@ -68,6 +84,14 @@ extension Array where Element == UInt8 {
     func sha512() -> [Element] {
         return Digest.sha512(self)
     }
+
+    func sha2(_ variant: SHA2.Variant) -> [Element] {
+        return Digest.sha2(self, variant: variant)
+    }
+
+    func sha3(_ variant: SHA3.Variant) -> [Element] {
+        return Digest.sha3(self, variant: variant)
+    }
 }
 
 extension Data {
@@ -86,6 +110,14 @@ extension Data {
     func sha512() -> Data {
         return Data(Digest.sha512(bytes))
     }
+
+    func sha2(_ variant: SHA2.Variant) -> Data {
+        return Data(Digest.sha2(bytes, variant: variant))
+    }
+
+    func sha3(_ variant: SHA3.Variant) -> Data {
+        return Data(Digest.sha3(bytes, variant: variant))
+    }
 }
 
 extension String {
@@ -104,47 +136,97 @@ extension String {
     func sha512() -> String {
         return self.bytes.sha512().toHexString()
     }
+
+    func sha2(_ variant: SHA2.Variant) -> String {
+        return self.bytes.sha2(variant).toHexString()
+    }
+
+    func sha3(_ variant: SHA3.Variant) -> String {
+        return self.bytes.sha3(variant).toHexString()
+    }
 }
 
 // --- tests ---
 
-func testArrays(harmlessArray: Array<UInt8>, passwdArray: Array<UInt8>) {
+func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, passwdArray: Array<UInt8>) {
     _ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
+    _ = MD5().calculate(for: phoneNumberArray) // BAD [NOT DETECTED]
     _ = MD5().calculate(for: passwdArray) // BAD
     _ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
+    _ = SHA1().calculate(for: phoneNumberArray) // BAD [NOT DETECTED]
     _ = SHA1().calculate(for: passwdArray) // BAD
     _ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
-    _ = SHA2(variant: .sha512).calculate(for: passwdArray) // GOOD
+    _ = SHA2(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
+    _ = SHA2(variant: .sha512).calculate(for: passwdArray) // BAD [NOT DETECTED]
+    _ = SHA3(variant: .sha512).calculate(for: harmlessArray) // GOOD
+    _ = SHA3(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
+    _ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD [NOT DETECTED]
 
     _ = Digest.md5(harmlessArray) // GOOD (not sensitive)
+    _ = Digest.md5(phoneNumberArray) // BAD [NOT DETECTED]
     _ = Digest.md5(passwdArray) // BAD
     _ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
+    _ = Digest.sha1(phoneNumberArray) // BAD [NOT DETECTED]
     _ = Digest.sha1(passwdArray) // BAD
-    _ = Digest.sha512(harmlessArray) // GOOD
-    _ = Digest.sha512(passwdArray) // GOOD
+    _ = Digest.sha512(harmlessArray) // GOOD (not sensitive)
+    _ = Digest.sha512(phoneNumberArray) // GOOD
+    _ = Digest.sha512(passwdArray) // BAD [NOT DETECTED]
+    _ = Digest.sha2(harmlessArray, variant: .sha512) // GOOD (not sensitive)
+    _ = Digest.sha2(phoneNumberArray, variant: .sha512) // GOOD
+    _ = Digest.sha2(passwdArray, variant: .sha512) // BAD [NOT DETECTED]
+    _ = Digest.sha3(harmlessArray, variant: .sha512) // GOOD (not sensitive)
+    _ = Digest.sha3(phoneNumberArray, variant: .sha512) // GOOD
+    _ = Digest.sha3(passwdArray, variant: .sha512) // BAD [NOT DETECTED]
 
     _ = harmlessArray.md5() // GOOD (not sensitive)
+    _ = phoneNumberArray.md5() // BAD [NOT DETECTED]
     _ = passwdArray.md5() // BAD
     _ = harmlessArray.sha1() // GOOD (not sensitive)
+    _ = phoneNumberArray.sha1() // BAD [NOT DETECTED]
     _ = passwdArray.sha1() // BAD
     _ = harmlessArray.sha512() // GOOD
-    _ = passwdArray.sha512() // GOOD
+    _ = phoneNumberArray.sha512() // GOOD
+    _ = passwdArray.sha512() // BAD [NOT DETECTED]
+    _ = harmlessArray.sha2(.sha512) // GOOD
+    _ = phoneNumberArray.sha2(.sha512) // GOOD
+    _ = passwdArray.sha2(.sha512) // BAD [NOT DETECTED]
+    _ = harmlessArray.sha3(.sha512) // GOOD
+    _ = phoneNumberArray.sha3(.sha512) // GOOD
+    _ = passwdArray.sha3(.sha512) // BAD [NOT DETECTED]
 }
 
-func testData(harmlessData: Data, passwdData: Data) {
+func testData(harmlessData: Data, medicalData: Data, passwdData: Data) {
     _ = harmlessData.md5() // GOOD (not sensitive)
+    _ = medicalData.md5() // BAD
     _ = passwdData.md5() // BAD
     _ = harmlessData.sha1() // GOOD (not sensitive)
+    _ = medicalData.sha1() // BAD
     _ = passwdData.sha1() // BAD
     _ = harmlessData.sha512() // GOOD
-    _ = passwdData.sha512() // GOOD
+    _ = medicalData.sha512() // GOOD
+    _ = passwdData.sha512() // BAD [NOT DETECTED]
+    _ = harmlessData.sha2(.sha512) // GOOD
+    _ = medicalData.sha2(.sha512) // GOOD
+    _ = passwdData.sha2(.sha512) // BAD [NOT DETECTED]
+    _ = harmlessData.sha3(.sha512) // GOOD
+    _ = medicalData.sha3(.sha512) // GOOD
+    _ = passwdData.sha3(.sha512) // BAD [NOT DETECTED]
 }
 
-func testStrings(passwd: String) {
+func testStrings(creditCardNumber: String, passwd: String) {
     _ = "harmless".md5() // GOOD (not sensitive)
+    _ = creditCardNumber.md5() // BAD
     _ = passwd.md5() // BAD
     _ = "harmless".sha1() // GOOD (not sensitive)
+    _ = creditCardNumber.sha1() // BAD
     _ = passwd.sha1() // BAD
     _ = "harmless".sha512() // GOOD
-    _ = passwd.sha512() // GOOD
+    _ = creditCardNumber.sha512() // GOOD
+    _ = passwd.sha512() // BAD [NOT DETECTED]
+    _ = "harmless".sha2(.sha512) // GOOD
+    _ = creditCardNumber.sha2(.sha512) // GOOD
+    _ = passwd.sha2(.sha512) // BAD [NOT DETECTED]
+    _ = "harmless".sha3(.sha512) // GOOD
+    _ = creditCardNumber.sha3(.sha512) // GOOD
+    _ = passwd.sha3(.sha512) // BAD [NOT DETECTED]
 }