Swift: Address a weakness in the sensitive data regexs.

Author: geoffw0

swift/ql/lib/codeql/swift/security/SensitiveExprs.qll

@@ -72,7 +72,8 @@ class SensitivePrivateInfo extends SensitiveDataType, TPrivateInfo {
         // Contact information, such as home addresses
         "post.?code|zip.?code|home.?addr|" +
         // and telephone numbers
-        "(mob(ile)?|home).?(num|no|tel|phone)|(tel|fax).?(num|no|phone)|" + "emergency.?contact|" +
+        "(mob(ile)?|home).?(num|no|tel|phone)|(tel|fax|phone).?(num|no)|telephone|" +
+        "emergency.?contact|" +
         // Geographic location - where the user is (or was)
         "l(atitude|ongitude)|nationality|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts

swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected

@@ -19,6 +19,12 @@ nodes
 | testCryptoKit.swift:142:32:142:32 | cert | semmle.label | cert |
 | testCryptoKit.swift:144:32:144:32 | account_no | semmle.label | account_no |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | semmle.label | credit_card_no |
+| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | semmle.label | phoneNumberArray |
+| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | semmle.label | phoneNumberArray |
+| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | semmle.label | phoneNumberArray |
+| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | semmle.label | phoneNumberArray |
+| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | semmle.label | phoneNumberArray |
+| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | semmle.label | phoneNumberArray |
 | testCryptoSwift.swift:200:9:200:9 | medicalData | semmle.label | medicalData |
 | testCryptoSwift.swift:203:9:203:9 | medicalData | semmle.label | medicalData |
 | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | semmle.label | creditCardNumber |
@@ -44,6 +50,12 @@ subpaths
 | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | testCryptoKit.swift:142:32:142:32 | cert | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:142:32:142:32 | cert | sensitive data (credential cert) |
 | testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | testCryptoKit.swift:144:32:144:32 | account_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:144:32:144:32 | account_no | sensitive data (private information account_no) |
 | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | testCryptoKit.swift:145:32:145:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:145:32:145:32 | credit_card_no | sensitive data (private information credit_card_no) |
+| testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:153:30:153:30 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
+| testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:156:31:156:31 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
+| testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:166:20:166:20 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
+| testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:169:21:169:21 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
+| testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:182:9:182:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
+| testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:185:9:185:9 | phoneNumberArray | sensitive data (private information phoneNumberArray) |
 | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | testCryptoSwift.swift:200:9:200:9 | medicalData | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:200:9:200:9 | medicalData | sensitive data (private information medicalData) |
 | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | testCryptoSwift.swift:203:9:203:9 | medicalData | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoSwift.swift:203:9:203:9 | medicalData | sensitive data (private information medicalData) |
 | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | Insecure hashing algorithm (MD5) depends on $@. | testCryptoSwift.swift:218:9:218:9 | creditCardNumber | sensitive data (private information creditCardNumber) |

swift/ql/test/query-tests/Security/CWE-328/testCryptoSwift.swift

@@ -150,10 +150,10 @@ extension String {
 
 func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, passwdArray: Array<UInt8>) {
     _ = MD5().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = MD5().calculate(for: phoneNumberArray) // BAD [NOT DETECTED]
+    _ = MD5().calculate(for: phoneNumberArray) // BAD
     _ = MD5().calculate(for: passwdArray) // BAD
     _ = SHA1().calculate(for: harmlessArray) // GOOD (not sensitive)
-    _ = SHA1().calculate(for: phoneNumberArray) // BAD [NOT DETECTED]
+    _ = SHA1().calculate(for: phoneNumberArray) // BAD
     _ = SHA1().calculate(for: passwdArray) // BAD
     _ = SHA2(variant: .sha512).calculate(for: harmlessArray) // GOOD
     _ = SHA2(variant: .sha512).calculate(for: phoneNumberArray) // GOOD
@@ -163,10 +163,10 @@ func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, pas
     _ = SHA3(variant: .sha512).calculate(for: passwdArray) // BAD [NOT DETECTED]
 
     _ = Digest.md5(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.md5(phoneNumberArray) // BAD [NOT DETECTED]
+    _ = Digest.md5(phoneNumberArray) // BAD
     _ = Digest.md5(passwdArray) // BAD
     _ = Digest.sha1(harmlessArray) // GOOD (not sensitive)
-    _ = Digest.sha1(phoneNumberArray) // BAD [NOT DETECTED]
+    _ = Digest.sha1(phoneNumberArray) // BAD
     _ = Digest.sha1(passwdArray) // BAD
     _ = Digest.sha512(harmlessArray) // GOOD (not sensitive)
     _ = Digest.sha512(phoneNumberArray) // GOOD
@@ -179,10 +179,10 @@ func testArrays(harmlessArray: Array<UInt8>, phoneNumberArray: Array<UInt8>, pas
     _ = Digest.sha3(passwdArray, variant: .sha512) // BAD [NOT DETECTED]
 
     _ = harmlessArray.md5() // GOOD (not sensitive)
-    _ = phoneNumberArray.md5() // BAD [NOT DETECTED]
+    _ = phoneNumberArray.md5() // BAD
     _ = passwdArray.md5() // BAD
     _ = harmlessArray.sha1() // GOOD (not sensitive)
-    _ = phoneNumberArray.sha1() // BAD [NOT DETECTED]
+    _ = phoneNumberArray.sha1() // BAD
     _ = passwdArray.sha1() // BAD
     _ = harmlessArray.sha512() // GOOD
     _ = phoneNumberArray.sha512() // GOOD