Swift: first draft of query targeting weak hashing

redsun82 · redsun82 · commit 19b13ee4e377 · 2022-09-07T15:58:35.000+02:00
diff --git a/swift/ql/lib/codeql/swift/elements/AstNode.qll b/swift/ql/lib/codeql/swift/elements/AstNode.qll
@@ -1,17 +1,30 @@
 private import codeql.swift.generated.AstNode
 private import codeql.swift.elements.decl.AbstractFunctionDecl
+private import codeql.swift.elements.decl.Decl
 private import codeql.swift.generated.ParentChild
 
-private Element getEnclosingFunctionStep(Element e) {
-  not e instanceof AbstractFunctionDecl and
-  result = getImmediateParent(e)
-}
+private module Cached {
+  private Element getEnclosingDeclStep(Element e) {
+    not e instanceof Decl and
+    result = getImmediateParent(e)
+  }
+
+  cached
+  Decl getEnclosingDecl(AstNode ast) { result = getEnclosingDeclStep*(getImmediateParent(ast)) }
 
-cached
-private AbstractFunctionDecl getEnclosingFunctionCached(AstNode ast) {
-  result = getEnclosingFunctionStep*(getImmediateParent(ast))
+  private Element getEnclosingFunctionStep(Element e) {
+    not e instanceof AbstractFunctionDecl and
+    result = getEnclosingDecl(e)
+  }
+
+  cached
+  AbstractFunctionDecl getEnclosingFunction(AstNode ast) {
+    result = getEnclosingFunctionStep*(getEnclosingDecl(ast))
+  }
 }
 
 class AstNode extends AstNodeBase {
-  final AbstractFunctionDecl getEnclosingFunction() { result = getEnclosingFunctionCached(this) }
+  final AbstractFunctionDecl getEnclosingFunction() { result = Cached::getEnclosingFunction(this) }
+
+  final Decl getEnclosingDecl() { result = Cached::getEnclosingDecl(this) }
 }
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp
@@ -0,0 +1,89 @@
+<!DOCTYPE qhelp PUBLIC
+        "-//Semmle//qhelp//EN"
+        "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Using a broken or weak cryptographic hash function can leave data
+            vulnerable, and should not be used in security related code.
+        </p>
+
+        <p>
+            A strong cryptographic hash function should be resistant to:
+        </p>
+        <ul>
+            <li>
+                pre-image attacks: if you know a hash value <code>h(x)</code>,
+                you should not be able to easily find the input <code>x</code>.
+            </li>
+            <li>
+                collision attacks: if you know a hash value <code>h(x)</code>,
+                you should not be able to easily find a different input
+                <code>y</code>
+                with the same hash value <code>h(x) = h(y)</code>.
+            </li>
+        </ul>
+        <!--<p>
+             In cases with a limited input space, such as for passwords, the hash
+             function also needs to be computationally expensive to be resistant to
+             brute-force attacks. Passwords should also have an unique salt applied
+             before hashing, but that is not considered by this query.
+        </p>-->
+
+        <p>
+            As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.
+        </p>
+
+        <p>
+            Since it's OK to use a weak cryptographic hash function in a non-security
+            context, this query only alerts when these are used to hash sensitive
+            data (such as passwords, certificates, usernames).
+        </p>
+
+    </overview>
+    <recommendation>
+
+        <p>
+            Ensure that you use a strong, modern cryptographic hash function:
+        </p>
+
+        <ul>
+            <li>
+                such as Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space.
+            </li>
+            <li>
+                such as SHA-2, or SHA-3 in other cases.
+            </li>
+        </ul>
+
+    </recommendation>
+    <example>
+
+        <p>
+            The following examples show a function for checking whether the hash
+            of a certificate matches a known value -- to prevent tampering.
+
+            In the first case the MD5 hashing algorithm is used that is known to be vulnerable to collision attacks.
+        </p>
+        <sample src="WeakSensitiveDataHashingBad.swift"/>
+        <p>
+
+            Here is the same function using SHA-512 that is a strong cryptographic hashing function.
+        </p>
+        <sample src="WeakSensitiveDataHashingGood.swift"/>
+
+    </example>
+    <references>
+        <li>
+            OWASP:
+            <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage
+                Cheat Sheet
+            </a>
+            and
+            <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html#use-strong-cryptographic-hashing-algorithms">
+                Transport Layer Protection Cheat Sheet
+            </a>
+        </li>
+    </references>
+
+</qhelp>
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
@@ -0,0 +1,57 @@
+/**
+ * @name Use of a broken or weak cryptographic hashing algorithm on sensitive data
+ * @description Using broken or weak cryptographic hashing algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id py/weak-sensitive-data-hashing
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ */
+
+import swift
+import codeql.swift.security.SensitiveExprs
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+class WeakHashingConfig extends TaintTracking::Configuration {
+  WeakHashingConfig() { this = "WeakHashingConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(SensitiveExpr e |
+      node.asExpr() = e and
+      not e.isProbablySafe()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof WeakHashingConfig::Sink }
+}
+
+module WeakHashingConfig {
+  class Sink extends DataFlow::Node {
+    string algorithm;
+
+    Sink() {
+      exists(ApplyExpr call, FuncDecl func |
+        call.getAnArgument().getExpr() = this.asExpr() and
+        call.getStaticTarget() = func and
+        func.getName().matches(["hash(%", "update(%"]) and
+        algorithm = func.getEnclosingDecl().(StructDecl).getName() and
+        algorithm = ["MD5", "SHA1"]
+      )
+    }
+
+    string getAlgorithm() { result = algorithm }
+  }
+}
+
+from WeakHashingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink, string algorithm
+where
+  config.hasFlowPath(source, sink) and
+  algorithm = sink.getNode().(WeakHashingConfig::Sink).getAlgorithm()
+select sink.getNode(), source, sink,
+  "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(),
+  "sensitive data"
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift
@@ -0,0 +1,5 @@
+typealias Hasher = Crypto.Insecure.MD5
+
+func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
+  return Hasher.hash(data: cert) == hash  // BAD
+}
diff --git a/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift b/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift
@@ -0,0 +1,4 @@
+typealias Hasher = Crypto.SHA512
+
+func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool
+  return Hasher.hash(data: cert) == hash  // GOOD
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected
@@ -0,0 +1,28 @@
+edges
+nodes
+| testCrypto.swift:25:47:25:47 | passwd | semmle.label | passwd |
+| testCrypto.swift:28:43:28:43 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:32:48:32:48 | passwd | semmle.label | passwd |
+| testCrypto.swift:35:44:35:44 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:40:23:40:23 | passwd | semmle.label | passwd |
+| testCrypto.swift:43:23:43:23 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:48:23:48:23 | passwd | semmle.label | passwd |
+| testCrypto.swift:51:23:51:23 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:56:32:56:32 | passwd | semmle.label | passwd |
+| testCrypto.swift:59:32:59:32 | credit_card_no | semmle.label | credit_card_no |
+| testCrypto.swift:64:32:64:32 | passwd | semmle.label | passwd |
+| testCrypto.swift:67:32:67:32 | credit_card_no | semmle.label | credit_card_no |
+subpaths
+#select
+| testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | testCrypto.swift:25:47:25:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:25:47:25:47 | passwd | sensitive data |
+| testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | testCrypto.swift:28:43:28:43 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:28:43:28:43 | credit_card_no | sensitive data |
+| testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | testCrypto.swift:32:48:32:48 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:32:48:32:48 | passwd | sensitive data |
+| testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | testCrypto.swift:35:44:35:44 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:35:44:35:44 | credit_card_no | sensitive data |
+| testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | testCrypto.swift:40:23:40:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:40:23:40:23 | passwd | sensitive data |
+| testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | testCrypto.swift:43:23:43:23 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:43:23:43:23 | credit_card_no | sensitive data |
+| testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | testCrypto.swift:48:23:48:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:48:23:48:23 | passwd | sensitive data |
+| testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | testCrypto.swift:51:23:51:23 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:51:23:51:23 | credit_card_no | sensitive data |
+| testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | testCrypto.swift:56:32:56:32 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:56:32:56:32 | passwd | sensitive data |
+| testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | testCrypto.swift:59:32:59:32 | credit_card_no | Insecure hashing algorithm (MD5) depends on $@. | testCrypto.swift:59:32:59:32 | credit_card_no | sensitive data |
+| testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | testCrypto.swift:64:32:64:32 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:64:32:64:32 | passwd | sensitive data |
+| testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | testCrypto.swift:67:32:67:32 | credit_card_no | Insecure hashing algorithm (SHA1) depends on $@. | testCrypto.swift:67:32:67:32 | credit_card_no | sensitive data |
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref b/swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.qlref
@@ -0,0 +1 @@
+queries/Security/CWE-328/WeakSensitiveDataHashing.ql
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCrypto.swift b/swift/ql/test/query-tests/Security/CWE-328/testCrypto.swift
@@ -0,0 +1,68 @@
+//codeql-extractor-options: -module-name Crypto
+
+enum Insecure {
+    struct MD5 {
+        static func hash<D>(data: D) -> [UInt8] {
+            return []
+        }
+
+        func update<D>(data: D) {}
+        func update(bufferPointer: UnsafeRawBufferPointer) {}
+        func finalize() -> [UInt8] { return [] }
+    }
+    struct SHA1 {
+        static func hash<D>(data: D) -> [UInt8] {
+            return []
+        }
+
+        func update<D>(data: D) {}
+        func update(bufferPointer: UnsafeRawBufferPointer) {}
+        func finalize() -> [UInt8] { return [] }
+    }
+}
+
+func test1(passwd : UnsafeRawBufferPointer, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.Insecure.MD5.hash(data: passwd)  // BAD
+    hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
+    hash = Crypto.Insecure.MD5.hash(data: account_no)   // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
+}
+
+func test2(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.Insecure.SHA1.hash(data: passwd)  // BAD
+    hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
+    hash = Crypto.Insecure.SHA1.hash(data: account_no)   // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.SHA1.hash(data: credit_card_no)   // BAD
+}
+
+func test3(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.Insecure.MD5()
+    hash.update(data: passwd)  // BAD
+    hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
+    hash.update(data: account_no)   // BAD [NOT DETECTED]
+    hash.update(data: credit_card_no)   // BAD
+}
+
+func test4(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
+    var hash = Crypto.Insecure.SHA1()
+    hash.update(data: passwd)  // BAD
+    hash.update(data: encrypted_passwd)  // GOOD  (not sensitive)
+    hash.update(data: account_no)   // BAD [NOT DETECTED]
+    hash.update(data: credit_card_no)   // BAD
+}
+
+func test5(passwd : UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+    var hash = Crypto.Insecure.MD5()
+    hash.update(bufferPointer: passwd)  // BAD
+    hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
+    hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
+    hash.update(bufferPointer: credit_card_no)   // BAD
+}
+
+func test6(passwd : UnsafeRawBufferPointer, encrypted_passwd : UnsafeRawBufferPointer, account_no : UnsafeRawBufferPointer, credit_card_no : UnsafeRawBufferPointer) {
+    var hash = Crypto.Insecure.SHA1()
+    hash.update(bufferPointer: passwd)  // BAD
+    hash.update(bufferPointer: encrypted_passwd)  // GOOD  (not sensitive)
+    hash.update(bufferPointer: account_no)   // BAD [NOT DETECTED]
+    hash.update(bufferPointer: credit_card_no)   // BAD
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/Security/CWE-328/WeakSensitiveDataHashing.ql`