Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 4b7cb70

Browse files
karimhamdanalikarimhamdanali
committed
fix error in checking # of iterations
plus also simplify the pattern matching of the sink classes
1 parent 0d2e7d4 commit 4b7cb70

1 file changed

Lines changed: 8 additions & 15 deletions

File tree

swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql

Lines changed: 8 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ abstract class IterationsSource extends Expr { }
2424
* A literal integer that is 1000 or less is a source of taint for iterations.
2525
*/
2626
class IntLiteralSource extends IterationsSource instanceof IntegerLiteralExpr {
27-
IntLiteralSource() { this.getStringValue().toInt() >= 1000 }
27+
IntLiteralSource() { this.getStringValue().toInt() < 1000 }
2828
}
2929

3030
/**
@@ -33,20 +33,13 @@ class IntLiteralSource extends IterationsSource instanceof IntegerLiteralExpr {
3333
class InsufficientHashIterationsSink extends Expr {
3434
InsufficientHashIterationsSink() {
3535
// `iterations` arg in `init` is a sink
36-
exists(ClassOrStructDecl c, AbstractFunctionDecl f, CallExpr call |
37-
c.getFullName() = "PKCS5.PBKDF1" and
36+
exists(ClassOrStructDecl c, AbstractFunctionDecl f, CallExpr call, int arg |
37+
c.getFullName() = ["PBKDF1", "PBKDF2"] and
3838
c.getAMember() = f and
3939
f.getName().matches("init(%iterations:%") and
4040
call.getStaticTarget() = f and
41-
call.getArgument(2).getExpr() = this
42-
)
43-
or
44-
exists(ClassOrStructDecl c, AbstractFunctionDecl f, CallExpr call |
45-
c.getFullName() = "PKCS5.PBKDF2" and
46-
c.getAMember() = f and
47-
f.getName().matches("init(%iterations:%") and
48-
call.getStaticTarget() = f and
49-
call.getArgument(3).getExpr() = this
41+
f.getParam(pragma[only_bind_into](arg)).getName() = "iterations" and
42+
call.getArgument(pragma[only_bind_into](arg)).getExpr() = this
5043
)
5144
}
5245
}
@@ -71,6 +64,6 @@ from
7164
DataFlow::PathNode sinkNode
7265
where config.hasFlowPath(sourceNode, sinkNode)
7366
select sinkNode.getNode(), sourceNode, sinkNode,
74-
"The hash function '" + sinkNode.getNode().toString() +
75-
"' has been initialized with an insufficient number of iterations from $@.", sourceNode,
76-
sourceNode.getNode().toString()
67+
"The variable '" + sinkNode.getNode().toString() +
68+
"' is an insufficient number of iterations, which is not secure for hash functions.",
69+
sourceNode, sourceNode.getNode().toString()

0 commit comments

Comments
 (0)