Swift: Fill the simple gaps in modelling.

geoffw0 · geoffw0 · commit f962eac9145e · 2026-05-27T11:20:00.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
@@ -54,12 +54,15 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
         // CryptoKit
         // (SHA-256, SHA-384 and SHA-512 are all variants of the SHA-2 algorithm)
         ";SHA256;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA256",
+        ";SHA256;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA256;true;update(data:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA256;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA256",
         ";SHA384;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA384",
+        ";SHA384;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA384;true;update(data:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA384;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA384",
         ";SHA512;true;hash(data:);;;Argument[0];weak-password-hash-input-SHA512",
+        ";SHA512;true;hash(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
         ";SHA512;true;update(data:);;;Argument[0];weak-password-hash-input-SHA512",
         ";SHA512;true;update(bufferPointer:);;;Argument[0];weak-password-hash-input-SHA512",
         // CryptoSwift
@@ -122,7 +125,7 @@ private class WeakPasswordHashingMetatypeSink extends WeakPasswordHashingSink {
       c.getAnArgument().getExpr() = this.asExpr() and
       algorithm = ["SHA256", "SHA384", "SHA512"] and
       c.getQualifier().getType().getFullName() = algorithm + ["", ".Type"] and
-      c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
+      c.getStaticTarget().getName() = ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
     )
   }
 
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -40,9 +40,11 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {
       [
         // CryptoKit
         ";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",
+        ";Insecure.MD5;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",
         ";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",
+        ";Insecure.SHA1;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",
         ";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",
         // CryptoSwift
@@ -88,7 +90,7 @@ private class WeakSenitiveDataHashingMetatypeSink extends WeakSensitiveDataHashi
       c.getAnArgument().getExpr() = this.asExpr() and
       algorithm = ["MD5", "SHA1"] and
       c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and
-      c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]
+      c.getStaticTarget().getName() = ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
     )
   }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected b/swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected
@@ -3,11 +3,17 @@ edges
 | testCryptoKit.swift:224:38:224:53 | .utf8 | testCryptoKit.swift:224:33:224:57 | call to Data.init(_:) | provenance |  |
 nodes
 | testCryptoKit.swift:84:47:84:47 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:85:52:85:52 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:91:36:91:36 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:92:45:92:45 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:98:44:98:44 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:99:53:99:53 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:105:37:105:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:106:46:106:46 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:112:37:112:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:113:46:113:46 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:119:37:119:37 | passwd | semmle.label | passwd |
+| testCryptoKit.swift:120:46:120:46 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:129:23:129:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:138:23:138:23 | passwd | semmle.label | passwd |
 | testCryptoKit.swift:147:23:147:23 | passwd | semmle.label | passwd |
@@ -49,11 +55,17 @@ nodes
 subpaths
 #select
 | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | testCryptoKit.swift:84:47:84:47 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:84:47:84:47 | passwd | password (passwd) |
+| testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | testCryptoKit.swift:85:52:85:52 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:85:52:85:52 | passwd | password (passwd) |
 | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | testCryptoKit.swift:91:36:91:36 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:91:36:91:36 | passwd | password (passwd) |
+| testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | testCryptoKit.swift:92:45:92:45 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:92:45:92:45 | passwd | password (passwd) |
 | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | testCryptoKit.swift:98:44:98:44 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:98:44:98:44 | passwd | password (passwd) |
+| testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | testCryptoKit.swift:99:53:99:53 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:99:53:99:53 | passwd | password (passwd) |
 | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | testCryptoKit.swift:105:37:105:37 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:105:37:105:37 | passwd | password (passwd) |
+| testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | testCryptoKit.swift:106:46:106:46 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:106:46:106:46 | passwd | password (passwd) |
 | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | testCryptoKit.swift:112:37:112:37 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:112:37:112:37 | passwd | password (passwd) |
+| testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | testCryptoKit.swift:113:46:113:46 | passwd | Insecure hashing algorithm (SHA384) depends on $@. | testCryptoKit.swift:113:46:113:46 | passwd | password (passwd) |
 | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | testCryptoKit.swift:119:37:119:37 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:119:37:119:37 | passwd | password (passwd) |
+| testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | testCryptoKit.swift:120:46:120:46 | passwd | Insecure hashing algorithm (SHA512) depends on $@. | testCryptoKit.swift:120:46:120:46 | passwd | password (passwd) |
 | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | testCryptoKit.swift:129:23:129:23 | passwd | Insecure hashing algorithm (MD5) depends on $@. | testCryptoKit.swift:129:23:129:23 | passwd | password (passwd) |
 | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | testCryptoKit.swift:138:23:138:23 | passwd | Insecure hashing algorithm (SHA1) depends on $@. | testCryptoKit.swift:138:23:138:23 | passwd | password (passwd) |
 | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | testCryptoKit.swift:147:23:147:23 | passwd | Insecure hashing algorithm (SHA256) depends on $@. | testCryptoKit.swift:147:23:147:23 | passwd | password (passwd) |
diff --git a/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift b/swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift
@@ -82,42 +82,42 @@ enum Insecure {
 
 func testHashMethods(passwd : UnsafeRawBufferPointer, cert: String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
     var hash = Crypto.Insecure.MD5.hash(data: passwd)  // BAD
-    hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd)  // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.MD5.hash(bufferPointer: passwd)  // BAD
     hash = Crypto.Insecure.MD5.hash(data: cert)   // BAD
     hash = Crypto.Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash = Crypto.Insecure.MD5.hash(data: account_no)   // BAD
     hash = Crypto.Insecure.MD5.hash(data: credit_card_no)   // BAD
 
     hash = Insecure.MD5.hash(data: passwd)  // BAD
-    hash = Insecure.MD5.hash(bufferPointer: passwd)  // BAD [NOT DETECTED]
+    hash = Insecure.MD5.hash(bufferPointer: passwd)  // BAD
     hash = Insecure.MD5.hash(data: cert)   // BAD
     hash = Insecure.MD5.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash = Insecure.MD5.hash(data: account_no)   // BAD
     hash = Insecure.MD5.hash(data: credit_card_no)   // BAD
 
     hash = Crypto.Insecure.SHA1.hash(data: passwd)  // BAD
-    hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd)  // BAD [NOT DETECTED]
+    hash = Crypto.Insecure.SHA1.hash(bufferPointer: passwd)  // BAD
     hash = Crypto.Insecure.SHA1.hash(data: cert)   // BAD
     hash = Crypto.Insecure.SHA1.hash(data: encrypted_passwd)  // GOOD  (not sensitive)
     hash = Crypto.Insecure.SHA1.hash(data: account_no)   // BAD
     hash = Crypto.Insecure.SHA1.hash(data: credit_card_no)   // BAD
 
     hash = Crypto.SHA256.hash(data: passwd)   // BAD, not a computationally expensive hash
-    hash = Crypto.SHA256.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash = Crypto.SHA256.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash
     hash = Crypto.SHA256.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA256.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA256.hash(data: account_no)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA256.hash(data: credit_card_no)   // GOOD, computationally expensive hash not required
 
     hash = Crypto.SHA384.hash(data: passwd)   // BAD, not a computationally expensive hash
-    hash = Crypto.SHA384.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash = Crypto.SHA384.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash
     hash = Crypto.SHA384.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA384.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA384.hash(data: account_no)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA384.hash(data: credit_card_no)   // GOOD, computationally expensive hash not required
 
     hash = Crypto.SHA512.hash(data: passwd)   // BAD, not a computationally expensive hash
-    hash = Crypto.SHA512.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash [NOT DETECTED]
+    hash = Crypto.SHA512.hash(bufferPointer: passwd)   // BAD, not a computationally expensive hash
     hash = Crypto.SHA512.hash(data: cert)   // GOOD, computationally expensive hash not required
     hash = Crypto.SHA512.hash(data: encrypted_passwd)   // GOOD, not sensitive
     hash = Crypto.SHA512.hash(data: account_no)   // GOOD, computationally expensive hash not required

Original file line number	Diff line number	Diff line change
`@@ -40,9 +40,11 @@ private class WeakSensitiveDataHashingSinks extends SinkModelCsv {`
`40`	`40`	`[`
`41`	`41`	`// CryptoKit`
`42`	`42`	`";Insecure.MD5;true;hash(data:);;;Argument[0];weak-hash-input-MD5",`
	`43`	`+ ";Insecure.MD5;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-MD5",`
`43`	`44`	`";Insecure.MD5;true;update(data:);;;Argument[0];weak-hash-input-MD5",`
`44`	`45`	`";Insecure.MD5;true;update(bufferPointer:);;;Argument[0];weak-hash-input-MD5",`
`45`	`46`	`";Insecure.SHA1;true;hash(data:);;;Argument[0];weak-hash-input-SHA1",`
	`47`	`+ ";Insecure.SHA1;true;hash(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",`
`46`	`48`	`";Insecure.SHA1;true;update(data:);;;Argument[0];weak-hash-input-SHA1",`
`47`	`49`	`";Insecure.SHA1;true;update(bufferPointer:);;;Argument[0];weak-hash-input-SHA1",`
`48`	`50`	`// CryptoSwift`
`@@ -88,7 +90,7 @@ private class WeakSenitiveDataHashingMetatypeSink extends WeakSensitiveDataHashi`
`88`	`90`	`c.getAnArgument().getExpr() = this.asExpr() and`
`89`	`91`	`algorithm = ["MD5", "SHA1"] and`
`90`	`92`	`c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and`
`91`		`- c.getStaticTarget().getName() = ["hash(data:)", "update(data:)", "update(bufferPointer:)"]`
	`93`	`+ c.getStaticTarget().getName() = ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]`
`92`	`94`	`)`
`93`	`95`	`}`
`94`	`96`