Merged
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
</recommendation>
<example>

<p>The following example shows three cases of storing information using the Core Data library. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
<p>The following example shows three cases of storing information using the Core Data library. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>

<sample src="CleartextStorageDatabase.swift" />

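Review bot: the added sentence in the `<p>` leaves open where the key in the sample comes from; since the sample now takes an `encryptionKey: SymmetricKey` parameter rather than hard-coding one, consider saying so, e.g. "...and put suitable key management practices into place (the sample receives its key from the caller; it must not be stored next to the data it protects)."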
Expand All @@ -23,6 +23,10 @@
OWASP Top 10:2021:
<a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>

</references>
</qhelp>
@@ -1,5 +1,11 @@
import CryptoKit

func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String) {
private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
return sealedBox.combined!.base64EncodedString()
}

func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
// ...

// GOOD: not sensitive information
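Review bot: `encrypt` uses `try!` and `combined!` (the `AES.GCM.seal` and `sealedBox.combined!` lines), so a sealing failure crashes the process in what the sample labels the GOOD path; suggest declaring the helper `throws` and using plain `try`, and adding a comment that `combined` is non-nil only for the default 96-bit nonce that `seal` generates when no nonce is passed, which is why the force unwrap is acceptable here.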
Expand All @@ -9,7 +15,7 @@ func storeMyData(databaseObject : NSManagedObject, faveSong : String, creditCard
databaseObject.setValue(creditCardNo, forKey: "myCreditCardNo")

// GOOD: encrypted sensitive information saved
databaseObject.setValue(encrypt(creditCardNo), forKey: "myCreditCardNo")
databaseObject.setValue(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")

// ...
}
Expand Up @@ -12,7 +12,7 @@
</recommendation>
<example>

<p>The following example shows three cases of transmitting information. In the 'BAD' case, the data transmitted is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
<p>The following example shows three cases of transmitting information. In the 'BAD' case, the data transmitted is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>

<sample src="CleartextTransmission.swift" />

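Review bot: for the transmission case the added sentence should say that transport encryption (TLS on the `NWConnection`) is the usual protection and that application-layer encryption as in the sample is in addition to it, not instead of it; otherwise a reader may take the base64 AES-GCM string sent over a plain connection as a substitute for TLS.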
Expand All @@ -23,6 +23,10 @@
OWASP Top 10:2021:
<a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>

</references>
</qhelp>
@@ -1,5 +1,11 @@
import CryptoKit

func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String) {
private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
return sealedBox.combined!.base64EncodedString()
}

func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
// ...

// GOOD: not sensitive information
Expand All @@ -9,7 +15,7 @@ func transmitMyData(connection : NWConnection, faveSong : String, creditCardNo :
connection.send(content: creditCardNo, completion: .idempotent)

// GOOD: encrypted sensitive information saved
connection.send(content: encrypt(creditCardNo), completion: .idempotent)
connection.send(content: encrypt(creditCardNo, encryptionKey), completion: .idempotent)

// ...
}
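Review bot: `NWConnection.send(content:contentContext:isComplete:completion:)` takes `content: Data?`, but `encrypt` returns a `String`, so the GOOD line `connection.send(content: encrypt(creditCardNo, encryptionKey), completion: .idempotent)` would not type-check; either return `sealedBox.combined!` as `Data` from the helper in this sample or wrap the result as `Data(encrypt(creditCardNo, encryptionKey).utf8)`. The unchanged BAD line passes a `String` too, so if these samples are illustrative rather than compiled this can be left as is.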
Expand Up @@ -12,7 +12,7 @@
</recommendation>
<example>

<p>The following example shows three cases of storing information using UserDefaults. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption.</p>
<p>The following example shows three cases of storing information using UserDefaults. In the 'BAD' case, the data that is stored is sensitive (a credit card number) and is not encrypted. In the 'GOOD' cases, the data is either not sensitive, or is protected with encryption. When encryption is used, take care to select a secure modern encryption algorithm, and put suitable key management practices into place.</p>

<sample src="CleartextStoragePreferences.swift" />

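Review bot: for UserDefaults specifically, the key management sentence would be stronger with a concrete pointer: the `SymmetricKey` must not itself be written to UserDefaults (the backing plist is readable to anyone with access to the app container), and the Keychain is the intended place for it; suggest a phrase to that effect, or a Keychain Services link next to the existing UserDefaults reference.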
Expand All @@ -26,6 +26,10 @@
<li>
Apple Developer Documentation: <a href="https://developer.apple.com/documentation/foundation/userdefaults">UserDefaults</a>, <a href="https://developer.apple.com/documentation/foundation/nsubiquitouskeyvaluestore">NSUbiquitousKeyValueStore</a>
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>

</references>
</qhelp>
@@ -1,5 +1,11 @@
import CryptoKit

func storeMyData(faveSong : String, creditCardNo : String) {
private func encrypt(_ text: String, _ encryptionKey: SymmetricKey) -> String {
let sealedBox = try! AES.GCM.seal(Data(text.utf8), using: encryptionKey)
return sealedBox.combined!.base64EncodedString()
}

func storeMyData(faveSong : String, creditCardNo : String, encryptionKey: SymmetricKey) {
// ...

// GOOD: not sensitive information
Expand All @@ -9,7 +15,7 @@ func storeMyData(faveSong : String, creditCardNo : String) {
UserDefaults.standard.set(creditCardNo, forKey: "myCreditCardNo")

// GOOD: encrypted sensitive information saved
UserDefaults.standard.set(encrypt(creditCardNo), forKey: "myCreditCardNo")
UserDefaults.standard.set(encrypt(creditCardNo, encryptionKey), forKey: "myCreditCardNo")

// ...
}
Expand Up @@ -6,9 +6,9 @@ func encrypt(padding : Padding) {
let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05]
let keyString = "this is a constant string"
let ivString = getRandomIV()
_ = try AES(key: key, blockMode: CBC(), padding: padding)
_ = try AES(key: key, blockMode: CBC(AES.randomIV(AES.blockSize)), padding: padding)
_ = try AES(key: keyString, iv: ivString)
_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
_ = try Blowfish(key: key, blockMode: CBC(Blowfish.randomIV(Blowfish.blockSize)), padding: padding)
_ = try Blowfish(key: keyString, iv: ivString)


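Review bot: `CBC(AES.randomIV(AES.blockSize))` and `CBC(Blowfish.randomIV(Blowfish.blockSize))` pass the IV as an unlabeled argument, while the ECBEncryption.swift hunk further down writes `CBC(iv: ...)`; CryptoSwift's initializer is `CBC(iv:)`, so use the labeled form here too, in this hunk and in the following one (four occurrences in this file).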
Expand All @@ -18,9 +18,9 @@ func encrypt(padding : Padding) {
if status == errSecSuccess {
let keyString = String(cString: key)
let ivString = getRandomIV()
_ = try AES(key: key, blockMode: CBC(), padding: padding)
_ = try AES(key: key, blockMode: CBC(AES.randomIV(AES.blockSize)), padding: padding)
_ = try AES(key: keyString, iv: ivString)
_ = try Blowfish(key: key, blockMode: CBC(), padding: padding)
_ = try Blowfish(key: key, blockMode: CBC(Blowfish.randomIV(Blowfish.blockSize)), padding: padding)
_ = try Blowfish(key: keyString, iv: ivString)
}

9 changes: 5 additions & 4 deletions swift/ql/src/queries/Security/CWE-327/ECBEncryption.swift
Expand Up @@ -9,10 +9,11 @@ func encrypt(key : Key, padding : Padding) {
_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)

// GOOD: ECB is not used for block mode
let blockMode = CBC()
_ = try AES(key: key, blockMode: blockMode, padding: padding)
_ = try AES(key: key, blockMode: blockMode)
_ = try Blowfish(key: key, blockMode: blockMode, padding: padding)
let aesBlockMode = CBC(iv: AES.randomIV(AES.blockSize))
let blowfishBlockMode = CBC(iv: Blowfish.randomIV(Blowfish.blockSize))
_ = try AES(key: key, blockMode: aesBlockMode, padding: padding)
_ = try AES(key: key, blockMode: aesBlockMode)
_ = try Blowfish(key: key, blockMode: blowfishBlockMode, padding: padding)

// ...
}
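Review bot: `aesBlockMode` is reused for the two `AES(...)` calls that follow it, so the same IV is used twice under the same key; for a GOOD example either construct a fresh `CBC(iv: AES.randomIV(AES.blockSize))` per call or add a comment that the reuse is for brevity only. The split into `aesBlockMode` and `blowfishBlockMode` is correct because the IV length must match each cipher's block size (16 bytes for AES, 8 for Blowfish); a one-line comment saying so would explain why the single shared `blockMode` was removed.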