diff --git a/rules/swift/security/blowfish-hardcoded-secret-swift.yml b/rules/swift/security/blowfish-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..52ebabff
--- /dev/null
+++ b/rules/swift/security/blowfish-hardcoded-secret-swift.yml
@@ -0,0 +1,295 @@ +id: blowfish-hardcoded-secret-swift +severity: warning +language: swift +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + match_pattern_try_expression_directly: + kind: try_expression + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: end + kind: line_str_text + + match_pattern_Blowfish_statement_directly: + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_Blowfish_expression_with_instance: + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + 
- has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_try_expression_with_instance: + kind: try_expression + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_try_expression_with_utf8: + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_argument + has: + stopBy: end + kind: navigation_expression + all: + - has: + stopBy: end + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: end + kind: navigation_suffix + has: + stopBy: end + kind: simple_identifier + regex: '^utf8$' + + match_pattern_Blowfish_expression_with_utf8: + 
kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^Blowfish$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: '^utf8$' + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + + - kind: call_expression + any: + - matches: match_pattern_Blowfish_statement_directly + - matches: match_pattern_Blowfish_expression_with_instance + - matches: match_pattern_Blowfish_expression_with_utf8 \ No newline at end of file diff --git a/rules/swift/security/chacha20-hardcoded-secret-swift.yml b/rules/swift/security/chacha20-hardcoded-secret-swift.yml new file mode 100644 index 00000000..9ff8217f --- /dev/null +++ b/rules/swift/security/chacha20-hardcoded-secret-swift.yml 
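Review bot: `match_pattern_Blowfish_expression_with_utf8` (the non-`try` `Array("…".utf8)` form) keys on `regex: '^password$'` while every other util in this file, and CryptoSwift's `Blowfish` initializers, use the `key:` label, so that branch can never match a Blowfish call and looks copied from the HKDF rule; change it to `regex: '^key$'`. The fixture `Blowfish(key: Array("hello".utf8))` still fires only because `match_pattern_Blowfish_statement_directly` searches with `stopBy: end` and descends into the nested string literal — its snapshot shows no `Array`/`utf8` labels, unlike the `try` utf8 cases — so the dead branch is masked rather than covered. The two `_with_instance` utils also accept only a preceding `let` initialised with `Array("…".utf8)` and, because `follows` walks preceding siblings, only when the `Blowfish(...)` call is itself a statement-level sibling of that `let`; `let key = "hello"` and `let cipher = try Blowfish(key: key, iv: iv)` appear to slip through, so consider an `any:` over `pattern: Array("$$$".utf8)` / `kind: line_string_literal` for the initialiser and a variant wrapped in `inside: kind: property_declaration`. Since this is a Swift rule the remediation text should point at the Keychain / Secure Enclave (`SecItemAdd`) rather than environment variables, which are not a secret store on iOS.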
@@ -0,0 +1,295 @@ +id: chacha20-hardcoded-secret-swift +severity: warning +language: swift +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + match_pattern_try_expression_directly: + kind: try_expression + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: end + kind: line_str_text + + match_pattern_ChaCha20_statement_directly: + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_ChaCha20_expression_with_instance: + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + 
- has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_try_expression_with_instance: + kind: try_expression + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_try_expression_with_utf8: + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^key$' + - has: + stopBy: end + kind: call_expression + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: end + kind: call_suffix + has: + stopBy: end + kind: value_argument + has: + stopBy: end + kind: navigation_expression + all: + - has: + stopBy: end + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: end + kind: navigation_suffix + has: + stopBy: end + kind: simple_identifier + regex: '^utf8$' + + match_pattern_ChaCha20_expression_with_utf8: + 
kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^ChaCha20$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: '^utf8$' + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + + - kind: call_expression + any: + - matches: match_pattern_ChaCha20_statement_directly + - matches: match_pattern_ChaCha20_expression_with_instance + - matches: match_pattern_ChaCha20_expression_with_utf8 \ No newline at end of file diff --git a/rules/swift/security/hkdf-hardcoded-secret-swift.yml b/rules/swift/security/hkdf-hardcoded-secret-swift.yml new file mode 100644 index 00000000..affcbc32 --- /dev/null +++ b/rules/swift/security/hkdf-hardcoded-secret-swift.yml 
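Review bot: The non-`try` utf8 util `match_pattern_ChaCha20_expression_with_utf8` requires the argument label to match `'^password$'`, but CryptoSwift's `ChaCha20` takes `key:` (as the other five utils here expect), so this branch is dead; the snapshot for `ChaCha20(key: Array("hello".utf8))` lists no `Array`/`utf8` labels, which indicates it is being caught by the `stopBy: end` string-literal search in `match_pattern_ChaCha20_statement_directly` instead. Change that line to `regex: '^key$'`; the file appears to be the Blowfish rule with the class name swapped, so the same fix applies there. The `_with_instance` utils only recognise `Array("…".utf8)` initialisers and, since `follows` checks preceding siblings, only statement-level calls — `let k = "…"` or `let c = try ChaCha20(key: k, iv: iv)` seem to be missed. For a stream cipher a fixed `iv:` literal beside the key (as in most of these fixtures) is as damaging as the key itself because it reuses the keystream, but that belongs in a separate nonce rule rather than this CWE-798 one.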
@@ -0,0 +1,309 @@ +id: hkdf-hardcoded-secret-swift +severity: warning +language: swift +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + + match_pattern_HKDF_expression_with_instance: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^password$' + - has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - inside: + stopBy: end + kind: property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_try_expression_with_instance: + kind: try_expression + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^password$' + - has: + stopBy: end + kind: simple_identifier + nthChild: 2 + pattern: $R + - inside: + stopBy: end + kind: 
property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + stopBy: end + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array("$$$".utf8) + + match_pattern_HKDF_expression_directly: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_directly: + kind: try_expression + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + + match_pattern_HKDF_expression_with_utf8: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor 
+ kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: '^utf8$' + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_with_utf8: + kind: try_expression + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^HKDF$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: '^password$' + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: '^Array$' + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: '^utf8$' + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + - kind: call_expression + any: + - matches: match_pattern_HKDF_expression_directly + - matches: match_pattern_HKDF_expression_with_instance + - matches: match_pattern_HKDF_expression_with_utf8 diff --git a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..7d3b07a5 --- /dev/null +++ b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml 
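Review bot: `try HKDF(password: "123", salt: salt, ...).calculate()` is not flagged by this rule: all three `try_expression_*` utils look only one level down (`has: stopBy: neighbor kind: call_expression`) and then demand `HKDF` as a direct child of that call, but in a `.calculate()` chain the direct child of the `try` is the outer call whose children are a `navigation_expression` and a `call_suffix`, while the inner `HKDF(...)` call that the non-`try` utils do match (the snapshot's primary span stops at `p: 1)`, before `.calculate()`) is excluded there by `not: inside: kind: try_expression`. Changing those three `has:` entries to `stopBy: end`, as `match_pattern_try_expression_with_utf8` already does in the Blowfish/ChaCha20 rules, closes that gap. Separately, the two `_with_instance` utils require the call to be `inside` a `property_declaration` (the sibling rules apply `follows` to the call itself), so only the `let d = try HKDF(password: pw, ...)` shape is caught, and only when `pw` was initialised with `Array("…".utf8)`; `let pw = "secret"` or a `[UInt8]` literal is never treated as hard-coded, and an `any:` over `pattern: Array("$$$".utf8)`, `kind: line_string_literal` and `kind: array_literal` would cover those. Finally, the fixture's `dkLen:`/`N:`/`r:`/`p:` arguments look like Scrypt's rather than HKDF's (CryptoSwift's HKDF takes `salt:`, `info:`, `keyLength:`, `variant:`), so the corpus may have been copied from a scrypt rule — worth confirming against the real initializer so the tests exercise code that actually compiles.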
@@ -0,0 +1,335 @@ +id: blowfish-hardcoded-secret-swift +snapshots: + ? | + Blowfish(key: "hello", iv: "123") + : labels: + - source: 'Blowfish(key: "hello", iv: "123")' + style: primary + start: 0 + end: 33 + - source: Blowfish + style: secondary + start: 0 + end: 8 + - source: key + style: secondary + start: 9 + end: 12 + - source: hello + style: secondary + start: 15 + end: 20 + - source: '"hello"' + style: secondary + start: 14 + end: 21 + - source: 'key: "hello"' + style: secondary + start: 9 + end: 21 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + ? | + Blowfish(key: Array("hello".utf8)); + : labels: + - source: 'Blowfish(key: Array("hello".utf8))' + style: primary + start: 0 + end: 34 + - source: Blowfish + style: secondary + start: 0 + end: 8 + - source: key + style: secondary + start: 9 + end: 12 + - source: hello + style: secondary + start: 21 + end: 26 + - source: '"hello"' + style: secondary + start: 20 + end: 27 + - source: 'key: Array("hello".utf8)' + style: secondary + start: 9 + end: 33 + - source: '(key: Array("hello".utf8))' + style: secondary + start: 8 + end: 34 + - source: '(key: Array("hello".utf8))' + style: secondary + start: 8 + end: 34 + ? 
| + let password = Array("s33krit".utf8) + Blowfish(key: password, iv: "123") + : labels: + - source: 'Blowfish(key: password, iv: "123")' + style: primary + start: 37 + end: 71 + - source: Blowfish + style: secondary + start: 37 + end: 45 + - source: key + style: secondary + start: 46 + end: 49 + - source: password + style: secondary + start: 51 + end: 59 + - source: 'key: password' + style: secondary + start: 46 + end: 59 + - source: '(key: password, iv: "123")' + style: secondary + start: 45 + end: 71 + - source: '(key: password, iv: "123")' + style: secondary + start: 45 + end: 71 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 15 + end: 36 + - source: let password = Array("s33krit".utf8) + style: secondary + start: 0 + end: 36 + ? | + let password: Array = Array("s33krit".utf8) + try Blowfish(key: password, iv: "123") + : labels: + - source: 'try Blowfish(key: password, iv: "123")' + style: primary + start: 51 + end: 89 + - source: Blowfish + style: secondary + start: 55 + end: 63 + - source: key + style: secondary + start: 64 + end: 67 + - source: password + style: secondary + start: 69 + end: 77 + - source: 'key: password' + style: secondary + start: 64 + end: 77 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: 'Blowfish(key: password, iv: "123")' + style: secondary + start: 55 + end: 89 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + ? 
| + try Blowfish(key: "hello", iv: "123") + : labels: + - source: 'try Blowfish(key: "hello", iv: "123")' + style: primary + start: 0 + end: 37 + - source: Blowfish + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: hello + style: secondary + start: 19 + end: 24 + - source: '"hello"' + style: secondary + start: 18 + end: 25 + - source: 'key: "hello"' + style: secondary + start: 13 + end: 25 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: 'Blowfish(key: "hello", iv: "123")' + style: secondary + start: 4 + end: 37 + ? "try Blowfish(key: Array(\"12345\".utf8), iv: \"initialization\") \n" + : labels: + - source: 'try Blowfish(key: Array("12345".utf8), iv: "initialization")' + style: primary + start: 0 + end: 60 + - source: Blowfish + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: Array + style: secondary + start: 18 + end: 23 + - source: '12345' + style: secondary + start: 25 + end: 30 + - source: '"12345"' + style: secondary + start: 24 + end: 31 + - source: utf8 + style: secondary + start: 32 + end: 36 + - source: .utf8 + style: secondary + start: 31 + end: 36 + - source: '"12345".utf8' + style: secondary + start: 24 + end: 36 + - source: '"12345".utf8' + style: secondary + start: 24 + end: 36 + - source: ("12345".utf8) + style: secondary + start: 23 + end: 37 + - source: Array("12345".utf8) + style: secondary + start: 18 + end: 37 + - source: 'key: Array("12345".utf8)' + style: secondary + start: 13 + end: 37 + - source: '(key: Array("12345".utf8), iv: "initialization")' + style: secondary + start: 12 + end: 60 + - source: 'Blowfish(key: Array("12345".utf8), iv: "initialization")' + style: secondary + start: 4 + end: 60 + 'try Blowfish(key: Array("testpassword".utf8), iv: "123abc")': + labels: + - source: 'try Blowfish(key: 
Array("testpassword".utf8), iv: "123abc")' + style: primary + start: 0 + end: 59 + - source: Blowfish + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: Array + style: secondary + start: 18 + end: 23 + - source: testpassword + style: secondary + start: 25 + end: 37 + - source: '"testpassword"' + style: secondary + start: 24 + end: 38 + - source: utf8 + style: secondary + start: 39 + end: 43 + - source: .utf8 + style: secondary + start: 38 + end: 43 + - source: '"testpassword".utf8' + style: secondary + start: 24 + end: 43 + - source: '"testpassword".utf8' + style: secondary + start: 24 + end: 43 + - source: ("testpassword".utf8) + style: secondary + start: 23 + end: 44 + - source: Array("testpassword".utf8) + style: secondary + start: 18 + end: 44 + - source: 'key: Array("testpassword".utf8)' + style: secondary + start: 13 + end: 44 + - source: '(key: Array("testpassword".utf8), iv: "123abc")' + style: secondary + start: 12 + end: 59 + - source: 'Blowfish(key: Array("testpassword".utf8), iv: "123abc")' + style: secondary + start: 4 + end: 59 diff --git a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..4ce925b7 --- /dev/null +++ b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml 
@@ -0,0 +1,336 @@ +id: chacha20-hardcoded-secret-swift +snapshots: + ? | + ChaCha20(key: "hello", iv: "123") + : labels: + - source: 'ChaCha20(key: "hello", iv: "123")' + style: primary + start: 0 + end: 33 + - source: ChaCha20 + style: secondary + start: 0 + end: 8 + - source: key + style: secondary + start: 9 + end: 12 + - source: hello + style: secondary + start: 15 + end: 20 + - source: '"hello"' + style: secondary + start: 14 + end: 21 + - source: 'key: "hello"' + style: secondary + start: 9 + end: 21 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + ? | + ChaCha20(key: Array("hello".utf8)); + : labels: + - source: 'ChaCha20(key: Array("hello".utf8))' + style: primary + start: 0 + end: 34 + - source: ChaCha20 + style: secondary + start: 0 + end: 8 + - source: key + style: secondary + start: 9 + end: 12 + - source: hello + style: secondary + start: 21 + end: 26 + - source: '"hello"' + style: secondary + start: 20 + end: 27 + - source: 'key: Array("hello".utf8)' + style: secondary + start: 9 + end: 33 + - source: '(key: Array("hello".utf8))' + style: secondary + start: 8 + end: 34 + - source: '(key: Array("hello".utf8))' + style: secondary + start: 8 + end: 34 + ? 
| + let password = Array("s33krit".utf8) + ChaCha20(key: password, iv: "123") + : labels: + - source: 'ChaCha20(key: password, iv: "123")' + style: primary + start: 37 + end: 71 + - source: ChaCha20 + style: secondary + start: 37 + end: 45 + - source: key + style: secondary + start: 46 + end: 49 + - source: password + style: secondary + start: 51 + end: 59 + - source: 'key: password' + style: secondary + start: 46 + end: 59 + - source: '(key: password, iv: "123")' + style: secondary + start: 45 + end: 71 + - source: '(key: password, iv: "123")' + style: secondary + start: 45 + end: 71 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 15 + end: 36 + - source: let password = Array("s33krit".utf8) + style: secondary + start: 0 + end: 36 + ? | + let password: Array = Array("s33krit".utf8) + try ChaCha20(key: password, iv: "123") + : labels: + - source: 'try ChaCha20(key: password, iv: "123")' + style: primary + start: 51 + end: 89 + - source: ChaCha20 + style: secondary + start: 55 + end: 63 + - source: key + style: secondary + start: 64 + end: 67 + - source: password + style: secondary + start: 69 + end: 77 + - source: 'key: password' + style: secondary + start: 64 + end: 77 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: 'ChaCha20(key: password, iv: "123")' + style: secondary + start: 55 + end: 89 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + ? 
| + try ChaCha20(key: "hello", iv: "123") + : labels: + - source: 'try ChaCha20(key: "hello", iv: "123")' + style: primary + start: 0 + end: 37 + - source: ChaCha20 + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: hello + style: secondary + start: 19 + end: 24 + - source: '"hello"' + style: secondary + start: 18 + end: 25 + - source: 'key: "hello"' + style: secondary + start: 13 + end: 25 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: 'ChaCha20(key: "hello", iv: "123")' + style: secondary + start: 4 + end: 37 + ? "try ChaCha20(key: Array(\"12345\".utf8), iv: \"initialization\") \n" + : labels: + - source: 'try ChaCha20(key: Array("12345".utf8), iv: "initialization")' + style: primary + start: 0 + end: 60 + - source: ChaCha20 + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: Array + style: secondary + start: 18 + end: 23 + - source: '12345' + style: secondary + start: 25 + end: 30 + - source: '"12345"' + style: secondary + start: 24 + end: 31 + - source: utf8 + style: secondary + start: 32 + end: 36 + - source: .utf8 + style: secondary + start: 31 + end: 36 + - source: '"12345".utf8' + style: secondary + start: 24 + end: 36 + - source: '"12345".utf8' + style: secondary + start: 24 + end: 36 + - source: ("12345".utf8) + style: secondary + start: 23 + end: 37 + - source: Array("12345".utf8) + style: secondary + start: 18 + end: 37 + - source: 'key: Array("12345".utf8)' + style: secondary + start: 13 + end: 37 + - source: '(key: Array("12345".utf8), iv: "initialization")' + style: secondary + start: 12 + end: 60 + - source: 'ChaCha20(key: Array("12345".utf8), iv: "initialization")' + style: secondary + start: 4 + end: 60 + ? 
| + try ChaCha20(key: Array("testpassword".utf8), iv: "123abc") + : labels: + - source: 'try ChaCha20(key: Array("testpassword".utf8), iv: "123abc")' + style: primary + start: 0 + end: 59 + - source: ChaCha20 + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: Array + style: secondary + start: 18 + end: 23 + - source: testpassword + style: secondary + start: 25 + end: 37 + - source: '"testpassword"' + style: secondary + start: 24 + end: 38 + - source: utf8 + style: secondary + start: 39 + end: 43 + - source: .utf8 + style: secondary + start: 38 + end: 43 + - source: '"testpassword".utf8' + style: secondary + start: 24 + end: 43 + - source: '"testpassword".utf8' + style: secondary + start: 24 + end: 43 + - source: ("testpassword".utf8) + style: secondary + start: 23 + end: 44 + - source: Array("testpassword".utf8) + style: secondary + start: 18 + end: 44 + - source: 'key: Array("testpassword".utf8)' + style: secondary + start: 13 + end: 44 + - source: '(key: Array("testpassword".utf8), iv: "123abc")' + style: secondary + start: 12 + end: 59 + - source: 'ChaCha20(key: Array("testpassword".utf8), iv: "123abc")' + style: secondary + start: 4 + end: 59 diff --git a/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..38289653 --- /dev/null +++ b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml 
@@ -0,0 +1,322 @@ +id: hkdf-hardcoded-secret-swift +snapshots: + ? | + HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 66 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: '123' + style: secondary + start: 16 + end: 19 + - source: '"123"' + style: secondary + start: 15 + end: 20 + - source: 'password: "123"' + style: secondary + start: 5 + end: 20 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + ? | + HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 80 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: Array + style: secondary + start: 15 + end: 20 + - source: hello + style: secondary + start: 22 + end: 27 + - source: '"hello"' + style: secondary + start: 21 + end: 28 + - source: utf8 + style: secondary + start: 29 + end: 33 + - source: .utf8 + style: secondary + start: 28 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: Array("hello".utf8) + style: secondary + start: 15 + end: 34 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 5 + end: 34 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 
1)' + style: secondary + start: 4 + end: 80 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 80 + ? | + let password = Array("s33krit".utf8) + let key = HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 47 + end: 116 + - source: HKDF + style: secondary + start: 47 + end: 51 + - source: password + style: secondary + start: 62 + end: 70 + - source: password + style: secondary + start: 62 + end: 70 + - source: 'password: password' + style: secondary + start: 52 + end: 70 + - source: '(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 51 + end: 116 + - source: '(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 51 + end: 116 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 15 + end: 36 + - source: let password = Array("s33krit".utf8) + style: secondary + start: 0 + end: 36 + - source: 'let key = HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()' + style: secondary + start: 37 + end: 128 + ? 
| + let password: Array = Array("s33krit".utf8) + let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 61 + end: 134 + - source: HKDF + style: secondary + start: 65 + end: 69 + - source: password + style: secondary + start: 80 + end: 88 + - source: password + style: secondary + start: 80 + end: 88 + - source: 'password: password' + style: secondary + start: 70 + end: 88 + - source: '(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 69 + end: 134 + - source: '(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 69 + end: 134 + - source: 'HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 65 + end: 134 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: 'let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()' + style: secondary + start: 51 + end: 146 + ? 
| + try HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 70 + - source: HKDF + style: secondary + start: 4 + end: 8 + - source: password + style: secondary + start: 9 + end: 17 + - source: '123' + style: secondary + start: 20 + end: 23 + - source: '"123"' + style: secondary + start: 19 + end: 24 + - source: 'password: "123"' + style: secondary + start: 9 + end: 24 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 70 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 70 + - source: 'HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 70 + ? | + try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 84 + - source: HKDF + style: secondary + start: 4 + end: 8 + - source: password + style: secondary + start: 9 + end: 17 + - source: Array + style: secondary + start: 19 + end: 24 + - source: hello + style: secondary + start: 26 + end: 31 + - source: '"hello"' + style: secondary + start: 25 + end: 32 + - source: utf8 + style: secondary + start: 33 + end: 37 + - source: .utf8 + style: secondary + start: 32 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: Array("hello".utf8) + style: secondary + start: 19 + end: 38 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 9 + end: 38 + - source: 
'(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 84
diff --git a/tests/swift/blowfish-hardcoded-secret-swift-test.yml b/tests/swift/blowfish-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..11021790
--- /dev/null
+++ b/tests/swift/blowfish-hardcoded-secret-swift-test.yml
@@ -0,0 +1,21 @@
+id: blowfish-hardcoded-secret-swift
+valid:
+ - |
+ try Blowfish(key: password, iv: "123")
+invalid:
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try Blowfish(key: password, iv: "123")
+ - |
+ try Blowfish(key: "hello", iv: "123")
+ - |
+ let password = Array("s33krit".utf8)
+ Blowfish(key: password, iv: "123")
+ - |
+ Blowfish(key: Array("hello".utf8));
+ - |
+ try Blowfish(key: Array("12345".utf8), iv: "initialization")
+ - |
+ Blowfish(key: "hello", iv: "123")
+ - |
+ try Blowfish(key: Array("testpassword".utf8), iv: "123abc")
\ No newline at end of file
diff --git a/tests/swift/chacha20-hardcoded-secret-swift-test.yml b/tests/swift/chacha20-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..eea5117c
--- /dev/null
+++ b/tests/swift/chacha20-hardcoded-secret-swift-test.yml
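Review bot: The `valid` list has a single case, so the variable-tracking path that most `invalid` entries depend on is never tested for false positives: every `let password = …` binding in this file is a literal, and nothing checks that a key bound from a non-literal source is left alone. I would add a `valid` entry with a placeholder non-literal binding, e.g. `let password = loadKey()` (constructed name) followed by `try Blowfish(key: password, iv: "123")`, and a bare-identifier call without `try`, `Blowfish(key: password, iv: "123")`, since the rule's `try` and non-`try` matchers are separate utils. The same gap applies to the chacha20 and hkdf test files in this commit. This file also ends without a trailing newline, unlike its sibling test files.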
@@ -0,0 +1,21 @@
+id: chacha20-hardcoded-secret-swift
+valid:
+ - |
+ try ChaCha20(key: password, iv: "123")
+invalid:
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try ChaCha20(key: password, iv: "123")
+ - |
+ try ChaCha20(key: "hello", iv: "123")
+ - |
+ let password = Array("s33krit".utf8)
+ ChaCha20(key: password, iv: "123")
+ - |
+ ChaCha20(key: Array("hello".utf8));
+ - |
+ try ChaCha20(key: Array("12345".utf8), iv: "initialization")
+ - |
+ ChaCha20(key: "hello", iv: "123")
+ - |
+ try ChaCha20(key: Array("testpassword".utf8), iv: "123abc")
diff --git a/tests/swift/hkdf-hardcoded-secret-swift-test.yml b/tests/swift/hkdf-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..c445615f
--- /dev/null
+++ b/tests/swift/hkdf-hardcoded-secret-swift-test.yml
@@ -0,0 +1,19 @@
+id: hkdf-hardcoded-secret-swift
+valid:
+ - |
+ let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+invalid:
+ - |
+ let password: Array = Array("s33krit".utf8)
+ let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ try HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ let password = Array("s33krit".utf8)
+ let key = HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
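Review bot: Every HKDF fixture here passes `dkLen: 64, N: 16384, r: 8, p: 1`, which are scrypt cost parameters rather than HKDF ones; if the target library is CryptoSwift, its `HKDF` initializer takes `salt:`, `info:`, `keyLength:` and `variant:` instead, so these cases look copied from a Scrypt test. Presumably the rule, like the blowfish rule in this commit, keys only on the `HKDF` identifier and the `password:` argument, so the tests still pass, but the fixtures (and the hkdf snapshot file, which carries the same strings) do not describe a call that would compile against that API. I would rewrite the `valid` and `invalid` entries along the lines of `try HKDF(password: Array("hello".utf8), salt: salt, info: info, keyLength: 32, variant: .sha256).calculate()`, keeping the literal/variable-binding variants as they are.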