
Commit b6f4108

committed
pkcs5-hardcoded-secret-swift
1 parent 3560c16 commit b6f4108

3 files changed

+213
-0
lines changed

Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
id: pkcs5-hardcoded-secret-swift
2+
language: swift
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[REFERENCES]
13+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
utils:
15+
match_with_try:
16+
kind: call_expression
17+
all:
18+
- has:
19+
stopBy: end
20+
kind: try_expression
21+
all:
22+
- has:
23+
stopBy: end
24+
kind: navigation_expression
25+
has:
26+
stopBy: end
27+
kind: simple_identifier
28+
regex: "^PKCS5$"
29+
- has:
30+
stopBy: end
31+
kind: call_suffix
32+
has:
33+
stopBy: end
34+
kind: value_argument
35+
all:
36+
- has:
37+
stopBy: end
38+
kind: simple_identifier
39+
field: name
40+
regex: "^password$"
41+
- has:
42+
field: value
43+
kind: simple_identifier
44+
pattern: $R
45+
follows:
46+
stopBy: end
47+
kind: property_declaration
48+
has:
49+
stopBy: end
50+
kind: pattern
51+
has:
52+
stopBy: end
53+
kind: simple_identifier
54+
pattern: $R
55+
56+
match_call_expression:
57+
kind: call_expression
58+
has:
59+
stopBy: end
60+
kind: navigation_expression
61+
all:
62+
- has:
63+
stopBy: end
64+
kind: simple_identifier
65+
regex: "^PKCS5$"
66+
- has:
67+
stopBy: end
68+
kind: value_argument
69+
all:
70+
- has:
71+
stopBy: end
72+
kind: simple_identifier
73+
regex: "^password$"
74+
- has:
75+
stopBy: end
76+
kind: line_string_literal
77+
has:
78+
stopBy: end
79+
kind: line_str_text
80+
81+
match_without_try:
82+
kind: call_expression
83+
all:
84+
- has:
85+
stopBy: end
86+
kind: navigation_expression
87+
has:
88+
stopBy: end
89+
kind: simple_identifier
90+
regex: "^PKCS5$"
91+
- has:
92+
stopBy: end
93+
kind: call_suffix
94+
has:
95+
stopBy: end
96+
kind: value_argument
97+
all:
98+
- has:
99+
stopBy: end
100+
kind: simple_identifier
101+
field: name
102+
regex: "^password$"
103+
- has:
104+
stopBy: end
105+
kind: simple_identifier
106+
field: value
107+
pattern: $T
108+
- follows:
109+
stopBy: end
110+
kind: property_declaration
111+
has:
112+
kind: pattern
113+
has:
114+
stopBy: end
115+
kind: simple_identifier
116+
pattern: $T
117+
118+
rule:
119+
any:
120+
- matches: match_call_expression
121+
- matches: match_with_try
122+
- matches: match_without_try
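Review bot: The two variable-tracking utils (`match_with_try`, `match_without_try`) only require that the `password:` argument be an identifier bound by an earlier `property_declaration` with the same name; nothing inspects that declaration's initializer, so `let password = try keychain.readPassword()` followed by `PKCS5.PBKDF2(password: password, ...)` is reported as a hard-coded secret even though no secret is in source. Since the message is specifically about credentials in code, the `property_declaration` clause should also require a literal in the initializer — wrap its existing `has:` in an `all:` and add `- has: {stopBy: end, kind: line_string_literal}` — which still matches the `Array("s33krit".utf8)` snapshot case because the literal is a descendant of the declaration. Separately, in `match_with_try` the `follows:` hangs off the argument's `simple_identifier`, whereas `match_without_try` puts it on the `call_expression`; if ast-grep's `follows` only walks preceding siblings, the former can never see a statement-level `property_declaration` and the `let password` snapshot hit would be coming from `match_without_try` alone — worth confirming and aligning the two utils. Finally, for Swift on Apple platforms the practical remediation is usually the Keychain or Secure Enclave rather than environment variables; consider appending `On Apple platforms, prefer the Keychain (or Secure Enclave) to environment variables.` to `message`.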
Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,81 @@
1+
id: pkcs5-hardcoded-secret-swift
2+
snapshots:
3+
? |
4+
PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
5+
: labels:
6+
- source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()'
7+
style: primary
8+
start: 0
9+
end: 89
10+
- source: PKCS5
11+
style: secondary
12+
start: 0
13+
end: 5
14+
- source: password
15+
style: secondary
16+
start: 13
17+
end: 21
18+
- source: '123'
19+
style: secondary
20+
start: 24
21+
end: 27
22+
- source: '"123"'
23+
style: secondary
24+
start: 23
25+
end: 28
26+
- source: 'password: "123"'
27+
style: secondary
28+
start: 13
29+
end: 28
30+
- source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate'
31+
style: secondary
32+
start: 0
33+
end: 87
34+
? |
35+
let password: Array<UInt8> = Array("s33krit".utf8)
36+
try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
37+
: labels:
38+
- source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()'
39+
style: primary
40+
start: 51
41+
end: 147
42+
- source: PKCS5
43+
style: secondary
44+
start: 55
45+
end: 60
46+
- source: PKCS5.PBKDF2
47+
style: secondary
48+
start: 55
49+
end: 67
50+
- source: password
51+
style: secondary
52+
start: 68
53+
end: 76
54+
- source: password
55+
style: secondary
56+
start: 78
57+
end: 86
58+
- source: 'password: password'
59+
style: secondary
60+
start: 68
61+
end: 86
62+
- source: '(password: password, salt: salt, iterations: 4096, variant: .sha256)'
63+
style: secondary
64+
start: 67
65+
end: 135
66+
- source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256)'
67+
style: secondary
68+
start: 51
69+
end: 135
70+
- source: password
71+
style: secondary
72+
start: 4
73+
end: 12
74+
- source: password
75+
style: secondary
76+
start: 4
77+
end: 12
78+
- source: 'let password: Array<UInt8> = Array("s33krit".utf8)'
79+
style: secondary
80+
start: 0
81+
end: 50
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
id: pkcs5-hardcoded-secret-swift
2+
valid:
3+
- |
4+
PKCS5.PBKDF2(password: password1, salt: salt, iterations: 4096, variant: .sha256).calculate()
5+
invalid:
6+
- |
7+
let password: Array<UInt8> = Array("s33krit".utf8)
8+
try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
9+
- |
10+
PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
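Review bot: The `valid` list has a single case, and it only shows that an undeclared identifier (`password1`) is not reported; it never exercises the false-positive class the rule is most exposed to, a `password` variable bound from a non-literal source. Add a valid case such as `let password: Array<UInt8> = Array(keychainPassword.utf8)` followed by the same `try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()` line used in the `invalid` list — as the rule is written this case would be reported, so it documents the gap until the rule checks the declaration's initializer. It would also be worth pinning the literal variant's edge, e.g. an invalid case using `var password = "123"` bound before the call and, if it is intended to pass, a valid case with a purely interpolated value `password: "\(secret)"`, since `line_str_text` is what the literal rule keys on.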
