Skip to content

Add rules for detecting hard-coded secrets in Swift applications #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

Add rules for detecting hard-coded secrets in Swift applications #44

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3560c16
scrypt-hardcoded-secret-swift
ESS-ENN Oct 24, 2024
b6f4108
pkcs5-hardcoded-secret-swift
ESS-ENN Oct 24, 2024
fcd7e4b
Merge branch 'main' into two-swift-rules-24Oct2024
ESS-ENN Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
122 changes: 122 additions & 0 deletions rules/swift/security/pkcs5-hardcoded-secret-swift.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
id: pkcs5-hardcoded-secret-swift
language: swift
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798]: Use of Hard-coded Credentials
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_with_try:
kind: call_expression
all:
- has:
stopBy: end
kind: try_expression
all:
- has:
stopBy: end
kind: navigation_expression
has:
stopBy: end
kind: simple_identifier
regex: "^PKCS5$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
field: name
regex: "^password$"
- has:
field: value
kind: simple_identifier
pattern: $R
follows:
stopBy: end
kind: property_declaration
has:
stopBy: end
kind: pattern
has:
stopBy: end
kind: simple_identifier
pattern: $R

match_call_expression:
kind: call_expression
has:
stopBy: end
kind: navigation_expression
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^PKCS5$"
- has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^password$"
- has:
stopBy: end
kind: line_string_literal
has:
stopBy: end
kind: line_str_text

match_without_try:
kind: call_expression
all:
- has:
stopBy: end
kind: navigation_expression
has:
stopBy: end
kind: simple_identifier
regex: "^PKCS5$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: simple_identifier
field: value
pattern: $T
- follows:
stopBy: end
kind: property_declaration
has:
kind: pattern
has:
stopBy: end
kind: simple_identifier
pattern: $T

rule:
any:
- matches: match_call_expression
- matches: match_with_try
- matches: match_without_try
67 changes: 67 additions & 0 deletions rules/swift/security/scrypt-hardcoded-secret-swift.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
id: scrypt-hardcoded-secret-swift
language: swift
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[OWASP A07:2021]:Identification and Authentication Failures
[CWE-798]: Use of Hard-coded Credentials
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_property_declaration:
kind: property_declaration
all:
- has:
stopBy: end
kind: call_expression
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: simple_identifier
field: value
pattern: $R
- follows:
stopBy: end
kind: property_declaration
has:
stopBy: end
kind: pattern
has:
kind: simple_identifier
pattern: $R
match_call_expression:
kind: call_expression
has:
stopBy: end
kind: navigation_expression
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^password$"
- has:
stopBy: end
kind: line_string_literal
has:
stopBy: end
kind: line_str_text
rule:
any:
- matches: match_property_declaration
- matches: match_call_expression
81 changes: 81 additions & 0 deletions tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
id: pkcs5-hardcoded-secret-swift
snapshots:
? |
PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
: labels:
- source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()'
style: primary
start: 0
end: 89
- source: PKCS5
style: secondary
start: 0
end: 5
- source: password
style: secondary
start: 13
end: 21
- source: '123'
style: secondary
start: 24
end: 27
- source: '"123"'
style: secondary
start: 23
end: 28
- source: 'password: "123"'
style: secondary
start: 13
end: 28
- source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate'
style: secondary
start: 0
end: 87
? |
let password: Array<UInt8> = Array("s33krit".utf8)
try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
: labels:
- source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()'
style: primary
start: 51
end: 147
- source: PKCS5
style: secondary
start: 55
end: 60
- source: PKCS5.PBKDF2
style: secondary
start: 55
end: 67
- source: password
style: secondary
start: 68
end: 76
- source: password
style: secondary
start: 78
end: 86
- source: 'password: password'
style: secondary
start: 68
end: 86
- source: '(password: password, salt: salt, iterations: 4096, variant: .sha256)'
style: secondary
start: 67
end: 135
- source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256)'
style: secondary
start: 51
end: 135
- source: password
style: secondary
start: 4
end: 12
- source: password
style: secondary
start: 4
end: 12
- source: 'let password: Array<UInt8> = Array("s33krit".utf8)'
style: secondary
start: 0
end: 50
65 changes: 65 additions & 0 deletions tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
id: scrypt-hardcoded-secret-swift
snapshots:
? |
let ishan: Array<UInt8> = Array("s33krit".utf8)
let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
: labels:
- source: 'let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()'
style: primary
start: 48
end: 142
- source: password
style: secondary
start: 69
end: 77
- source: ishan
style: secondary
start: 79
end: 84
- source: 'password: ishan'
style: secondary
start: 69
end: 84
- source: 'try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()'
style: secondary
start: 58
end: 142
- source: ishan
style: secondary
start: 4
end: 9
- source: ishan
style: secondary
start: 4
end: 9
- source: 'let ishan: Array<UInt8> = Array("s33krit".utf8)'
style: secondary
start: 0
end: 47
? |
try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
: labels:
- source: 'try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()'
style: primary
start: 0
end: 84
- source: password
style: secondary
start: 11
end: 19
- source: '123'
style: secondary
start: 22
end: 25
- source: '"123"'
style: secondary
start: 21
end: 26
- source: 'password: "123"'
style: secondary
start: 11
end: 26
- source: 'try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate'
style: secondary
start: 0
end: 82
10 changes: 10 additions & 0 deletions tests/swift/pkcs5-hardcoded-secret-swift-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
id: pkcs5-hardcoded-secret-swift
valid:
- |
PKCS5.PBKDF2(password: password1, salt: salt, iterations: 4096, variant: .sha256).calculate()
invalid:
- |
let password: Array<UInt8> = Array("s33krit".utf8)
try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
- |
PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
10 changes: 10 additions & 0 deletions tests/swift/scrypt-hardcoded-secret-swift-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
id: scrypt-hardcoded-secret-swift
valid:
- |
try Scrypt(password: config, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
invalid:
- |
let ishan: Array<UInt8> = Array("s33krit".utf8)
let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
- |
try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()