diff --git a/rules/swift/security/pkcs5-hardcoded-secret-swift.yml b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..8dfb063b
--- /dev/null
+++ b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml
@@ -0,0 +1,122 @@
+id: pkcs5-hardcoded-secret-swift
+language: swift
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_with_try:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: try_expression
+ all:
+ - has:
+ stopBy: end
+ kind: navigation_expression
+ has:
+ stopBy: end
+ kind: simple_identifier
+ regex: "^PKCS5$"
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ field: name
+ regex: "^password$"
+ - has:
+ field: value
+ kind: simple_identifier
+ pattern: $R
+ follows:
+ stopBy: end
+ kind: property_declaration
+ has:
+ stopBy: end
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $R
+
+ match_call_expression:
+ kind: call_expression
+ has:
+ stopBy: end
+ kind: navigation_expression
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: "^PKCS5$"
+ - has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+
+ match_without_try:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: navigation_expression
+ has:
+ stopBy: end
+ kind: simple_identifier
+ regex: "^PKCS5$"
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ field: value
+ pattern: $T
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ has:
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $T
+
+rule:
+ any:
+ - matches: match_call_expression
+ - matches: match_with_try
+ - matches: match_without_try
diff --git a/rules/swift/security/scrypt-hardcoded-secret-swift.yml b/rules/swift/security/scrypt-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..7f272b3b
--- /dev/null
+++ b/rules/swift/security/scrypt-hardcoded-secret-swift.yml
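Review bot: The `follows` check in `match_with_try` and `match_without_try` only requires that some earlier `property_declaration` binds the identifier passed as `password:`; it never looks at what that declaration initializes it with, so `let password = ProcessInfo.processInfo.environment["PBKDF2_PASSWORD"]!` followed by `try PKCS5.PBKDF2(password: password, ...)` is reported exactly like the `"s33krit"` literal in the test. Constraining the declaration to a literal initializer — wrapping the existing `pattern` check in an `all:` and adding `- has: {stopBy: end, kind: line_string_literal}` — keeps the rule on CWE-798 rather than on every variable named password. The literal branch `match_call_expression` looks for the `value_argument` inside a `navigation_expression`, which in the snapshot resolves to `PKCS5.PBKDF2(...).calculate`; if that reading is right, `let kdf = try PKCS5.PBKDF2(password: "123", ...)` without a chained call is not matched, and a test for that form would settle it. The `note` also omits the `[OWASP A07:2021]` line that the sibling scrypt rule carries; aligning the two keeps the metadata consistent.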
@@ -0,0 +1,67 @@
+id: scrypt-hardcoded-secret-swift
+language: swift
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [OWASP A07:2021]:Identification and Authentication Failures
+ [CWE-798]: Use of Hard-coded Credentials
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_property_declaration:
+ kind: property_declaration
+ all:
+ - has:
+ stopBy: end
+ kind: call_expression
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ field: value
+ pattern: $R
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ has:
+ stopBy: end
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ match_call_expression:
+ kind: call_expression
+ has:
+ stopBy: end
+ kind: navigation_expression
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+rule:
+ any:
+ - matches: match_property_declaration
+ - matches: match_call_expression
diff --git a/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml
new file mode 100644
index 00000000..cd10c815
--- /dev/null
+++ b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml
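Review bot: Neither `match_property_declaration` nor `match_call_expression` anchors on `Scrypt`, so the rule fires on any call that takes a `password:` argument — both `invalid` cases in the pkcs5 test would be reported by this rule as well, doubling findings and making the id misleading. Adding `- has: {stopBy: end, kind: simple_identifier, regex: "^Scrypt$"}` to each util's `all:` mirrors the `^PKCS5$` anchor in the sibling rule. As in the pkcs5 rule, the `follows` check on the earlier `property_declaration` only matches the identifier name, not a literal initializer, so a password read from the environment or Keychain into `ishan` is flagged exactly like `Array("s33krit".utf8)`; a `- has: {stopBy: end, kind: line_string_literal}` on that declaration would restrict it to hard-coded values. Coverage is also narrower than the pkcs5 rule in one direction: the identifier branch is rooted at `property_declaration`, so a bare statement `try Scrypt(password: ishan, ...).calculate()` that is not assigned to a property is not matched.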
@@ -0,0 +1,81 @@ +id: pkcs5-hardcoded-secret-swift +snapshots: + ? | + PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate() + : labels: + - source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()' + style: primary + start: 0 + end: 89 + - source: PKCS5 + style: secondary + start: 0 + end: 5 + - source: password + style: secondary + start: 13 + end: 21 + - source: '123' + style: secondary + start: 24 + end: 27 + - source: '"123"' + style: secondary + start: 23 + end: 28 + - source: 'password: "123"' + style: secondary + start: 13 + end: 28 + - source: 'PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate' + style: secondary + start: 0 + end: 87 + ? | + let password: Array = Array("s33krit".utf8) + try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() + : labels: + - source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()' + style: primary + start: 51 + end: 147 + - source: PKCS5 + style: secondary + start: 55 + end: 60 + - source: PKCS5.PBKDF2 + style: secondary + start: 55 + end: 67 + - source: password + style: secondary + start: 68 + end: 76 + - source: password + style: secondary + start: 78 + end: 86 + - source: 'password: password' + style: secondary + start: 68 + end: 86 + - source: '(password: password, salt: salt, iterations: 4096, variant: .sha256)' + style: secondary + start: 67 + end: 135 + - source: 'try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256)' + style: secondary + start: 51 + end: 135 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 
diff --git a/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..9a757ae7 --- /dev/null +++ b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml @@ -0,0 +1,65 @@ +id: scrypt-hardcoded-secret-swift +snapshots: + ? | + let ishan: Array = Array("s33krit".utf8) + let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()' + style: primary + start: 48 + end: 142 + - source: password + style: secondary + start: 69 + end: 77 + - source: ishan + style: secondary + start: 79 + end: 84 + - source: 'password: ishan' + style: secondary + start: 69 + end: 84 + - source: 'try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()' + style: secondary + start: 58 + end: 142 + - source: ishan + style: secondary + start: 4 + end: 9 + - source: ishan + style: secondary + start: 4 + end: 9 + - source: 'let ishan: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 47 + ? | + try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()' + style: primary + start: 0 + end: 84 + - source: password + style: secondary + start: 11 + end: 19 + - source: '123' + style: secondary + start: 22 + end: 25 + - source: '"123"' + style: secondary + start: 21 + end: 26 + - source: 'password: "123"' + style: secondary + start: 11 + end: 26 + - source: 'try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate' + style: secondary + start: 0 + end: 82 diff --git a/tests/swift/pkcs5-hardcoded-secret-swift-test.yml b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml new file mode 100644 index 00000000..6111538d --- /dev/null 
+++ b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml
@@ -0,0 +1,10 @@
+id: pkcs5-hardcoded-secret-swift
+valid:
+ - |
+ PKCS5.PBKDF2(password: password1, salt: salt, iterations: 4096, variant: .sha256).calculate()
+invalid:
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
+ - |
+ PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
diff --git a/tests/swift/scrypt-hardcoded-secret-swift-test.yml b/tests/swift/scrypt-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..c8be624d
--- /dev/null
+++ b/tests/swift/scrypt-hardcoded-secret-swift-test.yml
@@ -0,0 +1,10 @@
+id: scrypt-hardcoded-secret-swift
+valid:
+ - |
+ try Scrypt(password: config, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+invalid:
+ - |
+ let ishan: Array = Array("s33krit".utf8)
+ let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
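Review bot: The `valid` set has only the renamed-identifier case `password1`, which says nothing about whether the identifier branch distinguishes a literal from a runtime value. Once the rule checks the initializer, add a `valid` case `let password = ProcessInfo.processInfo.environment["PBKDF2_PASSWORD"]!` followed by the same `try PKCS5.PBKDF2(password: password, ...)` call, so a regression back to name-only matching is caught. An `invalid` case `let kdf = try PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256)` with no chained `.calculate()` would also pin the literal branch, which the snapshot suggests currently depends on that chained call.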
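Review bot: The `valid` case passes `config` without declaring it, so it exercises only the absence of a preceding `property_declaration`, not the rule's handling of a declared-but-not-literal password. Add a `valid` case that declares it first, e.g. `let config = ProcessInfo.processInfo.environment["SCRYPT_PASSWORD"]!` followed by the same `Scrypt` call, and an `invalid` case that uses the declared literal as a bare statement, `try Scrypt(password: ishan, ...).calculate()` with no `let key =`, which `match_property_declaration` as written does not reach. Both additions are expected to fail against the rule as committed, which is the point of landing them together with the rule fix.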