diff --git a/rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml b/rules/python/security/python-neo4j-hardcoded-secret-python.yml
similarity index 100%
rename from rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml
rename to rules/python/security/python-neo4j-hardcoded-secret-python.yml
diff --git a/rules/swift/security/hdkf-hardcoded-secret-swift.yml b/rules/swift/security/hdkf-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..989fb1de
--- /dev/null
+++ b/rules/swift/security/hdkf-hardcoded-secret-swift.yml
@@ -0,0 +1,416 @@ +id: hkdf-hardcoded-secret-swift +severity: warning +language: swift +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + match_pattern_HKDF_expression_with_instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_try_expression_with_instance: + kind: 
try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - any: + - inside: + stopBy: end + kind: property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_HKDF_expression_directly: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: end + kind: value_arguments + has: + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_directly: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + has: + stopBy: 
neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: end + kind: value_arguments + has: + kind: value_argument + all: + - has: + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + + match_pattern_HKDF_expression_with_utf8: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_with_utf8: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + 
stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + - kind: call_expression + any: + - matches: match_pattern_HKDF_expression_directly + - matches: match_pattern_HKDF_expression_with_instance + - matches: match_pattern_HKDF_expression_with_utf8 +constraints: + SECRET: + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + field: text diff --git a/rules/swift/security/pkcs5-hardcoded-secret-swift.yml b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml new file mode 100644 index 00000000..faeafb4a --- /dev/null +++ b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml 
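Review bot: The new rule file is named `rules/swift/security/hdkf-hardcoded-secret-swift.yml` while its `id` is `hkdf-hardcoded-secret-swift`, and `tests/swift/hdkf-hardcoded-secret-swift-test.yml` carries the same transposition, whereas the snapshot lands as `tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml`; both file names should be `hkdf-…` to match the id and the pkcs5/scrypt naming in this commit. The `note:` block also diverges from the other two rules (`[CWE-798] Use of Hard-coded Credentials.` with a bulleted reference here versus `[CWE-798]: Use of Hard-coded Credentials` and a bare URL in pkcs5/scrypt); pick one format. Each util would benefit from a one-line header stating the call shape it matches, e.g. `# HKDF(password: <ident>, …) where <ident> was bound with Array("…".utf8) in a preceding property_declaration` above `match_pattern_HKDF_expression_with_instance`, since the ~100-line relational rule is otherwise opaque to a maintainer; the `not: follows/inside: throw_keyword` exclusions in particular have no stated rationale.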
@@ -0,0 +1,242 @@ +id: pkcs5-hardcoded-secret-swift +language: swift +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [REFERENCES] + https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + tryPKCS5.$FUNC(password:""): + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: line_string_literal + has: + kind: line_str_text + + PKCS5.$FUNC(password:""): + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: line_string_literal + has: + kind: line_str_text + + tryPKCS5.$FUNC(password:Array("...".utf8)): + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: 
+ stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + PKCS5.$FUNC(password:Array("...".utf8)): + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + tryPKCS5.$FUNC(password:"")_with_Instance: + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $PSWD + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $PSWD + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + PKCS5.$FUNC(password:"")_with_Instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $PSWD + - inside: + stopBy: end + follows: + stopBy: end + kind: 
property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $PSWD + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + +rule: + any: + - matches: tryPKCS5.$FUNC(password:"") + - matches: PKCS5.$FUNC(password:"") + - matches: tryPKCS5.$FUNC(password:Array("...".utf8)) + - matches: PKCS5.$FUNC(password:Array("...".utf8)) + - matches: tryPKCS5.$FUNC(password:"")_with_Instance + - matches: PKCS5.$FUNC(password:"")_with_Instance diff --git a/rules/swift/security/scrypt-hardcoded-secret-swift.yml b/rules/swift/security/scrypt-hardcoded-secret-swift.yml new file mode 100644 index 00000000..942442f1 --- /dev/null +++ b/rules/swift/security/scrypt-hardcoded-secret-swift.yml 
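Review bot: The util names in the `utils:` block (`tryPKCS5.$FUNC(password:"")`, `PKCS5.$FUNC(password:Array("...".utf8))`, `…_with_Instance`) read like patterns rather than identifiers and do not follow the `match_pattern_…` naming the hkdf and scrypt rules in this commit use; plain names such as `match_pattern_try_expression_directly` would keep the three rules consistent and easier to grep. The hard-coded value is also captured differently: here `pattern: Array("$PASS".utf8)` pins the literal inside the pattern, while the sibling rules use `Array($SECRET.utf8)` plus a `constraints:` block restricting `$SECRET` to `line_string_literal`; aligning on one approach avoids the rules drifting as they are maintained. Separately, `tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml` (and the scrypt one) lands as `snapshots: {}` although the test file lists five invalid cases, while the hkdf snapshot is populated — the snapshots look ungenerated and should be regenerated with ast-grep's snapshot-update test option before merge; the deleted neo4j snapshot likewise has no replacement under the renamed id in this diff, unless one already exists in the tree.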
@@ -0,0 +1,417 @@ +id: scrypt-hardcoded-secret-swift +language: swift +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [OWASP A07:2021]:Identification and Authentication Failures + [CWE-798]: Use of Hard-coded Credentials + [REFERENCES] + https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + match_pattern_Scrypt_expression_with_instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: 
Array($SECRET.utf8) + + match_pattern_try_expression_with_instance: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - any: + - inside: + stopBy: end + kind: property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_Scrypt_expression_directly: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_directly: + kind: try_expression + not: + inside: + 
stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + kind: value_argument + all: + - has: + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + + match_pattern_Scrypt_expression_with_utf8: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_with_utf8: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + has: + 
stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + - kind: call_expression + any: + - matches: match_pattern_Scrypt_expression_directly + - matches: match_pattern_Scrypt_expression_with_instance + - matches: match_pattern_Scrypt_expression_with_utf8 +constraints: + SECRET: + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + field: text diff --git a/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..412e99fc --- /dev/null +++ b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml 
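Review bot: The `note:` header `[OWASP A07:2021]:Identification and Authentication Failures` is missing the space after the colon and is the only one of the three new rules that cites the OWASP category; either add the line to the hkdf and pkcs5 notes too or drop it here so the three notes read the same. The utils are a near-verbatim copy of the hkdf rule's with only the `^HKDF$` regex replaced by `^Scrypt$` (roughly 400 lines duplicated per rule); a short header comment per util naming the shape it matches, e.g. `# try Scrypt(password: "<literal>", …)` above `match_pattern_try_expression_directly`, would make the copies reviewable, and the `not: follows/inside: throw_keyword` exclusions deserve a comment explaining what they are meant to skip. The scrypt test's `valid:` list covers only `password: config`; a case where the identifier is bound to a non-literal value (e.g. something read from the environment) would confirm the `with_instance` utils do not over-match.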
@@ -0,0 +1,175 @@ +id: hkdf-hardcoded-secret-swift +snapshots: + ? | + HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 66 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: '123' + style: secondary + start: 16 + end: 19 + - source: '"123"' + style: secondary + start: 15 + end: 20 + - source: 'password: "123"' + style: secondary + start: 5 + end: 20 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + ? | + HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 80 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: Array + style: secondary + start: 15 + end: 20 + - source: hello + style: secondary + start: 22 + end: 27 + - source: '"hello"' + style: secondary + start: 21 + end: 28 + - source: utf8 + style: secondary + start: 29 + end: 33 + - source: .utf8 + style: secondary + start: 28 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: Array("hello".utf8) + style: secondary + start: 15 + end: 34 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 5 + end: 34 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 
1)' + style: secondary + start: 4 + end: 80 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 80 + ? | + try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 84 + - source: HKDF + style: secondary + start: 4 + end: 8 + - source: password + style: secondary + start: 9 + end: 17 + - source: Array + style: secondary + start: 19 + end: 24 + - source: hello + style: secondary + start: 26 + end: 31 + - source: '"hello"' + style: secondary + start: 25 + end: 32 + - source: utf8 + style: secondary + start: 33 + end: 37 + - source: .utf8 + style: secondary + start: 32 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: Array("hello".utf8) + style: secondary + start: 19 + end: 38 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 9 + end: 38 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 84 diff --git a/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..e366644b --- /dev/null +++ b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml 
@@ -0,0 +1,2 @@
+id: pkcs5-hardcoded-secret-swift
+snapshots: {}
diff --git a/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml b/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml
deleted file mode 100644
index 110188d4..00000000
--- a/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml
+++ /dev/null
@@ -1,276 +0,0 @@ -id: python-neo4j-hardcoded-secret-python -snapshots: - ? | - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - password = "NEO4J_PASSWORD" - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, password)) - : labels: - - source: basic_auth(username, password) - style: primary - start: 157 - end: 187 - - source: password - style: secondary - start: 83 - end: 91 - - source: '"' - style: secondary - start: 94 - end: 95 - - source: NEO4J_PASSWORD - style: secondary - start: 95 - end: 109 - - source: '"' - style: secondary - start: 109 - end: 110 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 94 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password - style: secondary - start: 178 - end: 186 - - source: (username, password) - style: secondary - start: 167 - end: 187 - - source: basic_auth - style: secondary - start: 157 - end: 167 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
| - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, "NEO4J_PASSWORD")) - : labels: - - source: basic_auth(username, "NEO4J_PASSWORD") - style: primary - start: 127 - end: 165 - - source: '"' - style: secondary - start: 148 - end: 149 - - source: NEO4J_PASSWORD - style: secondary - start: 149 - end: 163 - - source: '"' - style: secondary - start: 163 - end: 164 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 148 - end: 164 - - source: (username, "NEO4J_PASSWORD") - style: secondary - start: 137 - end: 165 - - source: basic_auth - style: secondary - start: 127 - end: 137 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
|- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = GraphDatabase.driver(uri, auth=bearer_auth("token")) - : labels: - - source: bearer_auth("token") - style: primary - start: 122 - end: 142 - - source: '"' - style: secondary - start: 134 - end: 135 - - source: token - style: secondary - start: 135 - end: 140 - - source: '"' - style: secondary - start: 140 - end: 141 - - source: '"token"' - style: secondary - start: 134 - end: 141 - - source: ("token") - style: secondary - start: 133 - end: 142 - - source: bearer_auth - style: secondary - start: 122 - end: 133 - - source: bearer_auth - style: secondary - start: 47 - end: 58 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
"from neo4j import (\nbasic_auth,\nkerberos_auth,\nbearer_auth,\nAsyncGraphDatabase,\n)\nuri = \"neo4j://example.com:7687\" \ndriver = GraphDatabase.driver(uri, auth=kerberos_auth(\"token\"))\n"
- : labels:
- - source: kerberos_auth("token")
- style: primary
- start: 156
- end: 178
- - source: '"'
- style: secondary
- start: 170
- end: 171
- - source: token
- style: secondary
- start: 171
- end: 176
- - source: '"'
- style: secondary
- start: 176
- end: 177
- - source: '"token"'
- style: secondary
- start: 170
- end: 177
- - source: ("token")
- style: secondary
- start: 169
- end: 178
- - source: kerberos_auth
- style: secondary
- start: 156
- end: 169
- - source: kerberos_auth
- style: secondary
- start: 32
- end: 45
- - source: neo4j
- style: secondary
- start: 5
- end: 10
- - source: |-
- from neo4j import (
- basic_auth,
- kerberos_auth,
- bearer_auth,
- AsyncGraphDatabase,
- )
- style: secondary
- start: 0
- end: 81
- - source: |-
- from neo4j import (
- basic_auth,
- kerberos_auth,
- bearer_auth,
- AsyncGraphDatabase,
- )
- style: secondary
- start: 0
- end: 81
diff --git a/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml
new file mode 100644
index 00000000..d5fc76ad
--- /dev/null
+++ b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml
@@ -0,0 +1,2 @@
+id: scrypt-hardcoded-secret-swift
+snapshots: {}
diff --git a/tests/swift/hdkf-hardcoded-secret-swift-test.yml b/tests/swift/hdkf-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..f62690a9
--- /dev/null
+++ b/tests/swift/hdkf-hardcoded-secret-swift-test.yml
@@ -0,0 +1,11 @@
+id: hkdf-hardcoded-secret-swift
+valid:
+ - |
+ let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+invalid:
+ - |
+ HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
diff --git a/tests/swift/pkcs5-hardcoded-secret-swift-test.yml b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..72dd3bd1
--- /dev/null
+++ b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml
@@ -0,0 +1,38 @@
+id: pkcs5-hardcoded-secret-swift
+valid:
+ - |
+ PKCS5.PBKDF2(password: password1, salt: salt, iterations: 4096, variant: .sha256).calculate()
+invalid:
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
+ - |
+ PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
+ - |
+ import Foundation
+ import CryptoSwift
+ func main() {
+ do {
+ let password = Array("s33krit".utf8)
+ let salt: Array = Array("nacllcan".utf8)
+ try PKCS5.h(password: password)
+ } catch {
+ print("Error: \(error)")
+ }
+ }
+ main()
+ - |
+ import Foundation
+ import CryptoSwift
+ func main() {
+ do {
+ let password = Array("s33krit".utf8)
+ let salt: Array = Array("nacllcan".utf8)
+ PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()
+ } catch {
+ print("Error: \(error)")
+ }
+ }
+ main()
+ - |
+ try PKCS5.ggg(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate()
diff --git a/tests/swift/scrypt-hardcoded-secret-swift-test.yml b/tests/swift/scrypt-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..c8be624d
--- /dev/null
+++ b/tests/swift/scrypt-hardcoded-secret-swift-test.yml
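Review bot: The HKDF fixtures call `HKDF(password:, salt:, dkLen:, N:, r:, p:)`, which is the Scrypt argument list copied from the scrypt test; CryptoSwift's `HKDF` initializer, as far as I recall, takes `password:salt:info:keyLength:variant:` instead. The rule still fires because it only inspects the `password:` argument, but the fixtures then document an API shape that does not exist, so a reader cannot tell whether a real HKDF call is covered; rewriting them as e.g. `try HKDF(password: Array("hello".utf8), salt: salt, info: info, keyLength: 32, variant: .sha256).calculate()` keeps the test honest (please confirm against the CryptoSwift version you target). The `valid:` list also has a single case; one that binds the identifier to a non-literal value before the call would exercise the negative path of the `with_instance` utils.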
@@ -0,0 +1,10 @@
+id: scrypt-hardcoded-secret-swift
+valid:
+ - |
+ try Scrypt(password: config, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+invalid:
+ - |
+ let ishan: Array = Array("s33krit".utf8)
+ let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()
+ - |
+ try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate()