From 6bb084c60d921a24fc990c358f0818757707e635 Mon Sep 17 00:00:00 2001
From: Michael Liao
Date: Wed, 22 May 2024 12:37:59 -0700
Subject: [PATCH 1/6] Adding semgrep to PR workflow
---
 .github/workflows/semgrep.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/semgrep.yaml
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
new file mode 100644
index 0000000..30a67f7
--- /dev/null
+++ b/.github/workflows/semgrep.yaml
@@ -0,0 +1,31 @@
+name: Scanning Code with Semgrep
+
+on: [pull_request]
+
+jobs:
+  git-secrets-check:
+    name: Run Semgrep scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install Semgrep
+        run: |
+          python -m pip install --upgrade pip
+          pip install semgrep
+
+      - name: Run Semgrep
+        run: semgrep --config p/ci
+
+      - name: Upload Semgrep results
+        if: always()
+        uses: actions/upload-artifact@v2
+        with:
+          name: semgrep-results
+          path: semgrep.sarif
From 736abcd9999c8481f9076dcbfd44187264c9d01b Mon Sep 17 00:00:00 2001
From: Michael Liao
Date: Wed, 22 May 2024 13:09:52 -0700
Subject: [PATCH 2/6] Adding fake security vulnerability
---
 .../Sources/Core/Models/TestSemgrep.swift | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
diff --git a/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift b/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
new file mode 100644
index 0000000..0592fc6
--- /dev/null
+++ b/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
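Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though its steps only need to read the checkout; add `permissions:` / `  contents: read` at the top of the file. The three `uses:` references (`actions/checkout@v2`, `actions/setup-python@v2`, `actions/upload-artifact@v2`) are mutable major-version tags rather than commit SHAs, and `pip install semgrep` is unpinned, so both the actions and the scanner itself can change underneath this workflow without any change in the repository; pin each action to a full commit SHA with the version in a trailing comment and pin the scanner as `semgrep==<pinned-version>`. The `v2` majors of these actions are also several releases behind the current ones, so whichever SHA is chosen should come from a current release.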
@@ -0,0 +1,13 @@
+import Foundation
+
+class DatabaseConnection {
+    func connect() {
+        let username = "admin"
+        let password = "secretPassword123" // Hardcoded password, potential security risk
+        // Code to establish a database connection
+        print("Connecting with username \(username) and password \(password)")
+    }
+}
+
+let dbConnection = DatabaseConnection()
+dbConnection.connect()
\ No newline at end of file
From fae675eb73abf5e6e95d0bbfaac838a78ddfde0c Mon Sep 17 00:00:00 2001
From: Michael Liao
Date: Wed, 22 May 2024 13:17:37 -0700
Subject: [PATCH 3/6] added more violations
---
 .../Sources/Core/Models/TestSemgrep.swift | 197 +++++++++++++++++-
 1 file changed, 188 insertions(+), 9 deletions(-)
diff --git a/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift b/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
index 0592fc6..56e67d4 100644
--- a/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
+++ b/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
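Review bot: The last two lines of the new file, `let dbConnection = DatabaseConnection()` and `dbConnection.connect()`, are top-level statements, which Swift accepts only in `main.swift` or a script; if `AmazonConnectChatIOS/Sources/Core/Models/` is compiled into a library or framework target, as its path suggests, the build will reject the file with "expressions are not allowed at the top level". A scanner fixture like this belongs in a directory the build target does not compile, not next to production models. The hard-coded credential is clearly intentional bait for the scan, but since the file is committed to the source tree it should say so in a header comment, e.g. `// Semgrep fixture: intentionally insecure; not part of any build target.`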
@@ -1,13 +1,192 @@ +import CryptoKit import Foundation -class DatabaseConnection { - func connect() { - let username = "admin" - let password = "secretPassword123" // Hardcoded password, potential security risk - // Code to establish a database connection - print("Connecting with username \(username) and password \(password)") - } +let password = "some password here" +let saltData = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) + +let keyLength = 16 +let rounds = 50000 +let algorithm = CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA1) + +var a = 139999 +var rounds1 = UInt32(a) + +CCKeyDerivationPBKDF( + CCPBKDFAlgorithm(kCCPBKDF2), + password, + passData.count, + // ruleid: hardcoded-salt + saltData, + saltData.count, + algorithm, + rounds1, + keyBuf, + count) + + let someStr = "my salt & pepper" + let mySalt: Data = someStr.data(using:String.Encoding.utf8)! +CCKeyDerivationPBKDF( + CCPBKDFAlgorithm(kCCPBKDF2), + NSString(string: "foobar").UTF8String, + passData.count, + // ruleid: hardcoded-salt + mySalt, + mySalt.count, + algorithm, + UInt32(13099), + keyBuf, + count) + +rounds1 = 1600000 + +CCKeyDerivationPBKDF( + CCPBKDFAlgorithm(kCCPBKDF2), + password, + passData.count, + // ruleid: hardcoded-salt + saltData, + saltData.count, + algorithm, + UInt32(rounds1), + keyBuf, + count) + +var someSalt = "I want some crypto".data(using: .utf8)! +let somePrivateKey = Curve25519.KeyAgreement.PrivateKey() +let somePublicKey = somePrivateKey.publicKey + +let samePrivateKey = Curve25519.KeyAgreement.PrivateKey() +let samePublicKey = samePrivateKey.publicKey + +let someSharedSecret = try! somePrivateKey.sharedSecretFromKeyAgreement(with: samePublicKey) +let sSymmetricKey = someSharedSecret.hkdfDerivedSymmetricKey(using: SHA256.self, + // ruleid: hardcoded-salt + salt: someSalt, + sharedInfo: Data(), + outputByteCount: 32) + +let plaintext = "Lorem ipsum dolor".data(using: .utf8)! + +let ciphertext = try! 
ChaChaPoly.seal(plaintext, using: sSymmetricKey, +// ruleid: hardcoded-salt +nonce: someSalt).combined + +let sameSharedSecret = try! samePrivateKey.sharedSecretFromKeyAgreement(with: somePublicKey) +let sameSymmetricKey = sameSharedSecret.hkdfDerivedSymmetricKey(using: SHA256.self, + // ruleid: hardcoded-salt + salt: someSalt, + sharedInfo: Data(), + outputByteCount: 32) + +let sealedBox = try! ChaChaPoly.SealedBox(combined: encryptedData) +let decryptedData = try! ChaChaPoly.open(sealedBox, using: sameSymmetricKey) +let decryptedPlaintext = String(data: decryptedData, encoding: .utf8)! + + +// AES-GCM +let nonce = try! AES.GCM.Nonce(data: Data(base64Encoded: "foobarNonce==")!) +let tag = Data(base64Encoded: "fYj==")! + +let sealedBox = try! AES.GCM.seal( + plain.data(using: .utf8)!, + using: key, + // ruleid: hardcoded-salt + nonce: nonce, + authenticating: tag) + +let c = [] +for i in 1...16 { + let randomInt = Int.random(in: 0..<256) + c.append(randomInt) } -let dbConnection = DatabaseConnection() -dbConnection.connect() \ No newline at end of file +let otherNonce = Data(bytes: c) + +let otherNonce = try! AES.GCM.Nonce(data: otherNonce) +let tag = Data(base64Encoded: "fYj==")! + +let sealedBox = try! 
AES.GCM.seal( + plain.data(using: .utf8)!, + using: key, + // ok: hardcoded-salt + nonce: otherNonce, + authenticating: tag) + + +let prefs = WKPreferences() +// ruleid: swift-webview-config-allows-js-open-windows +prefs.JavaScriptCanOpenWindowsAutomatically = true +let config = WKWebViewConfiguration() +config.defaultWebpagePreferences = prefs + +WKWebView(frame: .zero, configuration: config) + +let prefs2 = WKPreferences() +prefs2.JavaScriptCanOpenWindowsAutomatically = true +// okid: swift-webview-config-allows-js-open-windows +prefs2.JavaScriptCanOpenWindowsAutomatically = false +let config = WKWebViewConfiguration() +config.defaultWebpagePreferences = prefs2 + +WKWebView(frame: .zero, configuration: config) + + + +// Generate a random encryption key +var key = Data(count: 64) +_ = key.withUnsafeMutableBytes { (pointer: UnsafeMutableRawBufferPointer) in + SecRandomCopyBytes(kSecRandomDefault, 64, pointer.baseAddress!) } +// Configure for an encrypted realm +// ok: swift-hardcoded-realm-key +var config = Realm.Configuration(encryptionKey: key) +do { + // Open the encrypted realm + let realm = try Realm(configuration: config) + // ... use the realm as normal ... +} catch let error as NSError { + // If the encryption key is wrong, `error` will say that it's an invalid database + fatalError("Error opening realm: \(error.localizedDescription)") +} + +let plaintext = "Lorem ipsum dolor".data(using: .utf8)! + +let keyData = Data(base64Encoded: "foobarNonce==")! + + +// ruleid: swift-hardcoded-realm-key +var config = Realm.Configuration(encryptionKey: keyData) + +let i = generateRandomKeyDataBase64() +let keyData2 = Data(base64Encoded: i)! 
+ +// ok: swift-hardcoded-realm-key +var config2 = Realm.Configuration(encryptionKey: keyData2) + + + +// ruleid: swift-hardcoded-realm-key +var config = Realm.Configuration(encryptionKey: plaintext) + + +let newKey = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) + + +// ruleid: swift-hardcoded-realm-key +var config = Realm.Configuration(encryptionKey: newKey) + + +let c = [] +for i in 1...16 { + let randomInt = Int.random(in: 0..<256) + c.append(randomInt) +} + +let anotherKey = Data(bytes: c) +// ok: swift-hardcoded-realm-key +var config = Realm.Configuration(encryptionKey: anotherKey) + +let newKey = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) + +var config = Realm.Configuration() +// ruleid: swift-hardcoded-realm-key +config.encryptionKey = newKey \ No newline at end of file From 9215f4203ec5ab1b6b98d84ab5dac5c72cf13d14 Mon Sep 17 00:00:00 2001 From: Michael Liao Date: Wed, 22 May 2024 13:37:27 -0700 Subject: [PATCH 4/6] debug semgrep --- .github/workflows/semgrep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml index 30a67f7..24cb2ad 100644 --- a/.github/workflows/semgrep.yaml +++ b/.github/workflows/semgrep.yaml @@ -21,7 +21,7 @@ jobs: pip install semgrep - name: Run Semgrep - run: semgrep --config p/ci + run: semgrep --config p/ci --output semgrep.sarif --sarif --debug - name: Upload Semgrep results if: always() From a776ca28eee2b71a1decfce0a3b25f03da955fa2 Mon Sep 17 00:00:00 2001 From: Michael Liao Date: Wed, 22 May 2024 13:44:48 -0700 Subject: [PATCH 5/6] failing on scan fail --- .github/workflows/semgrep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml index 24cb2ad..8a39c4e 100644 --- a/.github/workflows/semgrep.yaml +++ b/.github/workflows/semgrep.yaml 
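Review bot: The rewritten file cannot compile as part of the module: it references `passData`, `keyBuf`, `count`, `encryptedData`, `plain`, `generateRandomKeyDataBase64`, `Realm`, `WKPreferences` and `CCKeyDerivationPBKDF` without declaring or importing them (only `CryptoKit` and `Foundation` are imported), it redeclares `sealedBox`, `tag`, `config`, `c`, `newKey` and `plaintext` at file scope, and it appends to `let c = []`, which is both immutable and of no inferable element type. That is acceptable for a Semgrep fixture, since the scanner parses rather than compiles and the `// ruleid:` / `// ok:` markers are its rule-test annotation convention, but it means the file must not live under a compiled source directory such as `Sources/Core/Models/`; move it to a fixture directory the build target excludes, and add a header comment such as `// Semgrep fixture: intentionally insecure and non-compiling; not part of any build target.` so nobody copies `someSalt` doubling as both HKDF salt and `ChaChaPoly.seal` nonce as a reference pattern. This hunk spans the entire file.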
@@ -21,7 +21,7 @@ jobs:
         pip install semgrep
 
       - name: Run Semgrep
-        run: semgrep --config p/ci --output semgrep.sarif --sarif --debug
+        run: semgrep --config p/ci --output semgrep.sarif --sarif --error
 
       - name: Upload Semgrep results
         if: always()
From 6a3680a33a92b3a07afe6950729d1c0afc45fcbb Mon Sep 17 00:00:00 2001
From: Michael Liao
Date: Wed, 22 May 2024 13:48:14 -0700
Subject: [PATCH 6/6] Removing semgrep test file
---
 .../Sources/Core/Models/TestSemgrep.swift | 192 ------------------
 1 file changed, 192 deletions(-)
 delete mode 100644 AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
diff --git a/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift b/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
deleted file mode 100644
index 56e67d4..0000000
--- a/AmazonConnectChatIOS/Sources/Core/Models/TestSemgrep.swift
+++ /dev/null
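Review bot: With `--error` the Run Semgrep step now fails the job on findings, and the `if: always()` already on the upload step keeps the SARIF artifact in that case, so the two are consistent; but the artifact remains the only place findings surface, so a reviewer has to download it to learn why the check went red. A follow-up step using `github/codeql-action/upload-sarif` with `sarif_file: semgrep.sarif` would show the same results as code-scanning annotations on the pull request; it needs `security-events: write`, which means adding an explicit `permissions:` block to a workflow that currently declares none. Note too that a Semgrep failure unrelated to findings (for example the `p/ci` pack being unreachable) likely also exits non-zero without writing `semgrep.sarif`, so the upload step would then report a missing file rather than the underlying cause, and the Run Semgrep log is where that has to be read.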
@@ -1,192 +0,0 @@ -import CryptoKit -import Foundation - -let password = "some password here" -let saltData = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) - -let keyLength = 16 -let rounds = 50000 -let algorithm = CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA1) - -var a = 139999 -var rounds1 = UInt32(a) - -CCKeyDerivationPBKDF( - CCPBKDFAlgorithm(kCCPBKDF2), - password, - passData.count, - // ruleid: hardcoded-salt - saltData, - saltData.count, - algorithm, - rounds1, - keyBuf, - count) - - let someStr = "my salt & pepper" - let mySalt: Data = someStr.data(using:String.Encoding.utf8)! -CCKeyDerivationPBKDF( - CCPBKDFAlgorithm(kCCPBKDF2), - NSString(string: "foobar").UTF8String, - passData.count, - // ruleid: hardcoded-salt - mySalt, - mySalt.count, - algorithm, - UInt32(13099), - keyBuf, - count) - -rounds1 = 1600000 - -CCKeyDerivationPBKDF( - CCPBKDFAlgorithm(kCCPBKDF2), - password, - passData.count, - // ruleid: hardcoded-salt - saltData, - saltData.count, - algorithm, - UInt32(rounds1), - keyBuf, - count) - -var someSalt = "I want some crypto".data(using: .utf8)! -let somePrivateKey = Curve25519.KeyAgreement.PrivateKey() -let somePublicKey = somePrivateKey.publicKey - -let samePrivateKey = Curve25519.KeyAgreement.PrivateKey() -let samePublicKey = samePrivateKey.publicKey - -let someSharedSecret = try! somePrivateKey.sharedSecretFromKeyAgreement(with: samePublicKey) -let sSymmetricKey = someSharedSecret.hkdfDerivedSymmetricKey(using: SHA256.self, - // ruleid: hardcoded-salt - salt: someSalt, - sharedInfo: Data(), - outputByteCount: 32) - -let plaintext = "Lorem ipsum dolor".data(using: .utf8)! - -let ciphertext = try! ChaChaPoly.seal(plaintext, using: sSymmetricKey, -// ruleid: hardcoded-salt -nonce: someSalt).combined - -let sameSharedSecret = try! 
samePrivateKey.sharedSecretFromKeyAgreement(with: somePublicKey) -let sameSymmetricKey = sameSharedSecret.hkdfDerivedSymmetricKey(using: SHA256.self, - // ruleid: hardcoded-salt - salt: someSalt, - sharedInfo: Data(), - outputByteCount: 32) - -let sealedBox = try! ChaChaPoly.SealedBox(combined: encryptedData) -let decryptedData = try! ChaChaPoly.open(sealedBox, using: sameSymmetricKey) -let decryptedPlaintext = String(data: decryptedData, encoding: .utf8)! - - -// AES-GCM -let nonce = try! AES.GCM.Nonce(data: Data(base64Encoded: "foobarNonce==")!) -let tag = Data(base64Encoded: "fYj==")! - -let sealedBox = try! AES.GCM.seal( - plain.data(using: .utf8)!, - using: key, - // ruleid: hardcoded-salt - nonce: nonce, - authenticating: tag) - -let c = [] -for i in 1...16 { - let randomInt = Int.random(in: 0..<256) - c.append(randomInt) -} - -let otherNonce = Data(bytes: c) - -let otherNonce = try! AES.GCM.Nonce(data: otherNonce) -let tag = Data(base64Encoded: "fYj==")! - -let sealedBox = try! AES.GCM.seal( - plain.data(using: .utf8)!, - using: key, - // ok: hardcoded-salt - nonce: otherNonce, - authenticating: tag) - - -let prefs = WKPreferences() -// ruleid: swift-webview-config-allows-js-open-windows -prefs.JavaScriptCanOpenWindowsAutomatically = true -let config = WKWebViewConfiguration() -config.defaultWebpagePreferences = prefs - -WKWebView(frame: .zero, configuration: config) - -let prefs2 = WKPreferences() -prefs2.JavaScriptCanOpenWindowsAutomatically = true -// okid: swift-webview-config-allows-js-open-windows -prefs2.JavaScriptCanOpenWindowsAutomatically = false -let config = WKWebViewConfiguration() -config.defaultWebpagePreferences = prefs2 - -WKWebView(frame: .zero, configuration: config) - - - -// Generate a random encryption key -var key = Data(count: 64) -_ = key.withUnsafeMutableBytes { (pointer: UnsafeMutableRawBufferPointer) in - SecRandomCopyBytes(kSecRandomDefault, 64, pointer.baseAddress!) 
} -// Configure for an encrypted realm -// ok: swift-hardcoded-realm-key -var config = Realm.Configuration(encryptionKey: key) -do { - // Open the encrypted realm - let realm = try Realm(configuration: config) - // ... use the realm as normal ... -} catch let error as NSError { - // If the encryption key is wrong, `error` will say that it's an invalid database - fatalError("Error opening realm: \(error.localizedDescription)") -} - -let plaintext = "Lorem ipsum dolor".data(using: .utf8)! - -let keyData = Data(base64Encoded: "foobarNonce==")! - - -// ruleid: swift-hardcoded-realm-key -var config = Realm.Configuration(encryptionKey: keyData) - -let i = generateRandomKeyDataBase64() -let keyData2 = Data(base64Encoded: i)! - -// ok: swift-hardcoded-realm-key -var config2 = Realm.Configuration(encryptionKey: keyData2) - - - -// ruleid: swift-hardcoded-realm-key -var config = Realm.Configuration(encryptionKey: plaintext) - - -let newKey = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) - - -// ruleid: swift-hardcoded-realm-key -var config = Realm.Configuration(encryptionKey: newKey) - - -let c = [] -for i in 1...16 { - let randomInt = Int.random(in: 0..<256) - c.append(randomInt) -} - -let anotherKey = Data(bytes: c) -// ok: swift-hardcoded-realm-key -var config = Realm.Configuration(encryptionKey: anotherKey) - -let newKey = Data(bytes: [0x13, 0x37, 0x37, 0x13, 0x90, 0x90, 0x90, 0x1]) - -var config = Realm.Configuration() -// ruleid: swift-hardcoded-realm-key -config.encryptionKey = newKey \ No newline at end of file