Swift: Update the new metatype sinks to not rely on name matching '.Type'.

geoffw0 · geoffw0 · commit f8ab76e1baff · 2026-05-28T12:14:10.000+01:00
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
@@ -121,12 +121,23 @@ private class WeakPasswordHashingMetatypeSink extends WeakPasswordHashingSink {
   string algorithm;
 
   WeakPasswordHashingMetatypeSink() {
-    exists(CallExpr c |
-      c.getAnArgument().getExpr() = this.asExpr() and
+    exists(CallExpr ce, Type t |
+      // call target
+      ce.getStaticTarget().getName() =
+        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"] and
+      // argument
+      ce.getAnArgument().getExpr() = this.asExpr() and
+      // qualifier
+      t = ce.getQualifier().getType() and
       algorithm = ["SHA256", "SHA384", "SHA512"] and
-      c.getQualifier().getType().getFullName() = algorithm + ["", ".Type"] and
-      c.getStaticTarget().getName() =
-        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
+      (
+        t.getFullName() = algorithm
+        or
+        exists(TypeDecl td |
+          td.getInterfaceType() = t and
+          td.getFullName() = algorithm
+        )
+      )
     )
   }
 
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll
@@ -86,12 +86,23 @@ private class WeakSensitiveDataHashingMetatypeSink extends WeakSensitiveDataHash
   string algorithm;
 
   WeakSensitiveDataHashingMetatypeSink() {
-    exists(CallExpr c |
-      c.getAnArgument().getExpr() = this.asExpr() and
+    exists(CallExpr ce, Type t |
+      // call target
+      ce.getStaticTarget().getName() =
+        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"] and
+      // argument
+      ce.getAnArgument().getExpr() = this.asExpr() and
+      // qualifier
+      t = ce.getQualifier().getType() and
       algorithm = ["MD5", "SHA1"] and
-      c.getQualifier().getType().getFullName() = "Insecure." + algorithm + ["", ".Type"] and
-      c.getStaticTarget().getName() =
-        ["hash(data:)", "hash(bufferPointer:)", "update(data:)", "update(bufferPointer:)"]
+      (
+        t.getFullName() = "Insecure." + algorithm
+        or
+        exists(TypeDecl td |
+          td.getInterfaceType() = t and
+          td.getFullName() = "Insecure." + algorithm
+        )
+      )
     )
   }
 
