add symm to the single config; still seems to work

Jami Cogswell
2022-10-12 08:51:22 -04:00
parent 29de0c6748
commit 01c2a8cbba
3 changed files with 28 additions and 15 deletions


@@ -8,13 +8,17 @@ import semmle.code.java.dataflow.TaintTracking
//import semmle.code.java.dataflow.FlowSources //import semmle.code.java.dataflow.FlowSources
//import semmle.code.java.dataflow.internal.DataFlowNodes //import semmle.code.java.dataflow.internal.DataFlowNodes
/** /**
* An Asymmetric (RSA, DSA, DH) key length data flow tracking configuration. * A key length data flow tracking configuration.
*/ */
class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration { class KeyTrackingConfiguration extends DataFlow::Configuration {
AsymmetricKeyTrackingConfiguration() { this = "AsymmetricKeyTrackingConfiguration" } KeyTrackingConfiguration() { this = "KeyTrackingConfiguration" }
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) { override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
//state instanceof DataFlow::FlowStateEmpty and //state instanceof DataFlow::FlowStateEmpty and
// SYMMETRIC
source.asExpr().(IntegerLiteral).getIntValue() < 128 and state = "128"
or
// ASYMMETRIC
source.asExpr().(IntegerLiteral).getIntValue() < 2048 and state = "2048" source.asExpr().(IntegerLiteral).getIntValue() < 2048 and state = "2048"
or or
source.asExpr().(IntegerLiteral).getIntValue() < 256 and state = "256" source.asExpr().(IntegerLiteral).getIntValue() < 256 and state = "256"
@@ -23,6 +27,16 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
} }
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) { override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
// SYMMETRIC
exists(MethodAccess ma, JavaxCryptoKeyGenerator jcg |
ma.getMethod() instanceof KeyGeneratorInitMethod and
jcg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = "AES" and
DataFlow::localExprFlow(jcg, ma.getQualifier()) and
sink.asExpr() = ma.getArgument(0) and
state = "128"
)
or
// ASYMMETRIC
exists(MethodAccess ma, JavaSecurityKeyPairGenerator jpg | exists(MethodAccess ma, JavaSecurityKeyPairGenerator jpg |
ma.getMethod() instanceof KeyPairGeneratorInitMethod and ma.getMethod() instanceof KeyPairGeneratorInitMethod and
( (
@@ -67,6 +81,7 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
) )
} }
// ! FlowStates seem to work without even including a step like the below... hmmm
override predicate isAdditionalFlowStep( override predicate isAdditionalFlowStep(
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2, DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
DataFlow::FlowState state2 DataFlow::FlowState state2
@@ -76,7 +91,6 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
state2 = intLiteral.toString() and state2 = intLiteral.toString() and
node1.asExpr() = intLiteral and node1.asExpr() = intLiteral and
node2.asExpr() = intLiteral node2.asExpr() = intLiteral
//intLiteral.toString().toInt() = 64 // test viability of this craziness
) )
} }
} }
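Review bot: The new symmetric branch of `isSink` only fires when the algorithm argument is a string literal whose upper-cased value is exactly `"AES"` (`jcg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = "AES"`), so a `KeyGenerator` obtained through a `static final String` constant would not be reported even with an undersized key. Matching on the constant value would close that gap, e.g. `jcg.getAlgoSpec().(CompileTimeConstantExpr).getStringValue().toUpperCase() = "AES"`. The generator is also tied to the `init` call by `DataFlow::localExprFlow` only, so a generator held in a field or returned from a helper is presumably missed; a comment stating that limitation next to the `// SYMMETRIC` marker would help. The asymmetric part of `isSink` and the body of `isAdditionalFlowStep` continue outside the visible hunks.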


@@ -16,10 +16,9 @@ import semmle.code.java.security.InsufficientKeySizeQuery
import DataFlow::PathGraph import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink from DataFlow::PathNode source, DataFlow::PathNode sink
where where exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) //or
or
// exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or // exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
// exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or // exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink)) // exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
select sink.getNode(), source, sink, "This $@ is too small.", source.getNode(), "key size" select sink.getNode(), source, sink, "This $@ is too small.", source.getNode(), "key size"
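Review bot: The `where` clause keeps the superseded disjuncts as commented-out lines (`//or`, `// exists(SymmetricKeyTrackingConfiguration config3 | ...)`), which hides the fact that `KeyTrackingConfiguration` is now the only configuration feeding this alert. I would delete them and keep just `where exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))`. If `SymmetricKeyTrackingConfiguration` is still defined in the library (not visible here), removing or deprecating it in the same change would stop the two symmetric sink definitions from drifting apart.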


@@ -1,8 +1,8 @@
import java import java
import TestUtilities.InlineExpectationsTest import TestUtilities.InlineExpectationsTest
import semmle.code.java.security.InsufficientKeySizeQuery import semmle.code.java.security.InsufficientKeySizeQuery
import DataFlow::PathGraph
//import DataFlow::PathGraph // Note: importing this messes up tests - adds edges and nodes to actual file...
class InsufficientKeySizeTest extends InlineExpectationsTest { class InsufficientKeySizeTest extends InlineExpectationsTest {
InsufficientKeySizeTest() { this = "InsufficientKeySize" } InsufficientKeySizeTest() { this = "InsufficientKeySize" }
@@ -11,12 +11,12 @@ class InsufficientKeySizeTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) { override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasInsufficientKeySize" and tag = "hasInsufficientKeySize" and
exists(DataFlow::PathNode source, DataFlow::PathNode sink | exists(DataFlow::PathNode source, DataFlow::PathNode sink |
exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
or |
//or
// exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or // exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
// exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or // exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink)) //exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
|
sink.getNode().getLocation() = location and sink.getNode().getLocation() = location and
element = sink.getNode().toString() and element = sink.getNode().toString() and
value = "" value = ""