hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10116 from atorralba/atorralba/static-init-vector-fix

Browse Source 
Java: Improve Static Initialization Vector query
This commit is contained in:
Tony Torralba
2022-08-23 11:38:41 +02:00
committed by GitHub
parent e3c1101b79 da3288fced
commit 085c12a51f
2 changed files with 23 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
View File

@@ -54,10 +54,25 @@ private class ArrayUpdate extends Expr {
ma = this and
ma.getArgument(0) = array
|
m.hasQualifiedName("java.io", "InputStream", "read") or
m.getAnOverride*().hasQualifiedName("java.io", ["InputStream", "RandomAccessFile"], "read") or
m.getAnOverride*().hasQualifiedName("java.io", "DataInput", "readFully") or
m.hasQualifiedName("java.nio", "ByteBuffer", "get") or
m.hasQualifiedName("java.security", "SecureRandom", "nextBytes") or
m.hasQualifiedName("java.util", "Random", "nextBytes")
m.hasQualifiedName("java.util", "Random", "nextBytes") or
m.hasQualifiedName("java.util.zip", "Inflater", "inflate") or
m.hasQualifiedName("io.netty.buffer", "ByteBuf", "readBytes") or
m.getAnOverride*().hasQualifiedName("org.bouncycastle.crypto", "Digest", "doFinal")
)
or
exists(MethodAccess ma, Method m |
m = ma.getMethod() and
ma = this and
ma.getArgument(1) = array
|
m.hasQualifiedName("org.apache.commons.io", "IOUtils", ["read", "readFully"]) or
m.hasQualifiedName("io.netty.buffer", "ByteBuf", "getBytes") or
m.hasQualifiedName("org.bouncycastle.crypto.generators",
any(string s | s.matches("%BytesGenerator")), "generateBytes")
)
}
@@ -95,17 +110,15 @@ private class StaticInitializationVectorSource extends DataFlow::Node {
}
/**
* A sink that initializes a cipher for encryption with unsafe parameters.
* A sink that initializes a cipher with unsafe parameters.
*/
private class EncryptionInitializationSink extends DataFlow::Node {
EncryptionInitializationSink() {
exists(MethodAccess ma, Method m, FieldRead fr | m = ma.getMethod() |
exists(MethodAccess ma, Method m | m = ma.getMethod() |
m.hasQualifiedName("javax.crypto", "Cipher", "init") and
m.getParameterType(2)
.(RefType)
.hasQualifiedName("java.security.spec", "AlgorithmParameterSpec") and
fr.getField().hasQualifiedName("javax.crypto", "Cipher", "ENCRYPT_MODE") and
DataFlow::localExprFlow(fr, ma.getArgument(0)) and
ma.getArgument(2) = this.asExpr()
)
}

4
java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.