From 157b7ceaffaaf705cbd9538b9cea626ce7fca65f Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 12 Apr 2023 13:12:17 -0400
Subject: [PATCH] Refactor TimingAttackAgainstHeader
---
 .../CWE/CWE-208/TimingAttackAgainstHeader.ql | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
index 1f92d09693f..452eefab790 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
@@ -14,7 +14,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import DataFlow::PathGraph
+import NonConstantTimeComparisonFlow::PathGraph
 /** A static method that uses a non-constant-time algorithm for comparing inputs. */
 private class NonConstantTimeComparisonCall extends StaticMethodAccess {
@@ -54,20 +54,18 @@ class ClientSuppliedIpTokenCheck extends DataFlow::Node {
 }
 }
-class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
- NonConstantTimeComparisonConfig() { this = "NonConstantTimeComparisonConfig" }
+module NonConstantTimeComparisonConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedIpTokenCheck }
- override predicate isSource(DataFlow::Node source) {
- source instanceof ClientSuppliedIpTokenCheck
- }
-
- override predicate isSink(DataFlow::Node sink) {
+ predicate isSink(DataFlow::Node sink) {
 isNonConstantEqualsCallArgument(sink.asExpr()) or
 isNonConstantComparisonCallArgument(sink.asExpr())
 }
 }
-from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
-where conf.hasFlowPath(source, sink)
+module NonConstantTimeComparisonFlow = TaintTracking::Global;
+
+from NonConstantTimeComparisonFlow::PathNode source, NonConstantTimeComparisonFlow::PathNode sink
+where NonConstantTimeComparisonFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
 source.getNode(), "client-supplied token"
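Review bot: The added line `module NonConstantTimeComparisonFlow = TaintTracking::Global;` has no module argument, yet `TaintTracking::Global` is parameterised on a `DataFlow::ConfigSig` implementation, so as printed here it would not compile and the `import NonConstantTimeComparisonFlow::PathGraph` in the first hunk would have nothing to bind to; it should read `module NonConstantTimeComparisonFlow = TaintTracking::Global<NonConstantTimeComparisonConfig>;`. The angle-bracketed argument may simply have been lost when this patch was rendered, so this is worth confirming against the actual commit rather than assumed to be a bug in the change. Neither the new `module NonConstantTimeComparisonConfig` nor the flow alias carries a QLDoc comment; a one-liner such as `/** Taint tracking from client-supplied token sources into arguments of non-constant-time comparison calls. */` above the config module would help a reader who meets the `PathGraph` import before the module is declared. The definitions of `ClientSuppliedIpTokenCheck`, `isNonConstantEqualsCallArgument` and `isNonConstantComparisonCallArgument` lie outside this hunk, so the source/sink semantics themselves are unchanged by what is visible here.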