Remove additional taint step

2026-04-30 11:15:13 +02:00 · 2021-01-08 13:02:57 +00:00
parent b56fe2b25f
commit 39103af718
2 changed files with 11 additions and 20 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
@@ -50,13 +50,13 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) {
    exists(
-      MethodAccess mda, MethodAccess mua // invoke `md.digest()` with only one call of `md.update(password)`, that is, without the call of `md.update(digest)`
+      MethodAccess mua, MethodAccess mda // invoke `md.digest()` with only one call of `md.update(password)`, that is, without the call of `md.update(digest)`
    |
-      sink.asExpr() = mda.getQualifier() and
+      sink.asExpr() = mua.getArgument(0) and
+      mua.getMethod() instanceof MDUpdateMethod and // md.update(password)
      mda.getMethod() instanceof MDDigestMethod and
      mda.getNumArgument() = 0 and // md.digest()
-      mua.getMethod() instanceof MDUpdateMethod and // md.update(password)
-      mua.getQualifier() = mda.getQualifier().(VarAccess).getVariable().getAnAccess() and
+      mda.getQualifier() = mua.getQualifier().(VarAccess).getVariable().getAnAccess() and
      not exists(MethodAccess mua2 |
        mua2.getMethod() instanceof MDUpdateMethod and // md.update(salt)
        mua2.getQualifier() = mua.getQualifier().(VarAccess).getVariable().getAnAccess() and
@@ -66,7 +66,7 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
    or
    // invoke `md.digest(password)` without another call of `md.update(salt)`
    exists(MethodAccess mda |
-      sink.asExpr() = mda and
+      sink.asExpr() = mda.getArgument(0) and
      mda.getMethod() instanceof MDDigestMethod and // md.digest(password)
      mda.getNumArgument() = 1 and
      not exists(MethodAccess mua |
@@ -75,15 +75,6 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
      )
    )
  }
-
-  /** Holds for additional steps that flow to additional method calls of the type `java.security.MessageDigest`. */
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      ma.getMethod().getDeclaringType() instanceof MessageDigest and
-      pred.asExpr() = ma.getAnArgument() and
-      (succ.asExpr() = ma or succ.asExpr() = ma.getQualifier())
-    )
-  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, HashWithoutSaltConfiguration c
--- a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected
@@ -1,11 +1,11 @@
 edges
-| HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:26:9:55 | digest(...) |
-| HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:16:26:16:27 | md |
+| HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:36:9:54 | getBytes(...) |
+| HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:15:13:15:31 | getBytes(...) |
 nodes
-| HashWithoutSalt.java:9:26:9:55 | digest(...) | semmle.label | digest(...) |
 | HashWithoutSalt.java:9:36:9:43 | password : String | semmle.label | password : String |
+| HashWithoutSalt.java:9:36:9:54 | getBytes(...) | semmle.label | getBytes(...) |
 | HashWithoutSalt.java:15:13:15:20 | password : String | semmle.label | password : String |
-| HashWithoutSalt.java:16:26:16:27 | md | semmle.label | md |
+| HashWithoutSalt.java:15:13:15:31 | getBytes(...) | semmle.label | getBytes(...) |
 #select
-| HashWithoutSalt.java:9:26:9:55 | digest(...) | HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:26:9:55 | digest(...) | $@ is hashed without a salt. | HashWithoutSalt.java:9:36:9:43 | password | The password |
-| HashWithoutSalt.java:16:26:16:27 | md | HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:16:26:16:27 | md | $@ is hashed without a salt. | HashWithoutSalt.java:15:13:15:20 | password | The password |
+| HashWithoutSalt.java:9:36:9:54 | getBytes(...) | HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:36:9:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:9:36:9:43 | password | The password |
+| HashWithoutSalt.java:15:13:15:31 | getBytes(...) | HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:15:13:15:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:15:13:15:20 | password | The password |