don't include mode-of-operation into the algorithm names

2026-04-30 11:15:13 +02:00 · 2021-11-03 14:54:50 +01:00
parent 5975e19f53
commit 523c15cd72
3 changed files with 14 additions and 28 deletions
--- a/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
+++ b/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
@@ -31,22 +31,14 @@ private module AlgorithmNames {
  }

  predicate isStrongEncryptionAlgorithm(string name) {
-    name = [appendMode("AES"), "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
-  }
-
-  /**
-   * Gets the name with a mode of operation added as a suffix.
-   */
-  bindingset[name]
-  private string appendMode(string name) {
-    result = name + ["", "CBC", "ECB", "CFB", "OFB", "CTR", "GCM"]
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
  }

  predicate isWeakEncryptionAlgorithm(string name) {
    name =
      [
-        appendMode("DES"), appendMode("3DES"), "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2",
-        "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5"
+        "DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
+        "ARC5", "RC5"
      ]
  }

@@ -93,11 +85,12 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {

  /**
   * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
+   * white space, dashes, underscores, and anything after a dash in the name.
   */
  bindingset[name]
  predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+    name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1).regexpReplaceAll("[-_ ]", "") =
+      getName()
  }

  /**