C#: Re-factor SymmetricKeyTaintTrackingConfiguration to use the new API.

2026-04-21 06:55:31 +02:00 · 2023-03-27 11:45:55 +02:00
parent 0acca2ba76
commit 5278bbcaaa
2 changed files with 26 additions and 5 deletions
--- a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
@@ -64,9 +64,11 @@ class SymmetricEncryptionCreateDecryptorSink extends SymmetricEncryptionKeySink
 }

 /**
+ * DEPRECATED: Use `SymmetricKey` instead.
+ *
 * Symmetric Key Data Flow configuration.
 */
-class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuration {
+deprecated class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuration {
  SymmetricKeyTaintTrackingConfiguration() { this = "SymmetricKeyTaintTracking" }

  /** Holds if the node is a key source. */
@@ -78,3 +80,22 @@ class SymmetricKeyTaintTrackingConfiguration extends TaintTracking::Configuratio
  /** Holds if the node is a key sanitizer. */
  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
 }
+
+/**
+ * Symmetric Key Data Flow configuration.
+ */
+private module SymmetricKeyConfig implements DataFlow::ConfigSig {
+  /** Holds if the node is a key source. */
+  predicate isSource(DataFlow::Node src) { src instanceof KeySource }
+
+  /** Holds if the node is a symmetric encryption key sink. */
+  predicate isSink(DataFlow::Node sink) { sink instanceof SymmetricEncryptionKeySink }
+
+  /** Holds if the node is a key sanitizer. */
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+}
+
+/**
+ * Symmetric Key Data Flow configuration.
+ */
+module SymmetricKey = TaintTracking::Global<SymmetricKeyConfig>;
--- a/Features/CWE-321/HardcodedEncryptionKey.ql
+++ b/Features/CWE-321/HardcodedEncryptionKey.ql
@@ -15,7 +15,7 @@

 import csharp
 import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlowQuery
-import DataFlow::PathGraph
+import SymmetricKey::PathGraph

 /**
 * The creation of a literal byte array.
@@ -38,10 +38,10 @@ class StringLiteralSource extends KeySource {
 }

 from
-  SymmetricKeyTaintTrackingConfiguration keyFlow, DataFlow::PathNode source,
-  DataFlow::PathNode sink, KeySource srcNode, SymmetricEncryptionKeySink sinkNode
+  SymmetricKey::PathNode source, SymmetricKey::PathNode sink, KeySource srcNode,
+  SymmetricEncryptionKeySink sinkNode
 where
-  keyFlow.hasFlowPath(source, sink) and
+  SymmetricKey::flowPath(source, sink) and
  source.getNode() = srcNode and
  sink.getNode() = sinkNode
 select sink.getNode(), source, sink,