Merge pull request #632 from asger-semmle/pseudo-random-bytes

JS: add crypto.pseudoRandomBytes as source in InsecureRandomness.ql
2026-05-01 19:55:15 +02:00 · 2018-12-13 08:14:40 +00:00
parent df42707050 4fc27aaa51
commit 54bb9d185f
4 changed files with 11 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
@@ -68,7 +68,7 @@ module InsecureRandomness {
   * A simple random number generator that is not cryptographically secure.
   */
  class DefaultSource extends Source, DataFlow::ValueNode {
-    override CallExpr astNode;
+    override InvokeExpr astNode;

    DefaultSource() {
      exists(DataFlow::ModuleImportNode mod, string name | mod.getPath() = name |
@@ -98,6 +98,9 @@ module InsecureRandomness {
      or
      // (new require('chance')).<name>()
      this = DataFlow::moduleImport("chance").getAnInstantiation().getAMemberInvocation(_)
+      or
+      // require('crypto').pseudoRandomBytes()
+      this = DataFlow::moduleMember("crypto", "pseudoRandomBytes").getAnInvocation()
    }
  }

--- a/javascript/ql/test/library-tests/Security/CWE-338/InsecureRandomnessSource.expected
+++ b/javascript/ql/test/library-tests/Security/CWE-338/InsecureRandomnessSource.expected
@@ -6,3 +6,5 @@
 | tst.js:15:1:15:12 | randomSeed() |
 | tst.js:18:1:18:14 | uniqueRandom() |
 | tst.js:22:1:22:12 | chance.XYZ() |
+| tst.js:25:1:25:29 | crypto. ... es(100) |
+| tst.js:26:1:26:33 | new cry ... es(100) |
--- a/javascript/ql/test/library-tests/Security/CWE-338/tst.js
+++ b/javascript/ql/test/library-tests/Security/CWE-338/tst.js
@@ -20,3 +20,7 @@ uniqueRandom();
 var Chance = require('chance'),
    chance = new Chance();
 chance.XYZ();
+
+let crypto = require('crypto');
+crypto.pseudoRandomBytes(100);
+new crypto.pseudoRandomBytes(100);