Try different ways of passing taint through a field

2026-01-29 22:32:58 +01:00 · 2020-06-23 12:14:49 +03:00
parent 4ab929a656
commit 56727b220b
2 changed files with 21 additions and 7 deletions
--- a/ql/src/experimental/CWE-327/InsecureTLS.ql
+++ b/ql/src/experimental/CWE-327/InsecureTLS.ql
@@ -130,13 +130,9 @@ class TlsInsecureCipherSuitesFlowConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) {
    // TODO: source can also be result of tls.InsecureCipherSuites()[0].ID
    source =
-      any(DataFlow::FieldReadNode fieldRead |
-        fieldRead.getBase().getAPredecessor*() =
-          any(Function insecureCipherSuites |
-            insecureCipherSuites.hasQualifiedName("crypto/tls", "InsecureCipherSuites")
-          ).getACall().getResult() and
-        fieldRead.getFieldName() = "ID"
-      )
+      any(Function insecureCipherSuites |
+        insecureCipherSuites.hasQualifiedName("crypto/tls", "InsecureCipherSuites")
+      ).getACall().getResult()
    or
    source =
      any(DataFlow::ValueEntity val |
--- a/ql/test/experimental/CWE-327/UnsafeTLS.go
+++ b/ql/test/experimental/CWE-327/UnsafeTLS.go
@@ -178,6 +178,24 @@ func cipherSuites() {
 			config.CipherSuites = append(config.CipherSuites, v.ID) // BAD
 		}
 	}
+	{
+		config := &tls.Config{}
+		cipherSuites := make([]uint16, 0)
+		insecureSuites := tls.InsecureCipherSuites()
+		for _, v := range insecureSuites {
+			cipherSuites = append(cipherSuites, v.ID)
+		}
+		config.CipherSuites = cipherSuites // BAD
+	}
+	{
+		config := &tls.Config{}
+		cipherSuites := make([]uint16, 0)
+		insecureSuites := tls.InsecureCipherSuites()
+		for i := range insecureSuites {
+			cipherSuites = append(cipherSuites, insecureSuites[i].ID)
+		}
+		config.CipherSuites = cipherSuites // BAD
+	}
 }

 func good(version string) {