Merge pull request #14040 from egregius313/egregius313/weak-hashing-properties

Java: Add support for algorithm names specified in `.properties` files to `java/potentially-weak-cryptographic-algorithm`
2026-04-30 19:26:02 +02:00 · 2023-12-18 09:38:58 -05:00
parent d5f47a3d75 0524289a73
commit 56921a6e21
7 changed files with 78 additions and 7 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Properties.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Properties.qll
@@ -2,6 +2,8 @@

 import semmle.code.java.Type
 private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.configfiles.ConfigFiles
+private import semmle.code.java.dataflow.RangeUtils

 /**
 * The `java.util.Properties` class.
@@ -43,3 +45,22 @@ class PropertiesStoreMethod extends Method {
    (this.getName().matches("store%") or this.getName() = "save")
  }
 }
+
+/**
+ * A call to the `getProperty` method of the class `java.util.Properties`.
+ */
+class PropertiesGetPropertyMethodCall extends MethodCall {
+  PropertiesGetPropertyMethodCall() { this.getMethod() instanceof PropertiesGetPropertyMethod }
+
+  private ConfigPair getPair() {
+    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
+  }
+
+  /**
+   * Get the potential string values that can be associated with the given property name.
+   */
+  string getPropertyValue() {
+    result = this.getPair().getValueElement().getValue() or
+    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -3,9 +3,12 @@
 */

 import java
+private import semmle.code.configfiles.ConfigFiles
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.RangeUtils
 private import semmle.code.java.dispatch.VirtualDispatch
+private import semmle.code.java.frameworks.Properties

 private class ShortStringLiteral extends StringLiteral {
  ShortStringLiteral() { this.getValue().length() < 100 }
@@ -38,7 +41,15 @@ private predicate objectToString(MethodCall ma) {
 * A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
 */
 module InsecureCryptoConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
+  predicate isSource(DataFlow::Node n) {
+    n.asExpr() instanceof InsecureAlgoLiteral
+    or
+    exists(PropertiesGetPropertyMethodCall mc | n.asExpr() = mc |
+      // Since properties pairs are not included in the java/weak-crypto-algorithm,
+      // The check for values from properties files can be less strict than `InsecureAlgoLiteral`.
+      not mc.getPropertyValue().regexpMatch(getSecureAlgorithmRegex())
+    )
+  }

  predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }