Merge pull request #1124 from jbj/weak-cryptographic-algorithm-perf

C++: Fix performance of BrokenCryptoAlgorithm.ql
2026-05-05 05:35:13 +02:00 · 2019-03-20 18:01:58 +00:00
parent 8a693699fc 76ff250593
commit 5a56740ee6
2 changed files with 23 additions and 10 deletions
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -16,9 +16,14 @@ abstract class InsecureCryptoSpec extends Locatable {
  abstract string description();
 }

+Function getAnInsecureFunction() {
+  result.getName().regexpMatch(algorithmBlacklistRegex()) and
+  exists(result.getACallToThisFunction())
+}
+
 class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
  InsecureFunctionCall() {
-    this.getTarget().getName().regexpMatch(algorithmBlacklistRegex())
+    this.getTarget() = getAnInsecureFunction()
  }

  override string description() { result = "function call" }
@@ -27,9 +32,14 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
  override Location getLocation() { result = FunctionCall.super.getLocation() }
 }

+Macro getAnInsecureMacro() {
+  result.getName().regexpMatch(algorithmBlacklistRegex()) and
+  exists(result.getAnInvocation())
+}
+
 class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
  InsecureMacroSpec() {
-    this.getMacro().getName().regexpMatch(algorithmBlacklistRegex())
+    this.getMacro() = getAnInsecureMacro()
  }

  override string description() { result = "macro invocation" }
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -20,14 +20,17 @@ string hashAlgorithmBlacklist() {

 /** A regex for matching strings that look like they contain a blacklisted algorithm */
 string algorithmBlacklistRegex() {
-  // algorithms usually appear in names surrounded by characters that are not
-  // alphabetical characters in the same case. This handles the upper and lower
-  // case cases
-  result = "(^|.*[^A-Z])" + algorithmBlacklist() + "([^A-Z].*|$)"
-  // for lowercase, we want to be careful to avoid being confused by camelCase
-  // hence we require two preceding uppercase letters to be sure of a case switch,
-  // or a preceding non-alphabetic character
-  or result = "(^|.*[A-Z]{2}|.*[^a-zA-Z])" + algorithmBlacklist().toLowerCase() + "([^a-z].*|$)"
+  result =
+    // algorithms usually appear in names surrounded by characters that are not
+    // alphabetical characters in the same case. This handles the upper and lower
+    // case cases
+    "(^|.*[^A-Z])(" + strictconcat(algorithmBlacklist(), "|") + ")([^A-Z].*|$)" +
+    "|" +
+    // for lowercase, we want to be careful to avoid being confused by camelCase
+    // hence we require two preceding uppercase letters to be sure of a case switch,
+    // or a preceding non-alphabetic character
+    "(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(algorithmBlacklist().toLowerCase(), "|") +
+    ")([^a-z].*|$)"
 }

 /** A whitelist of algorithms that are known to be secure */