Python: Timing attack

This commit is contained in:
root
2022-06-27 12:18:45 -04:00
parent 861a368734
commit 655b9d4262
17 changed files with 552 additions and 0 deletions


@@ -0,0 +1,8 @@
edges
| TimingAttackAgainstSignature.py:13:12:13:47 | ControlFlowNode for Attribute() | TimingAttackAgainstSignature.py:19:19:19:48 | ControlFlowNode for sign() |
nodes
| TimingAttackAgainstSignature.py:13:12:13:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
| TimingAttackAgainstSignature.py:19:19:19:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() |
subpaths
#select
| TimingAttackAgainstSignature.py:19:19:19:48 | ControlFlowNode for sign() | TimingAttackAgainstSignature.py:13:12:13:47 | ControlFlowNode for Attribute() | TimingAttackAgainstSignature.py:19:19:19:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstSignature.py:13:12:13:47 | ControlFlowNode for Attribute() | TimingAttackAgainstSignature.py:13:12:13:47 | ControlFlowNode for Attribute() |


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql


@@ -0,0 +1,6 @@
edges
nodes
| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
subpaths
#select
| TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | Timing attack against $@ validation. | TimingAttackAgainstHeader.py:14:12:14:46 | ControlFlowNode for Attribute() | client-supplied token |


@@ -0,0 +1,26 @@
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
"""
@Desc Timing Attack Against Header
"""
from flask import Flask
from flask import request
from django.utils.crypto import constant_time_compare
app = Flask(__name__)
@app.route('/bad')
def bad1():
if not request.headers.get('X-Auth-Token') == "key":
raise Exception('bad token')
return 'bad1'
@app.route('/good')
def good1():
if not constant_time_compare(Secret, "token"):
raise Exception('bad token')
return 'good1'
if __name__ == '__main__':
app.debug = True
app.run()
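Review bot: `good1` compares an undefined name — `if not constant_time_compare(Secret, "token"):` references `Secret`, which is neither imported nor assigned anywhere in the file, so the `/good` route would raise NameError before any comparison runs. Since this endpoint is meant to be the constant-time counterpart of `bad1`, it should read the same header and constant: `if not constant_time_compare(request.headers.get('X-Auth-Token'), "key"):`. As written, the fact that the `.expected` output flags only line 14 does not show that the query recognises `constant_time_compare` as a safe comparison, because the good path never reaches it with client-controlled data; the fix above makes that case meaningful. The change keeps the line numbers the `.expected` file pins.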


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql


@@ -0,0 +1,6 @@
edges
nodes
| TimingAttackAgainstSensitiveInfo.py:15:16:15:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
subpaths
#select
| TimingAttackAgainstSensitiveInfo.py:15:16:15:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:16:15:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:15:16:15:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:15:16:15:23 | ControlFlowNode for password | client-supplied token |


@@ -0,0 +1,36 @@
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
"""
@Desc timing attack against Secret
"""
from flask import Flask
from flask import request
app = Flask(__name__)
@app.route('/bad')
def check_credentials():
if request.method == 'POST':
password = request.form['pwd']
return password == "token"
@app.route('/good')
def check_credentials(password):
if request.method == 'POST':
password = request.form['pwd']
return constant_time_string_compare(password, "token")
def constant_time_string_compare(a, b):
if len(a) != len(b):
return False
result = 0
for x, y in zip(a, b):
result |= ord(x) ^ ord(y)
return result == 0
if __name__ == '__main__':
app.debug = True
app.run()
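Review bot: Both view functions are named `check_credentials`, so the second `def` under `@app.route('/good')` rebinds the name and Flask will refuse to register a second, different view function under the same endpoint name when the module is imported — neither route is reachable. Rename the good variant, `def check_credentials_good():`, and drop its `password` parameter, which Flask's routing would never supply and which the body immediately shadows with `request.form['pwd']`. Both changes leave the line numbers pinned by the `.expected` file (line 15) untouched. The hand-rolled `constant_time_string_compare` is presumably the deliberate fixture for the sanitizer the query should recognise; if not, `hmac.compare_digest` is the stdlib equivalent.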


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-208/TimingAttackAgainstSensitiveInfo.ql


@@ -0,0 +1,19 @@
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
"""
@Desc Timing Attack Against Signature
"""
import hashlib
import hmac
from django.utils.crypto import constant_time_compare
key = "e179017a-62b0-4996-8a38-e91aa9f1"
def sign(pre_key, msg, alg):
return hmac.new(pre_key, msg, alg).digest()
def verify1(msg, sig):
return constant_time_string_compare(sig, sign(key, msg, hashlib.sha256)) #good
def verify2(msg, sig):
return sig == sign(key, msg, hashlib.sha256) #bad
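Review bot: `verify1` calls `constant_time_string_compare`, but the only comparison helper this file imports is `constant_time_compare` from `django.utils.crypto`, so the "good" path would raise NameError and, more importantly for a CodeQL fixture, never exercises the sanitizer the query is meant to recognise — the `.expected` output flagging only `verify2` would look identical with or without sanitizer support. Use the imported name, `return constant_time_compare(sig, sign(key, msg, hashlib.sha256)) #good`, or the stdlib `hmac.compare_digest`. Separately, `key` is a `str` while `hmac.new` requires a bytes-like key, so `sign()` raises TypeError on Python 3; `key = b"e179017a-62b0-4996-8a38-e91aa9f1"` fixes that, though it is harmless for a pure-analysis fixture. The `verify2` body is the last visible line; judging by the `.expected` file's line-19 reference it is also the last line of the file.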