Move weak hashing into MaybeBrokenCryptoAlgorithm

2026-04-30 19:26:02 +02:00 · 2023-11-15 13:02:23 -05:00
parent fbc2a33597
commit 83c6ece405
7 changed files with 34 additions and 123 deletions
--- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -3,9 +3,12 @@
 */

 import java
+private import semmle.code.configfiles.ConfigFiles
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.RangeUtils
 private import semmle.code.java.dispatch.VirtualDispatch
+private import semmle.code.java.frameworks.Properties

 private class ShortStringLiteral extends StringLiteral {
  ShortStringLiteral() { this.getValue().length() < 100 }
@@ -34,11 +37,38 @@ private predicate objectToString(MethodCall ma) {
  )
 }

+private class GetPropertyMethodCall extends MethodCall {
+  GetPropertyMethodCall() { this.getMethod() instanceof PropertiesGetPropertyMethod }
+
+  private ConfigPair getPair() {
+    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
+  }
+
+  string getPropertyValue() {
+    result = this.getPair().getValueElement().getValue() or
+    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
+  }
+}
+
+string insecureAlgorithmName(DataFlow::Node algo) {
+  result = algo.asExpr().(StringLiteral).getValue()
+  or
+  result = algo.asExpr().(GetPropertyMethodCall).getPropertyValue()
+}
+
 /**
 * A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
 */
 module InsecureCryptoConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
+  predicate isSource(DataFlow::Node n) {
+    n.asExpr() instanceof InsecureAlgoLiteral
+    or
+    exists(GetPropertyMethodCall mc | n.asExpr() = mc |
+      // Since properties pairs are not included in the java/weak-crypto-algorithm,
+      // The check for values from properties files can be less strict than `InsecureAlgoLiteral`.
+      not mc.getPropertyValue().regexpMatch(getSecureAlgorithmRegex())
+    )
+  }

  predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }

--- a/java/ql/lib/semmle/code/java/security/WeakHashingAlgorithmPropertyQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakHashingAlgorithmPropertyQuery.qll
@@ -1,54 +0,0 @@
-/** Provides classes and predicates to reason about property files and weak hashing algorithms. */
-
-import java
-private import semmle.code.configfiles.ConfigFiles
-private import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.security.Encryption
-private import semmle.code.java.frameworks.Properties
-private import semmle.code.java.dataflow.RangeUtils
-
-private class GetPropertyMethodCall extends MethodCall {
-  GetPropertyMethodCall() { this.getMethod() instanceof PropertiesGetPropertyMethod }
-
-  private ConfigPair getPair() {
-    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
-  }
-
-  string getPropertyValue() {
-    result = this.getPair().getValueElement().getValue() or
-    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
-  }
-}
-
-/**
- * Get the name of the weak cryptographic algorithm represented by `node`.
- */
-string getWeakHashingAlgorithmName(DataFlow::Node node) {
-  exists(MethodCall mc, ConfigPair pair |
-    node.asExpr() = mc and mc.getMethod() instanceof PropertiesGetPropertyMethod
-  |
-    mc.getArgument(0).(ConstantStringExpr).getStringValue() = pair.getNameElement().getName() and
-    pair.getValueElement().getValue() = result and
-    not pair.getValueElement().getValue().regexpMatch(getSecureAlgorithmRegex())
-  )
-}
-
-/**
- * Dataflow configuration from a configuration pair in a properties file to the use of a cryptographic algorithm.
- */
-module InsecureAlgorithmPropertyConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) {
-    exists(GetPropertyMethodCall mc, string algo | n.asExpr() = mc |
-      algo = mc.getPropertyValue() and
-      not algo.regexpMatch(getSecureAlgorithmRegex())
-    )
-  }
-
-  predicate isSink(DataFlow::Node n) { n.asExpr() = any(CryptoAlgoSpec c).getAlgoSpec() }
-}
-
-/**
- * Dataflow from a configuration pair in a properties file to the use of a cryptographic algorithm.
- */
-module InsecureAlgorithmPropertyFlow = TaintTracking::Global<InsecureAlgorithmPropertyConfig>;