diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
index d0e4d56f630..90fb4b4ffa5 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -19,7 +19,23 @@ import BrokenCryptoAlgorithmCustomizations::BrokenCryptoAlgorithm
  * added either by extending the relevant class, or by subclassing this configuration itself,
  * and amending the sources and sinks.
  */
-class Configuration extends TaintTracking::Configuration {
+module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint tracking flow for sensitive information in broken or weak cryptographic algorithms.
+ */
+module BrokenCryptoAlgorithmFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `BrokenCryptoAlgorithmFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "BrokenCryptoAlgorithm" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index 9826ebefe5f..755effd3113 100644
--- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
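Review bot: The QLDoc block that ends on the `*/` context line now documents the new `BrokenCryptoAlgorithmConfig` module, but it still says sources and sinks can be added "by subclassing this configuration itself", which a `module ... implements DataFlow::ConfigSig` does not support; reword its last two lines to ` * added by extending the relevant class.` and, if the subclassing sentence is still wanted, move it into the QLDoc of the deprecated `Configuration` class below. Separately, `module BrokenCryptoAlgorithmFlow = TaintTracking::Global;` is shown here with no type argument; `TaintTracking::Global` is parameterised, so the line should read `module BrokenCryptoAlgorithmFlow = TaintTracking::Global<BrokenCryptoAlgorithmConfig>;` — the angle brackets were most likely lost when the diff was rendered, but it is worth confirming against the committed file since a bare `Global` would not compile. The body of the deprecated `Configuration` class continues past the end of this hunk.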
@@ -14,11 +14,11 @@
 import javascript
 import semmle.javascript.security.dataflow.BrokenCryptoAlgorithmQuery
 import semmle.javascript.security.SensitiveActions
-import DataFlow::PathGraph
+import BrokenCryptoAlgorithmFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from BrokenCryptoAlgorithmFlow::PathNode source, BrokenCryptoAlgorithmFlow::PathNode sink
 where
-  cfg.hasFlowPath(source, sink) and
+  BrokenCryptoAlgorithmFlow::flowPath(source, sink) and
   not source.getNode() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
 select sink.getNode(), source, sink, "A broken or weak cryptographic algorithm depends on $@.",
   source.getNode(), "sensitive data from " + source.getNode().(Source).describe()
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
index 1938b020355..b565021866b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,30 +1,15 @@ -nodes -| tst.js:3:5:3:24 | secretText | -| tst.js:3:18:3:24 | trusted | -| tst.js:3:18:3:24 | trusted | -| tst.js:11:17:11:26 | secretText | -| tst.js:11:17:11:26 | secretText | -| tst.js:11:17:11:26 | secretText | -| tst.js:17:17:17:25 | o.trusted | -| tst.js:17:17:17:25 | o.trusted | -| tst.js:17:17:17:25 | o.trusted | -| tst.js:19:17:19:24 | password | -| tst.js:19:17:19:24 | password | -| tst.js:19:17:19:24 | password | -| tst.js:22:21:22:30 | secretText | -| tst.js:22:21:22:30 | secretText | -| tst.js:22:21:22:30 | secretText | edges | tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText | -| tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText | -| tst.js:3:5:3:24 | secretText | tst.js:22:21:22:30 | secretText | | tst.js:3:5:3:24 | secretText | tst.js:22:21:22:30 | secretText | | tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText | -| tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText | -| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | -| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | -| tst.js:19:17:19:24 | password | tst.js:19:17:19:24 | password | -| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | +nodes +| tst.js:3:5:3:24 | secretText | semmle.label | secretText | +| tst.js:3:18:3:24 | trusted | semmle.label | trusted | +| tst.js:11:17:11:26 | secretText | semmle.label | secretText | +| tst.js:17:17:17:25 | o.trusted | semmle.label | o.trusted | +| tst.js:19:17:19:24 | password | semmle.label | password | +| tst.js:22:21:22:30 | secretText | semmle.label | secretText | +subpaths #select | tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm depends on $@. 
| tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted | | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm depends on $@. | tst.js:11:17:11:26 | secretText | sensitive data from an access to secretText |