hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Generelize MaybeBrokenCryptoAlgorithmQuery.qll

Browse Source
This commit is contained in:
Tony Torralba
2023-12-22 10:15:40 +01:00
parent 8051cfcef5
commit 8ad787f3b8
2 changed files with 29 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
View File

@@ -10,6 +10,12 @@ private import semmle.code.java.dataflow.RangeUtils
private import semmle.code.java.dispatch.VirtualDispatch
private import semmle.code.java.frameworks.Properties
/** A reference to an insecure cryptographic algorithm. */
abstract class InsecureAlgorithm extends Expr {
/** Gets the string representation of this insecure cryptographic algorithm. */
abstract string getStringValue();
}
private class ShortStringLiteral extends StringLiteral {
ShortStringLiteral() { this.getValue().length() < 100 }
}
@@ -17,16 +23,34 @@ private class ShortStringLiteral extends StringLiteral {
/**
* A string literal that may refer to an insecure cryptographic algorithm.
*/
class InsecureAlgoLiteral extends ShortStringLiteral {
class InsecureAlgoLiteral extends InsecureAlgorithm, ShortStringLiteral {
InsecureAlgoLiteral() {
// Algorithm identifiers should be at least two characters.
this.getValue().length() > 1 and
exists(string s | s = this.getValue() |
// Algorithm identifiers should be at least two characters.
s.length() > 1 and
not s.regexpMatch(getSecureAlgorithmRegex()) and
// Exclude results covered by another query.
not s.regexpMatch(getInsecureAlgorithmRegex())
)
}
override string getStringValue() { result = this.getValue() }
}
/**
* A property access that may refer to an insecure cryptographic algorithm.
*/
class InsecureAlgoProperty extends InsecureAlgorithm, PropertiesGetPropertyMethodCall {
string value;
InsecureAlgoProperty() {
value = this.getPropertyValue() and
// Since properties pairs are not included in the java/weak-cryptographic-algorithm,
// the check for values from properties files can be less strict than `InsecureAlgoLiteral`.
not value.regexpMatch(getSecureAlgorithmRegex())
}
override string getStringValue() { result = value }
}
private predicate objectToString(MethodCall ma) {
@@ -41,17 +65,7 @@ private predicate objectToString(MethodCall ma) {
* A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
*/
module InsecureCryptoConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) {
n.asExpr() instanceof InsecureAlgoLiteral
or
exists(PropertiesGetPropertyMethodCall mc, string value |
n.asExpr() = mc and value = mc.getPropertyValue()
|
// Since properties pairs are not included in the java/weak-crypto-algorithm,
// The check for values from properties files can be less strict than `InsecureAlgoLiteral`.
not value.regexpMatch(getSecureAlgorithmRegex())
)
}
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgorithm }
predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }