add draft code to find algo type to replace tainttracking configs

2025-12-24 04:36:35 +01:00 · 2022-10-04 23:21:15 -04:00
parent d3b1a04c13
commit 8ffd2522e7
4 changed files with 26 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -252,6 +252,7 @@ string getASecureAlgorithmName() {
      "Blowfish", "ECIES" // ! Blowfish not actually secure based on https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426 ??
      // ! hmm, other sources imply that it is secure...
      // ! also no DH here, etc.?
+      // ! also is ECB matched with AES?
    ]
 }

--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -155,6 +155,26 @@ private predicate hasShortAESKey(MethodAccess ma, string msg) {
 bindingset[type]
 private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  ma.getQualifier() instanceof JavaSecurityKeyPairGenerator and
+  ma.getQualifier().getBasicBlock() instanceof JavaSecurityKeyPairGenerator and
+  //ma.getQualifier().getBasicBlock().getNode(2) instanceof JavaSecurityKeyPairGenerator and
+  // ma.getQualifier()
+  //     .getBasicBlock()
+  //     .getANode()
+  //     .(JavaSecurityKeyPairGenerator)
+  //     .getAlgoSpec()
+  //     .(StringLiteral)
+  //     .getValue()
+  //     .toUpperCase() = type and
+  //ma.getQualifier().getBasicBlock().getAPredecessor() instanceof JavaSecurityKeyPairGenerator and
+  ma.getQualifier()
+      .getBasicBlock()
+      .getAPredecessor()
+      .(JavaSecurityKeyPairGenerator)
+      .getAlgoSpec()
+      .(StringLiteral)
+      .getValue()
+      .toUpperCase() = type and
  // flow needed to correctly determine algorithm type and
  // not match to ANY asymmetric algorithm
  exists(
--- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -4,6 +4,7 @@
 *              allow an attacker to compromise security.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 7.5
 * @precision high
 * @id java/insufficient-key-size
 * @tags security
@@ -12,10 +13,12 @@

 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
+import DataFlow::PathGraph

 // from Expr e, string msg
 // where hasInsufficientKeySize(e, msg)
 // select e, msg
 from AsymmetricKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink, source, sink, "The size of this RSA key should be at least 2048 bits."
+select sink.getNode(), source, sink, "The $@ of an asymmetric key should be at least 2048 bits.",
+  sink.getNode(), "size"
--- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
+++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
@@ -106,7 +106,7 @@ public class InsufficientKeySizeTest {
        test(keysize);
    }

-    public void test(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
+    public static void test(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
        KeyPairGenerator keyPairGen19 = KeyPairGenerator.getInstance("RSA");
        // BAD: Key size is less than 128
        keyPairGen19.initialize(keySize); // $ hasInsufficientKeySize