Weak Hashing Property initial query

2026-04-27 01:35:13 +02:00 · 2023-08-01 14:53:04 -04:00
parent dc9c538fcc
commit 93cf5b8eb9
4 changed files with 87 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/WeakHashingAlgorithmPropertyQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakHashingAlgorithmPropertyQuery.qll
@@ -0,0 +1,57 @@
+/** Provides classes and predicates to reason about property files and weak hashing algorithms. */
+
+import java
+private import semmle.code.configfiles.ConfigFiles
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.frameworks.Properties
+private import semmle.code.java.dataflow.RangeUtils
+
+class GetPropertyMethodAccess extends MethodAccess {
+  GetPropertyMethodAccess() { this.getMethod() instanceof PropertiesGetPropertyMethod }
+
+  private ConfigPair getPair() {
+    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
+  }
+
+  string getValue() {
+    result = this.getPair().getValueElement().getValue() or
+    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
+  }
+}
+
+string getWeakHashingAlgorithm(DataFlow::Node node) {
+/**
+ * Get the name of the weak cryptographic algorithm represented by `node`.
+ */
+string getWeakHashingAlgorithmName(DataFlow::Node node) {
+  exists(MethodAccess ma, ConfigPair pair |
+    node.asExpr() = ma and ma.getMethod() instanceof PropertiesGetPropertyMethod
+  |
+    ma.getArgument(0).(ConstantStringExpr).getStringValue() = pair.getNameElement().getName() and
+    pair.getValueElement().getValue() = result and
+    not pair.getValueElement().getValue().regexpMatch(getSecureAlgorithmRegex())
+  )
+}
+
+/**
+ * Dataflow configuration from a configuration pair in a properties file to the use of a cryptographic algorithm.
+ */
+module InsecureAlgorithmPropertyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) {
+    exists(MethodAccess ma, ConfigPair pair |
+      n.asExpr() = ma and ma.getMethod() instanceof PropertiesGetPropertyMethod
+    |
+      ma.getArgument(0).(ConstantStringExpr).getStringValue() = pair.getNameElement().getName() and
+      not pair.getValueElement().getValue().regexpMatch(getSecureAlgorithmRegex())
+    )
+  }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() = any(CryptoAlgoSpec c).getAlgoSpec() }
+}
+
+/**
+ * Dataflow from a configuration pair in a properties file to the use of a cryptographic algorithm.
+ */
+module InsecureAlgorithmPropertyFlow = TaintTracking::Global<InsecureAlgorithmPropertyConfig>;