Refactor instances and consumers + add JCA hashes
@@ -3,10 +3,11 @@ import semmle.code.cpp.ir.IR
|
||||
import semmle.code.cpp.security.FlowSources as FlowSources
|
||||
private import cpp as Lang
|
||||
|
||||
|
||||
module CryptoInput implements InputSig<Lang::Location> {
|
||||
class DataFlowNode = DataFlow::Node;
|
||||
|
||||
class LocatableElement = Lang::Locatable;
|
||||
|
||||
class UnknownLocation = Lang::UnknownDefaultLocation;
|
||||
}
|
||||
|
||||
@@ -21,7 +22,6 @@ abstract class AdditionalFlowInputStep extends DataFlow::Node {
|
||||
final DataFlow::Node getInput() { result = this }
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Generic data source to node input configuration
|
||||
*/
|
||||
@@ -47,61 +47,44 @@ module GenericDataSourceUniversalFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
// // // TODO: I think this will be inefficient, no?
|
||||
// // class ConstantDataSource extends Crypto::GenericConstantOrAllocationSource instanceof Literal {
|
||||
// // override DataFlow::Node getOutputNode() {
|
||||
// // result.asExpr() = this
|
||||
// // override DataFlow::Node getOutputNode() {
|
||||
// // result.asExpr() = this
|
||||
// // }
|
||||
|
||||
// // override predicate flowsTo(Crypto::FlowAwareElement other) {
|
||||
// // // TODO: separate config to avoid blowing up data-flow analysis
|
||||
// // GenericDataSourceUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
|
||||
// // }
|
||||
|
||||
// // override string getAdditionalDescription() { result = this.toString() }
|
||||
// // }
|
||||
|
||||
// /**
|
||||
// * Definitions of various generic data sources
|
||||
// */
|
||||
// // final class DefaultFlowSource = SourceNode;
|
||||
|
||||
// // final class DefaultRemoteFlowSource = RemoteFlowSource;
|
||||
|
||||
// // class GenericLocalDataSource extends Crypto::GenericLocalDataSource {
|
||||
// // GenericLocalDataSource() {
|
||||
// // any(DefaultFlowSource src | not src instanceof DefaultRemoteFlowSource).asExpr() = this
|
||||
// // }
|
||||
|
||||
// // override DataFlow::Node getOutputNode() { result.asExpr() = this }
|
||||
|
||||
// // override predicate flowsTo(Crypto::FlowAwareElement other) {
|
||||
// // GenericDataSourceUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
|
||||
// // }
|
||||
|
||||
// // override string getAdditionalDescription() { result = this.toString() }
|
||||
// // }
|
||||
|
||||
// // class GenericRemoteDataSource extends Crypto::GenericRemoteDataSource {
|
||||
// // GenericRemoteDataSource() { any(DefaultRemoteFlowSource src).asExpr() = this }
|
||||
|
||||
// // override DataFlow::Node getOutputNode() { result.asExpr() = this }
|
||||
|
||||
// // override predicate flowsTo(Crypto::FlowAwareElement other) {
|
||||
// // GenericDataSourceUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
|
||||
// // }
|
||||
|
||||
// // override string getAdditionalDescription() { result = this.toString() }
|
||||
// // }
|
||||
|
||||
|
||||
// module GenericDataSourceUniversalFlow = DataFlow::Global<GenericDataSourceUniversalFlowConfig>;
|
||||
|
||||
module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source = any(Crypto::ArtifactElement artifact).getOutputNode()
|
||||
source = any(Crypto::ArtifactInstance artifact).getOutputNode()
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
@@ -120,12 +103,13 @@ module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
|
||||
node1.(AdditionalFlowInputStep).getOutput() = node2
|
||||
}
|
||||
}
|
||||
|
||||
module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
|
||||
|
||||
abstract class CipherOutputArtifact extends Crypto::CipherOutputArtifactInstance {
|
||||
override predicate flowsTo(Crypto::FlowAwareElement other) {
|
||||
ArtifactUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
import OpenSSL.OpenSSL
|
||||
|
||||
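Review bot: The hunk at `@@ -47,61 +47,44 @@` keeps the run of commented-out source classes from `// // class ConstantDataSource …` through `// module GenericDataSourceUniversalFlow = …` in the file, headed by the question-style `// // // TODO: I think this will be inefficient, no?`, while `GenericDataSourceUniversalFlowConfig` itself remains defined just above it. The rendered page does not show whether this commit added the extra `//` layer or only carried it over, but on the new side the config has no visible `DataFlow::Global` instantiation and the generic local/remote data sources are no longer modeled, so flows from untrusted input into artifact consumers will not be reported until they return. Either delete the block (history keeps it) or replace the TODO with a statement of intent such as `// TODO: generic data sources are disabled pending a dedicated flow config; GenericDataSourceUniversalFlowConfig is currently unused.`. The `ArtifactUniversalFlowConfig` module that follows begins inside this hunk, but its `isSink` body continues outside it, so the full set of sinks cannot be checked from here.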
@@ -6,7 +6,7 @@ class EVP_Cipher_Initializer_Algorithm_Consumer extends Crypto::AlgorithmConsume
|
||||
{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
|
||||
override Crypto::AlgorithmElement getAKnownAlgorithmSource() {
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLCipherConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,26 +2,29 @@ import EVPHashInitializer
|
||||
import EVPHashOperation
|
||||
import EVPHashAlgorithmSource
|
||||
|
||||
class EVP_Digest_Initializer_Algorithm_Consumer extends Crypto::AlgorithmConsumer instanceof EVPDigestInitializerAlgorithmArgument{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
class EVP_Digest_Initializer_Algorithm_Consumer extends Crypto::AlgorithmValueConsumer instanceof EVPDigestInitializerAlgorithmArgument
|
||||
{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
|
||||
override Crypto::AlgorithmElement getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
}
|
||||
|
||||
class EVP_Q_Digest_Algorithm_Consumer extends Crypto::AlgorithmConsumer instanceof EVP_Q_Digest_Algorithm_Argument{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
class EVP_Q_Digest_Algorithm_Consumer extends Crypto::AlgorithmValueConsumer instanceof EVP_Q_Digest_Algorithm_Argument
|
||||
{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
|
||||
override Crypto::AlgorithmElement getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
}
|
||||
|
||||
class EVP_Digest_Algorithm_Consumer extends Crypto::AlgorithmConsumer instanceof EVP_Digest_Algorithm_Argument{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
class EVP_Digest_Algorithm_Consumer extends Crypto::AlgorithmValueConsumer instanceof EVP_Digest_Algorithm_Argument
|
||||
{
|
||||
override DataFlow::Node getInputNode() { result.asExpr() = this }
|
||||
|
||||
override Crypto::AlgorithmElement getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
}
|
||||
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
|
||||
result.(KnownOpenSSLHashConstantAlgorithmInstance).getConsumer() = this
|
||||
}
|
||||
}
|
||||
|
||||
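Review bot: The three consumer classes rewritten in this hunk (`EVP_Digest_Initializer_Algorithm_Consumer`, `EVP_Q_Digest_Algorithm_Consumer`, `EVP_Digest_Algorithm_Consumer`) now have identical bodies — `override DataFlow::Node getInputNode() { result.asExpr() = this }` and the same `getAKnownAlgorithmSource()` restricted to `KnownOpenSSLHashConstantAlgorithmInstance` — and differ only in their `instanceof` argument class. If those argument classes share an expression base (the `asExpr() = this` suggests so, but their definitions are not visible here), a single class over a union of the three, or an abstract base holding the two overrides, would stop them drifting apart the next time the consumer API changes, as it did in this commit. None of the classes has QLDoc; each declaration should get one along the lines of `/** An algorithm argument to an OpenSSL digest API, modeled as a consumer whose known sources are OpenSSL hash algorithm constants. */`, adjusted to the exact API each argument class covers. The names also use underscore-separated words where QL classes are conventionally UpperCamelCase (`EvpDigestInitializerAlgorithmConsumer`); since the declaration lines are rewritten here this is the natural point to rename, and the same applies to `EVP_Cipher_Initializer_Algorithm_Consumer` in the preceding file section.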