Merge branch 'main' into henrymercer/merge-back-rc-3.16

2026-04-24 08:15:14 +02:00 · 2024-12-04 13:39:10 +00:00
parent f63f80ab68 80d466ffea
commit 963f084d87
1843 changed files with 40911 additions and 32058 deletions
--- a/java/ql/src/change-notes/2024-10-29-weak-crypto-hash.md
+++ b/java/ql/src/change-notes/2024-10-29-weak-crypto-hash.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/weak-cryptographic-algorithm` query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. The `java/potentially-weak-cryptographic-algorithm` query has been updated to report these uses instead.
--- a/java/ql/src/change-notes/2024-11-22-sha3.md
+++ b/java/ql/src/change-notes/2024-11-22-sha3.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
--- a/java/ql/src/change-notes/2024-11-24-sha2.md
+++ b/java/ql/src/change-notes/2024-11-24-sha2.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384.
--- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
@@ -95,7 +95,7 @@ private class ProduceCiphertextCall extends ProduceCryptoCall {
 }

 /** Holds if `fromNode` to `toNode` is a dataflow step that updates a cryptographic operation. */
-private predicate updateCryptoOperationStep(DataFlow2::Node fromNode, DataFlow2::Node toNode) {
+private predicate updateCryptoOperationStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(MethodCall call, Method m |
    m = call.getMethod() and
    call.getQualifier() = toNode.asExpr() and
@@ -111,7 +111,7 @@ private predicate updateCryptoOperationStep(DataFlow2::Node fromNode, DataFlow2:
 }

 /** Holds if `fromNode` to `toNode` is a dataflow step that creates a hash. */
-private predicate createMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::Node toNode) {
+private predicate createMessageDigestStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(MethodCall ma, Method m | m = ma.getMethod() |
    m.getDeclaringType().hasQualifiedName("java.security", "MessageDigest") and
    m.hasStringSignature("digest()") and
@@ -135,7 +135,7 @@ private predicate createMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N
 }

 /** Holds if `fromNode` to `toNode` is a dataflow step that updates a hash. */
-private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::Node toNode) {
+private predicate updateMessageDigestStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(MethodCall ma, Method m | m = ma.getMethod() |
    m.hasQualifiedName("java.security", "MessageDigest", "update") and
    ma.getArgument(0) = fromNode.asExpr() and
@@ -154,7 +154,7 @@ private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig {
    exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr())
  }

-  predicate isAdditionalFlowStep(DataFlow2::Node fromNode, DataFlow2::Node toNode) {
+  predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    updateCryptoOperationStep(fromNode, toNode)
    or
    createMessageDigestStep(fromNode, toNode)
--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -94,11 +94,11 @@ private class CompileRegexSink extends DataFlow::ExprNode {
 * A data flow configuration for regular expressions that include permissive dots.
 */
 private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PermissiveDotStr }

-  predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CompileRegexSink }

-  predicate isBarrier(DataFlow2::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
    exists(
      MethodCall ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
    |
--- a/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll
@@ -53,7 +53,7 @@ private class SpringViewUrlRedirectSink extends SpringUrlRedirectSink {
    )
    or
    exists(MethodCall ma, RedirectAppendCall rac |
-      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
+      DataFlow::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
      ma.getMethod().hasName("append") and
      ma.getArgument(0) = this.asExpr() and
      any(SpringRequestMappingMethod sqmm).polyCalls*(this.getEnclosingCallable())