Making various changes based on the feedback. Pending: 2 non-trivial fixes for Java & Python.

2026-04-28 02:05:14 +02:00 · 2022-07-11 13:25:35 -07:00
parent e5702d0e15
commit ac05577966
8 changed files with 51 additions and 39 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
@@ -14,11 +14,6 @@
  </recommendation>
  <example>

-    <p>The following example shows an HTTP request parameter being used directly in a forming a
-new request without validating the input, which facilitates SSRF attacks.
-It also shows how to remedy the problem by validating the user input against a known fixed string.
-</p>
-
    <sample src="UnsafeUsageOfClientSideEncryptionVersion.java" />

  </example>
@@ -26,6 +21,9 @@ It also shows how to remedy the problem by validating the user input against a k
    <li>
      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-PENDING">CVE-2022-PENDING</a>
+    </li>

  </references>
 </qhelp>
--- a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -13,7 +13,7 @@
 import java

 /**
- * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
 * that takes no arguments, which means that it is using V1 encryption
 */
 predicate isCreatingOutdatedAzureClientSideEncryptionObject(Call call, Class c) {
@@ -31,8 +31,8 @@ predicate isCreatingOutdatedAzureClientSideEncryptionObject(Call call, Class c)
  )
 }

-/** 
- * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+/**
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
 * that takes `versionArg` as the argument for the version.
 */
 predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c, Expr versionArg) {
@@ -47,7 +47,7 @@ predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c
 }

 /**
- * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
 * that takes `versionArg` as the argument for the version, and the version number is safe
 */
 predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
@@ -67,5 +67,4 @@ where
  )
  or
  isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
-select e,
-  "Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING). See http://aka.ms/azstorageclientencryptionblog"
+select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."