Making various changes based on the feedback. Pending: 2 non-trivial fixes for Java & Python.

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.py

@@ -1,7 +1,7 @@
 blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
-    blob_client.require_encryption = True
-    blob_client.key_encryption_key = kek
-    # GOOD: Must use `encryption_version` set to `2.0`
-    blob_client.encryption_version = '2.0'  # Use Version 2.0!
-   with open(“decryptedcontentfile.txt”, “rb”) as stream:
-        blob_client.upload_blob(stream, overwrite=OVERWRITE_EXISTING)
+blob_client.require_encryption = True
+blob_client.key_encryption_key = kek
+# GOOD: Must use `encryption_version` set to `2.0`
+blob_client.encryption_version = '2.0'  # Use Version 2.0!
+with open(“decryptedcontentfile.txt”, “rb”) as stream:
+    blob_client.upload_blob(stream, overwrite=OVERWRITE_EXISTING)

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -14,11 +14,6 @@
   </recommendation>
   <example>
 
-    <p>The following example shows an HTTP request parameter being used directly in a forming a
-new request without validating the input, which facilitates SSRF attacks.
-It also shows how to remedy the problem by validating the user input against a known fixed string.
-</p>
-
     <sample src="UnsafeUsageOfClientSideEncryptionVersion.py" />
 
   </example>
@@ -26,6 +21,9 @@ It also shows how to remedy the problem by validating the user input against a k
     <li>
       <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
     </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-PENDING">CVE-2022-PENDING</a>
+    </li>
 
   </references>
 </qhelp>

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -24,7 +24,7 @@ predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrN
     not astmt.getValue() instanceof None and
     not exists(AssignStmt astmt2, Attribute a2, AttrNode encryptionVersionSet, StrConst uc |
       uc = astmt2.getValue() and
-      uc.getLiteralValue().toString() in ["'2.0'", "2.0"] and
+      uc.getText() in ["'2.0'", "2.0"] and
       a2.getAttr() = "encryption_version" and
       a2.getAFlowNode() = encryptionVersionSet and
       encryptionVersionSet.strictlyReaches(ctrlFlowNode)
@@ -34,15 +34,13 @@ predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrN
 
 predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
   exists(Keyword k | k.getAFlowNode() = node |
-    call.getFunc().(Name).getId().toString() in [
-        "ContainerClient", "BlobClient", "BlobServiceClient"
-      ] and
+    call.getFunc().(Name).getId() in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
     k.getArg() = "key_encryption_key" and
     k = call.getANamedArg() and
     not k.getValue() instanceof None and
     not exists(Keyword k2 | k2 = call.getANamedArg() |
       k2.getArg() = "encryption_version" and
-      k2.getValue().(StrConst).getLiteralValue().toString() in ["'2.0'", "2.0"]
+      k2.getValue().(StrConst).getText() in ["'2.0'", "2.0"]
     )
   )
 }
@@ -51,5 +49,4 @@ from Call call, ControlFlowNode node
 where
   isUnsafeClientSideAzureStorageEncryptionViaAttributes(call, node) or
   isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(call, node)
-select node,
-  "Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING). See http://aka.ms/azstorageclientencryptionblog"
+select node, "Unsafe usage of v1 version of Azure Storage client-side encryption."