commit before adding taint flow back (since no taint flow doesn't capture all cases)

2026-03-26 17:28:29 +01:00 · 2022-10-05 09:48:51 -04:00
parent 8ffd2522e7
commit ac707198d5
2 changed files with 29 additions and 19 deletions
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -155,8 +155,11 @@ private predicate hasShortAESKey(MethodAccess ma, string msg) {
 bindingset[type]
 private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-  ma.getQualifier() instanceof JavaSecurityKeyPairGenerator and
-  ma.getQualifier().getBasicBlock() instanceof JavaSecurityKeyPairGenerator and
+  //ma.getQualifier() instanceof JavaSecurityKeyPairGenerator and
+  //ma.getQualifier().getBasicBlock() instanceof JavaSecurityKeyPairGenerator and
+  // * USE BELOW
+  ma.getQualifier().getBasicBlock().getAPredecessor() instanceof JavaSecurityKeyPairGenerator and
+  // * USE ABOVE
  //ma.getQualifier().getBasicBlock().getNode(2) instanceof JavaSecurityKeyPairGenerator and
  // ma.getQualifier()
  //     .getBasicBlock()
@@ -167,6 +170,7 @@ private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string
  //     .getValue()
  //     .toUpperCase() = type and
  //ma.getQualifier().getBasicBlock().getAPredecessor() instanceof JavaSecurityKeyPairGenerator and
+  // * USE BELOW
  ma.getQualifier()
      .getBasicBlock()
      .getAPredecessor()
@@ -175,17 +179,20 @@ private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string
      .(StringLiteral)
      .getValue()
      .toUpperCase() = type and
+  // * USE ABOVE
  // flow needed to correctly determine algorithm type and
  // not match to ANY asymmetric algorithm
-  exists(
-    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
-    DataFlow::PathNode source, DataFlow::PathNode dest
-  |
-    jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = type and
-    source.getNode().asExpr() = jpg and
-    dest.getNode().asExpr() = ma.getQualifier() and
-    kc.hasFlowPath(source, dest)
-  ) and
+  // * REMOVE BELOW
+  // exists(
+  //   JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
+  //   DataFlow::PathNode source, DataFlow::PathNode dest
+  // |
+  //   jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = type and
+  //   source.getNode().asExpr() = jpg and
+  //   dest.getNode().asExpr() = ma.getQualifier() and
+  //   kc.hasFlowPath(source, dest)
+  // ) and
+  // * REMOVE ABOVE
  // VarAccess case needed to handle FN of key-size stored in a variable
  // Note: cannot use CompileTimeConstantExpr since will miss cases when variable is not a compile-time constant
  // (e.g. not declared `final` in Java)
@@ -197,12 +204,12 @@ private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string
    )
    or
    ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048
-    or
-    exists(
-      AsymmetricKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-    |
-      cfg.hasFlowPath(source, sink)
-    )
+    // or
+    // exists(
+    //   AsymmetricKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+    // |
+    //   cfg.hasFlowPath(source, sink)
+    // )
  ) and
  msg = "Key size should be at least 2048 bits for " + type + " encryption."
 }