Add ThreadLocalRandom.current as another source

2026-04-21 06:55:31 +02:00 · 2023-07-11 17:42:34 -04:00
parent bf0123d6ae
commit b713efb711
2 changed files with 21 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -29,6 +29,9 @@ private class JavaRandomSource extends WeakRandomnessSource {
  }
 }

+/**
+ * A node representing a call to one of the methods of `org.apache.commons.lang.RandomStringUtils`.
+ */
 private class ApacheRandomStringUtilsMethodAccessSource extends WeakRandomnessSource {
  ApacheRandomStringUtilsMethodAccessSource() {
    exists(MethodAccess ma | this.asExpr() = ma |
@@ -44,6 +47,17 @@ private class ApacheRandomStringUtilsMethodAccessSource extends WeakRandomnessSo
  }
 }

+private class ThreadLocalRandomSource extends WeakRandomnessSource {
+  ThreadLocalRandomSource() {
+    exists(MethodAccess ma | this.asExpr() = ma |
+      ma.getMethod().hasName("current") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName("java.util.concurrent", "ThreadLocalRandom")
+    )
+  }
+}
+
 /**
 * The `random` method of `java.lang.Math`.
 */
@@ -123,7 +137,7 @@ module WeakRandomnessConfig implements DataFlow::ConfigSig {
    exists(MethodAccess ma, Method m |
      n1.asExpr() = ma.getQualifier() and
      ma.getMethod() = m and
-      m.getDeclaringType() instanceof TypeRandom and
+      m.getDeclaringType().getAnAncestor() instanceof TypeRandom and
      (
        m.hasName(["nextInt", "nextLong", "nextFloat", "nextDouble", "nextBoolean", "nextGaussian"]) and
        n2.asExpr() = ma
--- a/java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java
+++ b/java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java
@@ -1,5 +1,6 @@
 import java.io.IOException;
 import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
 import java.security.SecureRandom;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -36,5 +37,10 @@ public class WeakRandomCookies extends HttpServlet {
        // GOOD: The cookie value is unpredictable.
        Cookie cookie4 = new Cookie("name", new String(bytes2));
        response.addCookie(cookie4);
+
+        ThreadLocalRandom tlr = ThreadLocalRandom.current();
+
+        Cookie cookie5 = new Cookie("name", Integer.toString(tlr.nextInt()));
+        response.addCookie(cookie5); // $hasWeakRandomFlow
    }
 }