Better qldoc for timing attacks

Fosstars
2021-08-01 10:18:37 +02:00
parent 44e52517ad
commit bd7e7b1371


@@ -12,10 +12,10 @@ import semmle.code.java.dataflow.FlowSources
abstract private class ProduceCryptoCall extends MethodAccess {
Expr output;
/** Return the result of cryptographic operation. */
/** Gets the result of cryptographic operation. */
Expr output() { result = output }
/** Return a type of the result of cryptographic operation such as MAC, signature or ciphertext. */
/** Gets a type of cryptographic operation such as MAC, signature or ciphertext. */
abstract string getResultType();
}
@@ -186,6 +186,7 @@ class CryptoOperationSource extends DataFlow::Node {
)
}
/** Gets a method call that produces cryptographic result. */
ProduceCryptoCall getCall() { result = call }
}
@@ -198,7 +199,7 @@ private class NonConstantTimeEqualsCall extends MethodAccess {
}
}
/** Static methods that use a non-constant-time algorithm for comparing inputs. */
/** A static method that uses a non-constant-time algorithm for comparing inputs. */
private class NonConstantTimeComparisonCall extends StaticMethodAccess {
NonConstantTimeComparisonCall() {
getMethod().hasQualifiedName("java.util", "Arrays", ["equals", "deepEquals"]) or
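Review bot: The reworded qldoc on `getResultType()` in the first hunk now says the predicate gets "a type of cryptographic operation", but the examples it lists (MAC, signature, ciphertext) and the predicate's own name describe the result of the operation; `/** Gets a type of the result of a cryptographic operation, such as MAC, signature or ciphertext. */` keeps the new verb without losing that meaning. In the last hunk, `NonConstantTimeComparisonCall` extends `StaticMethodAccess`, so it models a call rather than a method, and its doc would be more precise as `/** A call to a static method that uses a non-constant-time algorithm for comparing inputs. */`. The page has lost its `+`/`-` markers, so this assumes the "Gets" and "A static method" lines are the new side. The body of `NonConstantTimeComparisonCall` continues past the end of the hunk.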