hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 20:58:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use CryptoAlgoSpec rather than hadcoding Cipher.getInstance

Browse Source
This commit is contained in:
Joe Farebrother
2022-08-05 17:53:55 +01:00
parent 08b77493d2
commit c77b17574a
3 changed files with 12 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
View File

@@ -1,14 +1,14 @@
/** Definitions for the RSE without OAEP query */
import java
import Encryption
import semmle.code.java.dataflow.DataFlow
/** Holds if `ma` is a call to `Cipher.getInstance` which initialises an RSA cipher without using OAEP padding. */
predicate rsaWithoutOaepCall(MethodAccess ma) {
ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "getInstance") and
/** Holds if `c` is a call which initialises an RSA cipher without using OAEP padding. */
predicate rsaWithoutOaepCall(CryptoAlgoSpec c) {
exists(CompileTimeConstantExpr specExpr, string spec |
specExpr.getStringValue() = spec and
DataFlow::localExprFlow(specExpr, ma.getArgument(0)) and
DataFlow::localExprFlow(specExpr, c.getAlgoSpec()) and
spec.matches("RSA/%") and
not spec.matches("%OAEP%")
)