Don't consider copyOf() and clone() in ArrayUpdate

Fosstars
2021-08-25 12:11:34 +02:00
parent fbac5891b8
commit c80a1da483
2 changed files with 2 additions and 11 deletions


@@ -50,12 +50,6 @@ private class ArrayUpdate extends Expr {
ma.getArgument(2) = array
)
or
exists(StaticMethodAccess ma |
ma.getMethod().hasQualifiedName("java.util", "Arrays", ["copyOf", "copyOfRange"]) and
ma = this and
ma = array
)
or
exists(MethodAccess ma, Method m |
m = ma.getMethod() and
ma = this and
@@ -66,10 +60,6 @@ private class ArrayUpdate extends Expr {
m.hasQualifiedName("java.security", "SecureRandom", "nextBytes") or
m.hasQualifiedName("java.util", "Random", "nextBytes")
)
or
exists(MethodAccess ma, Method m | m = ma.getMethod() |
m.getDeclaringType().hasName("byte[]") and m.hasName("clone") and ma = this and ma = array
)
}
/** Returns the updated array. */


@@ -153,7 +153,8 @@ public class StaticInitializationVector {
byte[] randomBytes = new byte[16];
SecureRandom.getInstanceStrong().nextBytes(randomBytes);
byte[] iv = Arrays.copyOf(randomBytes, 16);
byte[] iv = new byte[16];
iv = Arrays.copyOf(randomBytes, 16);
GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
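Review bot: The added `byte[] iv = new byte[16];` is a dead store, overwritten on the very next line, and nothing in the hunk says that this is deliberate. This file appears to be a fixture for a static-IV query, and the same commit stops treating `Arrays.copyOf` as an array update, so a reader cannot tell whether this case is meant to be reported or not. A comment above the declaration such as `// zero-filled array is replaced by a copy of SecureRandom output before use, so the IV is not static` would pin the intent (reverse the wording if the expected result is the opposite). Only `copyOf` is exercised here, while the query change also drops `copyOfRange` and `byte[].clone()`, so equivalent cases for those are worth adding unless they already exist elsewhere in the file. The enclosing method starts and ends outside the hunk.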