Refactor InsufficientKeySize

2026-04-29 02:35:15 +02:00 · 2023-03-21 17:23:33 -04:00
parent fa2f0dbc3b
commit cae5637d8d
3 changed files with 37 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -3,8 +3,12 @@
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.InsufficientKeySize

-/** A data flow configuration for tracking key sizes used in cryptographic algorithms. */
-class KeySizeConfiguration extends DataFlow::Configuration {
+/**
+ * DEPRECATED: Use `KeySizeFlow` instead.
+ *
+ * A data flow configuration for tracking key sizes used in cryptographic algorithms.
+ */
+deprecated class KeySizeConfiguration extends DataFlow::Configuration {
  KeySizeConfiguration() { this = "KeySizeConfiguration" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
@@ -15,3 +19,30 @@ class KeySizeConfiguration extends DataFlow::Configuration {
    sink.(InsufficientKeySizeSink).hasState(state)
  }
 }
+
+/**
+ * A data flow configuration for tracking key sizes used in cryptographic algorithms.
+ */
+private module KeySizeConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowState;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+    source.(InsufficientKeySizeSource).hasState(state)
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    sink.(InsufficientKeySizeSink).hasState(state)
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) { none() }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+    DataFlow::FlowState state2
+  ) {
+    none()
+  }
+}
+
+/** Tracks key sizes used in cryptographic algorithms. */
+module KeySizeFlow = DataFlow::GlobalWithState<KeySizeConfig>;
--- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -13,10 +13,10 @@

 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
-import DataFlow::PathGraph
+import KeySizeFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink, KeySizeConfiguration cfg
-where cfg.hasFlowPath(source, sink)
+from KeySizeFlow::PathNode source, KeySizeFlow::PathNode sink
+where KeySizeFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
  "This $@ is less than the recommended key size of " + source.getState() + " bits.",
  source.getNode(), "key size"
--- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
+++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
@@ -9,7 +9,7 @@ class InsufficientKeySizeTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasInsufficientKeySize" and
-    exists(DataFlow::PathNode sink | exists(KeySizeConfiguration cfg | cfg.hasFlowPath(_, sink)) |
+    exists(KeySizeFlow::PathNode sink | KeySizeFlow::flowPath(_, sink) |
      sink.getNode().getLocation() = location and
      element = sink.getNode().toString() and
      value = ""