add insecureRandomness

python/ql/lib/semmle/python/security/dataflow/InsecureRandomness.qll

@@ -0,0 +1,37 @@
+/**
+ * Provides a taint tracking configuration for reasoning about random
+ * values that are not cryptographically secure.
+ *
+ * Note, for performance reasons: only import this file if
+ * `InsecureRandomness::Configuration` is needed, otherwise
+ * `InsecureRandomnessCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+
+/**
+ * A taint tracking configuration for random values that are not cryptographically secure.
+ */
+module InsecureRandomness {
+  import InsecureRandomnessCustomizations::InsecureRandomness
+  
+  /**
+   * A taint-tracking configuration for reasoning about random values that are
+   * not cryptographically secure.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "InsecureRandomness" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+    
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}

python/ql/lib/semmle/python/security/dataflow/InsecureRandomnessCustomizations.qll

@@ -0,0 +1,81 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about random values that are
+ * not cryptographically secure, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.ApiGraphs
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.internal.DataFlowPrivate
+
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about random values that are
+ * not cryptographically secure, as well as extension points for adding your own.
+ */
+module InsecureRandomness {
+  /**
+   * A data flow source for random values that are not cryptographically secure.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for random values that are not cryptographically secure.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for random values that are not cryptographically secure.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for random values that are not cryptographically secure.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A random source that is not sufficient for security use. So far this is only made up
+   * of the math package's rand function, more insufficient random sources can be added here.
+   */
+  class InsecureRandomSource extends Source { 
+    InsecureRandomSource() { 
+      this =
+        API::moduleImport("random")
+            .getMember([
+                "betavariate", "choice", "choices", "expovariate",
+                "gammavariate", "gauss", "getrandbits", "getstate",
+                "lognormvariate", "normalvariate", "paretovariate",
+                "randbytes", "randint", "random", "randrange",
+                "sample", "seed", "setstate", "shuffle",
+                "triangular", "uniform", "vonmisesvariate", "weibullvariate"
+              ])
+            .getACall()
+    }
+  }
+  
+  /**
+   * A use in a function that heuristically deals with passwords.
+   */
+  class PasswordFnSink extends Sink {
+    PasswordFnSink() {
+      exists(DataFlowCallable passwordFn |
+        passwordFn.getName().regexpMatch("(?i).*(gen(erate)?|salt|make|mk)Password.*")
+      |
+        this.getEnclosingCallable() = passwordFn
+      )
+    }
+  }
+
+  /**
+   * A cryptographic key, considered as a sink for random values that are not cryptographically
+   * secure.
+   */
+  class CryptoKeySink extends Sink {
+    CryptoKeySink() {
+      exists(Cryptography::CryptographicOperation operation |
+        this = operation.getAnInput()
+      )
+    }
+  }
+}