Merge pull request #9776 from raulgarciamsft/azure-sdk-client-encryption-version

New queries to detect unsafe client side encryption in Azure Storage
2025-12-21 03:06:31 +01:00 · 2022-07-16 14:59:51 -04:00
parent d50816a284 6b17890e4f
commit d4443592eb
9 changed files with 447 additions and 0 deletions
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.py
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.py
@@ -0,0 +1,7 @@
+blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
+blob_client.require_encryption = True
+blob_client.key_encryption_key = kek
+# GOOD: Must use `encryption_version` set to `2.0`
+blob_client.encryption_version = '2.0'  # Use Version 2.0!
+with open("decryptedcontentfile.txt", "rb") as stream:
+    blob_client.upload_blob(stream, overwrite=OVERWRITE_EXISTING)
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.py" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -0,0 +1,90 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption.
+ * @description Using version v1 of Azure Storage client-side encryption is insecure, and may enable an attacker to decrypt encrypted data
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id py/azure-storage/unsafe-client-side-encryption-in-use
+ * @problem.severity error
+ * @precision medium
+ */
+
+import python
+import semmle.python.ApiGraphs
+
+predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
+  exists(
+    API::Node n, API::Node n2, Attribute a, AssignStmt astmt, API::Node uploadBlob,
+    ControlFlowNode ctrlFlowNode, string s
+  |
+    s in ["key_encryption_key", "key_resolver_function"] and
+    n =
+      API::moduleImport("azure")
+          .getMember("storage")
+          .getMember("blob")
+          .getMember("BlobClient")
+          .getReturn()
+          .getMember(s) and
+    n2 =
+      API::moduleImport("azure")
+          .getMember("storage")
+          .getMember("blob")
+          .getMember("BlobClient")
+          .getReturn()
+          .getMember("upload_blob") and
+    n.getAValueReachableFromSource().asExpr() = a and
+    astmt.getATarget() = a and
+    a.getAFlowNode() = node and
+    uploadBlob =
+      API::moduleImport("azure")
+          .getMember("storage")
+          .getMember("blob")
+          .getMember("BlobClient")
+          .getReturn()
+          .getMember("upload_blob") and
+    uploadBlob.getACall().asExpr() = call and
+    ctrlFlowNode = call.getAFlowNode() and
+    node.strictlyReaches(ctrlFlowNode) and
+    node != ctrlFlowNode and
+    not exists(
+      AssignStmt astmt2, Attribute a2, AttrNode encryptionVersionSet, StrConst uc,
+      API::Node encryptionVersion
+    |
+      uc = astmt2.getValue() and
+      uc.getText() in ["'2.0'", "2.0"] and
+      encryptionVersion =
+        API::moduleImport("azure")
+            .getMember("storage")
+            .getMember("blob")
+            .getMember("BlobClient")
+            .getReturn()
+            .getMember("encryption_version") and
+      encryptionVersion.getAValueReachableFromSource().asExpr() = a2 and
+      astmt2.getATarget() = a2 and
+      a2.getAFlowNode() = encryptionVersionSet and
+      encryptionVersionSet.strictlyReaches(ctrlFlowNode)
+    )
+  )
+}
+
+predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
+  exists(API::Node c, string s, Keyword k | k.getAFlowNode() = node |
+    c.getACall().asExpr() = call and
+    c = API::moduleImport("azure").getMember("storage").getMember("blob").getMember(s) and
+    s in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
+    k.getArg() = "key_encryption_key" and
+    k = call.getANamedArg() and
+    not k.getValue() instanceof None and
+    not exists(Keyword k2 | k2 = call.getANamedArg() |
+      k2.getArg() = "encryption_version" and
+      k2.getValue().(StrConst).getText() in ["'2.0'", "2.0"]
+    )
+  )
+}
+
+from Call call, ControlFlowNode node
+where
+  isUnsafeClientSideAzureStorageEncryptionViaAttributes(call, node) or
+  isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(call, node)
+select node, "Unsafe usage of v1 version of Azure Storage client-side encryption."