hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Addressing feedback from the PR

Browse Source
This commit is contained in:
Raul Garcia
2022-07-11 15:45:15 -07:00
parent ac05577966
commit d5791e2d56
2 changed files with 31 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
View File

@@ -11,6 +11,7 @@
*/ */
import java import java
import semmle.code.java.dataflow.DataFlow
/** /**
* Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
@@ -46,16 +47,37 @@ predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c
) )
} }
/**
* A config that tracks `EncryptedBlobClientBuilder.version` argument initialization.
*/
private class EncryptedBlobClientBuilderEncryptionVersionConfig extends DataFlow::Configuration {
EncryptedBlobClientBuilderEncryptionVersionConfig() {
this = "EncryptedBlobClientBuilderEncryptionVersionConfig"
}
override predicate isSource(DataFlow::Node source) {
exists(FieldRead fr, Field f | fr = source.asExpr() |
f.getAnAccess() = fr and
f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion",
"V2")
)
}
override predicate isSink(DataFlow::Node sink) {
isCreatingAzureClientSideEncryptionObjectNewVersion(_, _, sink.asExpr())
}
}
/** /**
* Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
* that takes `versionArg` as the argument for the version, and the version number is safe * that takes `versionArg` as the argument for the version, and the version number is safe
*/ */
predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) { predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
exists(FieldRead fr, Field f | exists(EncryptedBlobClientBuilderEncryptionVersionConfig config, DataFlow::Node sink |
fr = versionArg and sink.asExpr() = versionArg
f.getAnAccess() = fr and |
f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion", "V2") config.hasFlow(_, sink)
) )
} }

7
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
View File

@@ -11,6 +11,7 @@
*/ */
import python import python
import semmle.python.ApiGraphs
predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) { predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
exists(ControlFlowNode ctrlFlowNode, AssignStmt astmt, Attribute a | exists(ControlFlowNode ctrlFlowNode, AssignStmt astmt, Attribute a |
@@ -33,8 +34,10 @@ predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrN
} }
predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) { predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
exists(Keyword k | k.getAFlowNode() = node | exists(API::Node c, string s, Keyword k | k.getAFlowNode() = node |
call.getFunc().(Name).getId() in ["ContainerClient", "BlobClient", "BlobServiceClient"] and c.getACall().asExpr() = call and
c = API::moduleImport("azure").getMember("storage").getMember("blob").getMember(s) and
s in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
k.getArg() = "key_encryption_key" and k.getArg() = "key_encryption_key" and
k = call.getANamedArg() and k = call.getANamedArg() and
not k.getValue() instanceof None and not k.getValue() instanceof None and