Addressing feedback from the PR

2025-12-20 18:56:32 +01:00 · 2022-07-11 15:45:15 -07:00
parent ac05577966
commit d5791e2d56
2 changed files with 31 additions and 6 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -11,6 +11,7 @@
 */

 import java
+import semmle.code.java.dataflow.DataFlow

 /**
 * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
@@ -46,16 +47,37 @@ predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c
  )
 }

+/**
+ * A config that tracks `EncryptedBlobClientBuilder.version` argument initialization.
+ */
+private class EncryptedBlobClientBuilderEncryptionVersionConfig extends DataFlow::Configuration {
+  EncryptedBlobClientBuilderEncryptionVersionConfig() {
+    this = "EncryptedBlobClientBuilderEncryptionVersionConfig"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(FieldRead fr, Field f | fr = source.asExpr() |
+      f.getAnAccess() = fr and
+      f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion",
+        "V2")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    isCreatingAzureClientSideEncryptionObjectNewVersion(_, _, sink.asExpr())
+  }
+}
+
 /**
 * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
 * that takes `versionArg` as the argument for the version, and the version number is safe
 */
 predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
  isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
-  exists(FieldRead fr, Field f |
-    fr = versionArg and
-    f.getAnAccess() = fr and
-    f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion", "V2")
+  exists(EncryptedBlobClientBuilderEncryptionVersionConfig config, DataFlow::Node sink |
+    sink.asExpr() = versionArg
+  |
+    config.hasFlow(_, sink)
  )
 }

--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -11,6 +11,7 @@
 */

 import python
+import semmle.python.ApiGraphs

 predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
  exists(ControlFlowNode ctrlFlowNode, AssignStmt astmt, Attribute a |
@@ -33,8 +34,10 @@ predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrN
 }

 predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
-  exists(Keyword k | k.getAFlowNode() = node |
-    call.getFunc().(Name).getId() in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
+  exists(API::Node c, string s, Keyword k | k.getAFlowNode() = node |
+    c.getACall().asExpr() = call and
+    c = API::moduleImport("azure").getMember("storage").getMember("blob").getMember(s) and
+    s in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
    k.getArg() = "key_encryption_key" and
    k = call.getANamedArg() and
    not k.getValue() instanceof None and