From e1fae3d16d72254f2ab9603614f0ddd551c71d83 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 5 Oct 2023 09:21:25 +0200
Subject: [PATCH] JS: Port InsufficientPasswordHash
---
 .../dataflow/InsufficientPasswordHashQuery.qll | 18 +++++++++++++++++-
 .../CWE-916/InsufficientPasswordHash.ql | 6 +++---
 .../CWE-916/InsufficientPasswordHash.expected | 18 +++++-------------
 3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
index 40bfcc1072b..d01e46360fd 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsufficientPasswordHashQuery.qll
@@ -19,7 +19,23 @@ import InsufficientPasswordHashCustomizations::InsufficientPasswordHash
 * added either by extending the relevant class, or by subclassing this configuration itself,
 * and amending the sources and sinks.
 */
-class Configuration extends TaintTracking::Configuration {
+module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint tracking for password hashing with insufficient computational effort.
+ */
+module InsufficientPasswordHashFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `InsufficientPasswordHashFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "InsufficientPasswordHash" }
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
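Review bot: The doc comment that closes right above `module InsufficientPasswordHashConfig` was written for the old class and still says the analysis can be customised "by subclassing this configuration itself", which a module implementing `DataFlow::ConfigSig` does not support. Because the query in this patch now calls `InsufficientPasswordHashFlow::flowPath` instead of `cfg.hasFlowPath`, any downstream subclass of the deprecated `Configuration` that added sources or sanitizers will presumably stop influencing the CWE-916 results without a compile error. I would reword the inherited sentence to `* added by extending the Source, Sink or Sanitizer classes.` and extend the deprecation note with `* Subclasses of this class no longer affect the InsufficientPasswordHash query.` The comment opens above the hunk and the deprecated class body continues below it. As printed, `TaintTracking::Global;` has no module argument, most likely lost in rendering, so check that line against the repository.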
diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
index a40689f41df..1cfc3111ad9 100644
--- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
+++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
@@ -12,9 +12,9 @@
 import javascript
 import semmle.javascript.security.dataflow.InsufficientPasswordHashQuery
-import DataFlow::PathGraph
+import InsufficientPasswordHashFlow::PathGraph
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from InsufficientPasswordHashFlow::PathNode source, InsufficientPasswordHashFlow::PathNode sink
+where InsufficientPasswordHashFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.", source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected
index 40cd78138e4..231a4025138 100644
--- a/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-916/InsufficientPasswordHash.expected
@@ -1,17 +1,9 @@ -nodes -| tst.js:5:48:5:55 | password | -| tst.js:5:48:5:55 | password | -| tst.js:5:48:5:55 | password | -| tst.js:7:46:7:53 | password | -| tst.js:7:46:7:53 | password | -| tst.js:7:46:7:53 | password | -| tst.js:9:43:9:50 | password | -| tst.js:9:43:9:50 | password | -| tst.js:9:43:9:50 | password | edges -| tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | -| tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | -| tst.js:9:43:9:50 | password | tst.js:9:43:9:50 | password | +nodes +| tst.js:5:48:5:55 | password | semmle.label | password | +| tst.js:7:46:7:53 | password | semmle.label | password | +| tst.js:9:43:9:50 | password | semmle.label | password | +subpaths #select | tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | tst.js:5:48:5:55 | password | Password from $@ is hashed insecurely. | tst.js:5:48:5:55 | password | an access to password | | tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | tst.js:7:46:7:53 | password | Password from $@ is hashed insecurely. | tst.js:7:46:7:53 | password | an access to password |