hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Port changes to Ruby.

Browse Source
This commit is contained in:
Max Schaefer
2023-10-26 15:06:45 +01:00
parent 741735cc83
commit f42bd28ca9
5 changed files with 55 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ruby/ql/lib/codeql/ruby/frameworks/core/Digest.qll
View File

@@ -18,15 +18,21 @@ private API::Node digest(Cryptography::HashingAlgorithm algo) {
private class DigestCall extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
{
Cryptography::HashingAlgorithm algo;
API::Node digestNode;
DigestCall() {
this = digest(algo).getAMethodCall(["hexdigest", "base64digest", "bubblebabble"])
or
this = digest(algo).getAMethodCall("file") // it's directly hashing the contents of a file, but that's close enough for us.
or
this = digest(algo).getInstance().getAMethodCall(["digest", "update", "<<"])
digestNode = digest(algo) and
(
this = digestNode.getAMethodCall(["hexdigest", "base64digest", "bubblebabble"])
or
this = digestNode.getAMethodCall("file") // it's directly hashing the contents of a file, but that's close enough for us.
or
this = digestNode.getInstance().getAMethodCall(["digest", "update", "<<"])
)
}
override DataFlow::Node getInitialization() { result = digestNode.asSource() }
override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
override DataFlow::Node getAnInput() { result = super.getArgument(0) }

6
ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll
View File

@@ -40,6 +40,9 @@ module Cryptography {
/** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() }
/** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */
DataFlow::Node getInitialization() { result = super.getInitialization() }
/** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
DataFlow::Node getAnInput() { result = super.getAnInput() }
@@ -65,6 +68,9 @@ module Cryptography {
* extend `CryptographicOperation` instead.
*/
abstract class Range extends DataFlow::Node {
/** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */
abstract DataFlow::Node getInitialization();
/** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
abstract CryptographicAlgorithm getAlgorithm();

30
ruby/ql/lib/codeql/ruby/security/OpenSSL.qll
View File

@@ -569,6 +569,8 @@ private class CipherOperation extends Cryptography::CryptographicOperation::Rang
this.getMethodName() = "update"
}
override DataFlow::Node getInitialization() { result = cipherNode }
override Cryptography::EncryptionAlgorithm getAlgorithm() {
result = cipherNode.getCipher().getAlgorithm()
}
@@ -591,21 +593,21 @@ private module Digest {
private class DigestCall extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
{
Cryptography::HashingAlgorithm algo;
API::MethodAccessNode call;
DigestCall() {
exists(API::MethodAccessNode call |
call = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("new")
|
this = call.getReturn().getAMethodCall(["digest", "update", "<<"]) and
algo.matchesName(call.asCall()
.getArgument(0)
.asExpr()
.getExpr()
.getConstantValue()
.getString())
)
call = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("new") and
this = call.getReturn().getAMethodCall(["digest", "update", "<<"]) and
algo.matchesName(call.asCall()
.getArgument(0)
.asExpr()
.getExpr()
.getConstantValue()
.getString())
}
override DataFlow::Node getInitialization() { result = call.asCall() }
override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
override DataFlow::Node getAnInput() { result = super.getArgument(0) }
@@ -617,12 +619,16 @@ private module Digest {
private class DigestCallDirect extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
{
Cryptography::HashingAlgorithm algo;
API::Node digestNode;
DigestCallDirect() {
this = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("digest").asCall() and
digestNode = API::getTopLevelMember("OpenSSL").getMember("Digest") and
this = digestNode.getMethod("digest").asCall() and
algo.matchesName(this.getArgument(0).asExpr().getExpr().getConstantValue().getString())
}
override DataFlow::Node getInitialization() { result = digestNode.asSource() }
override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
override DataFlow::Node getAnInput() { result = super.getArgument(1) }

2
ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql
View File

@@ -23,4 +23,4 @@ where
)
or
operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
select operation, msgPrefix + " is broken or weak, and should not be used."
select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.", operation.getInitialization(), "here"

38
ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.expected
View File

@@ -1,19 +1,19 @@
| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES is broken or weak, and should not be used. |
| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB is broken or weak, and should not be used. |
| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | here |
| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | here |
| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | here |
| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | here |
| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | here |
| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | here |
| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | here |
| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | here |
| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | here |
| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | here |
| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | here |
| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | here |
| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | here |
| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | here |
| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | here |
| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | here |
| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | here |