Update TimingAttackAgainstHeaderValue.ql

2025-12-24 04:36:35 +01:00 · 2023-02-16 14:03:26 +01:00
parent 4b3efa87dc
commit f70f5c7935
1 changed files with 1 additions and 1 deletions
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
@@ -28,6 +28,6 @@ class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
 }

 from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).FlowToLen()
 select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
  "client-supplied token"