hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Deprecate some old terminology.

Browse Source
This commit is contained in:
Geoffrey White
2020-06-29 17:38:59 +01:00
parent 71492f90ac
commit fc69c16ba6
2 changed files with 41 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
View File

@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {
}
Function getAnInsecureFunction() {
result.getName().regexpMatch(algorithmBlacklistRegex()) and
result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
exists(result.getACallToThisFunction())
}
@@ -33,7 +33,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
}
Macro getAnInsecureMacro() {
result.getName().regexpMatch(algorithmBlacklistRegex()) and
result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
exists(result.getAnInvocation())
}

49
cpp/ql/src/semmle/code/cpp/security/Encryption.qll
View File

@@ -1,12 +1,13 @@
/**
* Provides predicates relating to encryption in C and C++.
*/
import cpp
/**
* Returns an algorithm that is known to be insecure.
*/
string algorithmBlacklist() {
string getAnInsecureAlgorithmName() {
result = "DES" or
result = "RC2" or
result = "RC4" or
@@ -18,7 +19,7 @@ string algorithmBlacklist() {
* Returns the name of a hash algorithm that is insecure if it is being used for
* encryption (but it is hard to know when that is happening).
*/
string hashAlgorithmBlacklist() {
string getAnInsecureHashAlgorithmName() {
result = "SHA1" or
result = "MD5"
}
@@ -27,23 +28,23 @@ string hashAlgorithmBlacklist() {
* Returns a regular expression for matching strings that look like they
* contain an algorithm that is known to be insecure.
*/
string algorithmBlacklistRegex() {
string getInsecureAlgorithmRegex() {
result =
// algorithms usually appear in names surrounded by characters that are not
// alphabetical characters in the same case. This handles the upper and lower
// case cases
"(^|.*[^A-Z])(" + strictconcat(algorithmBlacklist(), "|") + ")([^A-Z].*|$)" + "|" +
"(^|.*[^A-Z])(" + strictconcat(getAnInsecureAlgorithmName(), "|") + ")([^A-Z].*|$)" + "|" +
// for lowercase, we want to be careful to avoid being confused by camelCase
// hence we require two preceding uppercase letters to be sure of a case switch,
// or a preceding non-alphabetic character
"(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(algorithmBlacklist().toLowerCase(), "|") +
"(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(getAnInsecureAlgorithmName().toLowerCase(), "|") +
")([^a-z].*|$)"
}
/**
* Returns an algorithms that is known to be secure.
*/
string algorithmWhitelist() {
string getASecureAlgorithmName() {
result = "RSA" or
result = "SHA256" or
result = "CCM" or
@@ -57,16 +58,44 @@ string algorithmWhitelist() {
* Returns a regular expression for matching strings that look like they
* contain an algorithm that is known to be secure.
*/
string algorithmWhitelistRegex() {
// The implementation of this is a duplicate of algorithmBlacklistRegex, as
string getSecureAlgorithmRegex() {
// The implementation of this is a duplicate of getInsecureAlgorithmRegex, as
// it isn't possible to have string -> string functions at the moment
// algorithms usually appear in names surrounded by characters that are not
// alphabetical characters in the same case. This handles the upper and lower
// case cases
result = "(^|.*[^A-Z])" + algorithmWhitelist() + "([^A-Z].*|$)"
result = "(^|.*[^A-Z])" + getASecureAlgorithmName() + "([^A-Z].*|$)"
or
// for lowercase, we want to be careful to avoid being confused by camelCase
// hence we require two preceding uppercase letters to be sure of a case
// switch, or a preceding non-alphabetic character
result = "(^|.*[A-Z]{2}|.*[^a-zA-Z])" + algorithmWhitelist().toLowerCase() + "([^a-z].*|$)"
result = "(^|.*[A-Z]{2}|.*[^a-zA-Z])" + getASecureAlgorithmName().toLowerCase() + "([^a-z].*|$)"
}
/**
* DEPRECATED: Terminology has been updated. Use `getAnInsecureAlgorithmName()`
* instead.
*/
deprecated string algorithmBlacklist() { result = getAnInsecureAlgorithmName() }
/**
* DEPRECATED: Terminology has been updated. Use
* `getAnInsecureHashAlgorithmName()` instead.
*/
deprecated string hashAlgorithmBlacklist() { result = getAnInsecureHashAlgorithmName() }
/**
* DEPRECATED: Terminology has been updated. Use `getInsecureAlgorithmRegex()` instead.
*/
deprecated string algorithmBlacklistRegex() { result = getInsecureAlgorithmRegex() }
/**
* DEPRECATED: Terminology has been updated. Use `getASecureAlgorithmName()`
* instead.
*/
deprecated string algorithmWhitelist() { result = getASecureAlgorithmName() }
/**
* DEPRECATED: Terminology has been updated. Use `getSecureAlgorithmRegex()` instead.
*/
deprecated string algorithmWhitelistRegex() { result = getSecureAlgorithmRegex() }