Compare commits

...

81 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
0019cb10d8 Revert "Python: Use new dataflow API" 2023-09-05 09:47:32 +02:00
Rasmus Wriedt Larsen
49f5d38956 Merge pull request #14068 from RasmusWL/dataflow-config-refactor
Python: Use new dataflow API
2023-09-04 21:04:10 +02:00
Tom Hvitved
4a1163b38c Merge pull request #14109 from hvitved/ruby/hide-desugared-assignments-in-dataflow 2023-09-04 19:59:33 +02:00
Kasper Svendsen
ecee427c72 Merge pull request #14117 from kaspersv/delete-unnecessary-test
Java: Delete java test query which fails to compile
2023-09-04 15:28:57 +02:00
Alex Ford
0325c87ccb Merge pull request #13825 from boveus/add-cwe-208
Ruby: Add Unsafe HMAC Comparison Query.
2023-09-04 14:10:12 +01:00
Alex Ford
11e5565344 Merge branch 'main' into add-cwe-208 2023-09-04 12:45:49 +01:00
Kasper Svendsen
4bc6ca3d84 Java: Delete java test query which fails to compile 2023-09-01 11:21:06 +02:00
Tom Hvitved
89e9d25f02 Ruby: Hide desugared assignments from data flow path graph 2023-08-31 14:04:57 +02:00
Brandon Stewart
56f0387613 Merge branch 'main' into add-cwe-208 2023-08-29 13:09:59 -04:00
Rasmus Wriedt Larsen
ce6335866b Python: Move ModificationOfParameterWithDefault to new dataflow API 2023-08-28 16:19:47 +02:00
Rasmus Wriedt Larsen
e8e8d975e3 Python: Remove all usage of DataFlow2+TaintTracking2
(and any higher number as well)
2023-08-28 15:34:19 +02:00
Rasmus Wriedt Larsen
c665c21d83 Python: More style-guide renaming
Split it into multiple commits to make it easier to review.
2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
996364d6ee Python: Fix naming style guide violations 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
efec4e7ebf Python: Add missing qldocs 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
98538d237e Python: Autoformat 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
5ba8e102eb Python: Adopt tests to new DataflowQueryTest
Since we want to know the _sinks_ and not just the flow, we need to
expose the config as well :|
2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
6961ca5234 Python: Rename to EmailXss 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
ed0e441567 Python: Accept missing DataflowQueryTest implementation for now 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
6d4491e0a9 Python: Modernize WebAppConstantSecretKey 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
852b01c65d Python: Move SmtpMessageConfig to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
d5e2a30e5b Python: Modernize py/azure-storage/unsafe-client-side-encryption-in-use a bit
To use consistent naming
2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
bfcc194b85 Python: Move experimental paramiko to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
acd0f2a8fb Python: Move experimental LDAPInsecureAuth to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
c6911c2ae0 Python: Move experimental UnicodeBypassValidation to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
2c06394bf3 Python: Move experimental CookieInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
2c412707ab Python: Move experimental CsvInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
ace1e23c21 Python: Move experimental ClientSuppliedIpUsedInSecurityCheck to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
d948e103fa Python: Move experimental HeaderInjection to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
53e57dad5c Python: Move experimental InsecureRandomness to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
3bf2705668 Python: Move experimental TimingAttackAgainstHeaderValue to new dataflow API 2023-08-28 15:31:08 +02:00
Rasmus Wriedt Larsen
c88a0ccb7c Python: Move experimental TimingAttackAgainstHash to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
a779547515 Python: Move experimental PossibleTimingAttackAgainstHash to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
8abd3430a2 Python: Move experimental TimingAttackAgainstSensitiveInfo to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
1a4e8d9464 Python: Move experimental PossibleTimingAttackAgainstSensitiveInfo to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
5fd3594f5f Python: Move TimingAttack.qll to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
5d8329d9c8 Python: Move experimental ZipSlip to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
67cc3a3935 Python: Move experimental ReflectedXSS to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
a0d26741d0 Python: Move experimental TarSlipImprov to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
3cdd875e9f Python: Move experimental UnsafeUnpack to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
3edb9d1011 Python: Move experimental TokenBuiltFromUUID to new dataflow API 2023-08-28 15:31:07 +02:00
Rasmus Wriedt Larsen
acde1920e7 Python: Move UntrustedDataToExternalAPI to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
657b1997cc Python: Move FullServerSideRequestForgery and PartialServerSideRequestForgery to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dbfe517555 Python: Move HardcodedCredentials to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
46322b717a Python: Move XmlBomb to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
add1077532 Python: Move RegexInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c6caf83dfe Python: Move PolynomialReDoS to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c336990e5 Python: Move XpathInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
60e45335dd Python: Move Xxe to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
4c76ca6127 Python: Move UrlRedirect to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
6f08e73dbc Python: Move UnsafeDeserialization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dd074173d2 Python: Move WeakSensitiveDataHashing to new dataflow API
I adopted helper predicates to do the "heavy" lifting of .asPathNode1(), maybe I like this approach better... let me know what you think 😊
2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
9d6b96dfd2 Python: Move CleartextStorage to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
70095446b6 Python: Move CleartextLogging to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
cca78f31ff Python: Move PamAuthorization to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
dcd96083e8 Python: Move StackTraceExposure to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
f75e65c67d Python: Move LogInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
88cf9c99b0 Python: Move CodeInjection to new dataflow API 2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
05573904a5 Python: Move LdapInjection to new dataflow API
We could have switched to a stateful config, but I tried to keep changes
as straight forward as possible.
2023-08-28 15:27:50 +02:00
Rasmus Wriedt Larsen
c360346e9e Python: Move ReflectedXss to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
b30142c1d7 Python: Move CommandInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
700841e9b0 Python: Move UnsafeShellCommandConstruction to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
d4e4e2d426 Python: Move TarSlip to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
e97032909a Python: Move PathInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Rasmus Wriedt Larsen
245c24077d Python: Move SqlInjection to new dataflow API 2023-08-28 15:27:49 +02:00
Brandon Stewart
b0944cf9a6 Merge branch 'main' into add-cwe-208 2023-08-11 09:37:16 -04:00
Brandon Stewart
68d9c8491e Merge branch 'main' into add-cwe-208 2023-08-10 16:14:04 -04:00
Brandon Stewart
01577dac32 format document 2023-08-10 13:59:47 +00:00
Brandon Stewart
b899b648e5 Update ruby/ql/src/experimental/cwe-208/UnsafeHmacComparison.ql
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-08-10 09:21:16 -04:00
Brandon Stewart
7882cf0bf0 Update ruby/ql/src/experimental/cwe-208/UnsafeHmacComparison.ql
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-08-10 09:21:02 -04:00
Brandon Stewart
74567041a7 remove pathgraph 2023-08-09 19:51:07 +00:00
Brandon Stewart
cca4c35cf8 add pathgraph 2023-08-09 19:23:21 +00:00
Brandon Stewart
7f07422a5d Merge branch 'main' into add-cwe-208 2023-08-09 14:52:51 -04:00
Brandon Stewart
07d5beca34 run format document 2023-08-09 18:51:55 +00:00
Brandon Stewart
26401fec70 address PR comments 2023-08-09 18:44:42 +00:00
Brandon Stewart
93dd9d0aa4 Update ruby/ql/src/experimental/cwe-208/UnsafeHmacComparison.ql
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-08-08 12:54:54 -04:00
Brandon Stewart
f241498cab correct additional pascalcase issue 2023-07-26 17:55:56 +00:00
Brandon Stewart
1a83554b0c correct typo 2023-07-26 17:54:42 +00:00
Brandon Stewart
346a2f269e Update UnsafeHmacComparison.ql 2023-07-26 13:48:42 -04:00
Brandon Stewart
42adbe0cd4 address linter 2023-07-26 17:43:34 +00:00
Brandon Stewart
adddc58b61 address linter 2023-07-26 17:38:06 +00:00
Brandon Stewart
494e7d9a3f add unsafe HMAC comparison query and qlhelp file 2023-07-26 17:28:22 +00:00
8 changed files with 93 additions and 19 deletions

View File

@@ -1 +0,0 @@
ERROR: class or primitive expected in query (selectAtType.ql:5,8-15)

View File

@@ -1,5 +0,0 @@
import java
@classorinterface clasz() { any() }
select clasz()

View File

@@ -558,9 +558,7 @@ import Cached
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) {
exists(SsaImpl::DefinitionExt def | def = n.(SsaDefinitionExtNode).getDefinitionExt() |
not def instanceof Ssa::WriteDefinition
)
n.(SsaDefinitionExtNode).isHidden()
or
n = LocalFlow::getParameterDefNode(_)
or
@@ -593,6 +591,13 @@ class SsaDefinitionExtNode extends NodeImpl, TSsaDefinitionExtNode {
/** Gets the underlying variable. */
Variable getVariable() { result = def.getSourceVariable() }
/** Holds if this node should be hidden from path explanations. */
predicate isHidden() {
not def instanceof Ssa::WriteDefinition
or
isDesugarNode(def.(Ssa::WriteDefinition).getWriteAccess().getExpr())
}
override CfgScope getCfgScope() { result = def.getBasicBlock().getScope() }
override Location getLocationImpl() { result = def.getLocation() }
@@ -1593,7 +1598,11 @@ class CastNode extends Node {
*/
predicate neverSkipInPathGraph(Node n) {
// ensure that all variable assignments are included in the path graph
n.(SsaDefinitionExtNode).getDefinitionExt() instanceof Ssa::WriteDefinition
n =
any(SsaDefinitionExtNode def |
def.getDefinitionExt() instanceof Ssa::WriteDefinition and
not def.isHidden()
)
}
class DataFlowExpr = CfgNodes::ExprCfgNode;

View File

@@ -0,0 +1,45 @@
/**
* @name Unsafe HMAC Comparison
* @description An HMAC is being compared using the equality operator. This may be vulnerable to a cryptographic timing attack
* because the equality operation does not occur in constant time."
* @kind path-problem
* @problem.severity error
* @security-severity 6.0
* @precision high
* @id rb/unsafe-hmac-comparison
* @tags security
* external/cwe/cwe-208
*/
private import codeql.ruby.AST
private import codeql.ruby.DataFlow
private import codeql.ruby.ApiGraphs
private class OpenSslHmacSource extends DataFlow::Node {
OpenSslHmacSource() {
exists(API::Node hmacNode | hmacNode = API::getTopLevelMember("OpenSSL").getMember("HMAC") |
this = hmacNode.getAMethodCall(["hexdigest", "to_s", "digest", "base64digest"])
or
this = hmacNode.getAnInstantiation()
)
}
}
private module UnsafeHmacComparison {
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof OpenSslHmacSource }
// Holds if a given sink is an Equality Operation (== or !=)
predicate isSink(DataFlow::Node sink) {
any(EqualityOperation eqOp).getAnOperand() = sink.asExpr().getExpr()
}
}
import DataFlow::Global<Config>
}
private import UnsafeHmacComparison::PathGraph
from UnsafeHmacComparison::PathNode source, UnsafeHmacComparison::PathNode sink
where UnsafeHmacComparison::flowPath(source, sink)
select sink.getNode(), source, sink, "This comparison is potentially vulnerable to a timing attack."

View File

@@ -0,0 +1,21 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using the `==` or `!=` operator to compare a known valid HMAC with a user-supplied HMAC digest could lead to a timing attack, as these operations do not occur in constant time.
</p>
</overview>
<recommendation>
<p>
Instead of using `==` or `!=` to compare a known valid HMAC with a user-supplied HMAC digest use Rack::Utils#secure_compare, ActiveSupport::SecurityUtils#secure_compare or OpenSSL.secure_compare
</p>
</recommendation>
<example>
<p>
In this example, the HMAC is validated using the `==` operation.
</p>
<sample src="./examples/unsafe_hmac_comparison.rb" />
</example>
</qhelp>

View File

@@ -0,0 +1,11 @@
class UnsafeHmacComparison
def verify_hmac(host, hmac, salt)
sha1 = OpenSSL::Digest.new('sha1')
if OpenSSL::HMAC.digest(sha1, salt, host) == hmac
puts "HMAC verified"
else
puts "HMAC not verified"
end
end
end

View File

@@ -203,10 +203,8 @@ edges
| array_flow.rb:80:13:80:21 | call to source | array_flow.rb:80:5:80:5 | a [element 1] |
| array_flow.rb:81:8:81:8 | c | array_flow.rb:83:10:83:10 | c |
| array_flow.rb:81:8:81:8 | c | array_flow.rb:83:10:83:10 | c |
| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | array_flow.rb:81:8:81:8 | c |
| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | array_flow.rb:81:8:81:8 | c |
| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:15:81:15 | __synth__3 [element 1] |
| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:15:81:15 | __synth__3 [element 1] |
| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:8:81:8 | c |
| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:8:81:8 | c |
| array_flow.rb:88:5:88:5 | a [element 1] | array_flow.rb:89:9:89:9 | a [element 1] |
| array_flow.rb:88:5:88:5 | a [element 1] | array_flow.rb:89:9:89:9 | a [element 1] |
| array_flow.rb:88:13:88:22 | call to source | array_flow.rb:88:5:88:5 | a [element 1] |
@@ -4468,8 +4466,6 @@ nodes
| array_flow.rb:80:13:80:21 | call to source | semmle.label | call to source |
| array_flow.rb:81:8:81:8 | c | semmle.label | c |
| array_flow.rb:81:8:81:8 | c | semmle.label | c |
| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | semmle.label | __synth__3 [element 1] |
| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | semmle.label | __synth__3 [element 1] |
| array_flow.rb:81:15:81:15 | a [element 1] | semmle.label | a [element 1] |
| array_flow.rb:81:15:81:15 | a [element 1] | semmle.label | a [element 1] |
| array_flow.rb:83:10:83:10 | c | semmle.label | c |

View File

@@ -81,8 +81,7 @@ edges
| hash_flow.rb:96:30:96:33 | hash [element :a] | hash_flow.rb:96:13:96:34 | call to try_convert [element :a] |
| hash_flow.rb:97:10:97:14 | hash2 [element :a] | hash_flow.rb:97:10:97:18 | ...[...] |
| hash_flow.rb:105:5:105:5 | b | hash_flow.rb:106:10:106:10 | b |
| hash_flow.rb:105:21:105:30 | __synth__0 | hash_flow.rb:105:5:105:5 | b |
| hash_flow.rb:105:21:105:30 | call to taint | hash_flow.rb:105:21:105:30 | __synth__0 |
| hash_flow.rb:105:21:105:30 | call to taint | hash_flow.rb:105:5:105:5 | b |
| hash_flow.rb:113:5:113:5 | b | hash_flow.rb:115:10:115:10 | b |
| hash_flow.rb:113:9:113:12 | [post] hash [element :a] | hash_flow.rb:114:10:114:13 | hash [element :a] |
| hash_flow.rb:113:9:113:34 | call to store | hash_flow.rb:113:5:113:5 | b |
@@ -1063,7 +1062,6 @@ nodes
| hash_flow.rb:97:10:97:14 | hash2 [element :a] | semmle.label | hash2 [element :a] |
| hash_flow.rb:97:10:97:18 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:105:5:105:5 | b | semmle.label | b |
| hash_flow.rb:105:21:105:30 | __synth__0 | semmle.label | __synth__0 |
| hash_flow.rb:105:21:105:30 | call to taint | semmle.label | call to taint |
| hash_flow.rb:106:10:106:10 | b | semmle.label | b |
| hash_flow.rb:113:5:113:5 | b | semmle.label | b |