hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-04 06:36:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ddb5d92ef8a854711eb35ff6cef90963adfd412d
codeql/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
Ed Minnix 4b76564911 Add MaybeBrokenCryptoAlgorithmQuery
2023-05-04 10:15:00 -04:00

64 lines
2.1 KiB
Plaintext
Raw Blame History

/**
* Provides classes and a taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
*/
import java
private import semmle.code.java.security.Encryption
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dispatch.VirtualDispatch
private class ShortStringLiteral extends StringLiteral {
ShortStringLiteral() { this.getValue().length() < 100 }
}
/**
* A string literal that may refer to an insecure cryptographic algorithm.
*/
class InsecureAlgoLiteral extends ShortStringLiteral {
InsecureAlgoLiteral() {
// Algorithm identifiers should be at least two characters.
this.getValue().length() > 1 and
exists(string s | s = this.getValue() |
not s.regexpMatch(getSecureAlgorithmRegex()) and
// Exclude results covered by another query.
not s.regexpMatch(getInsecureAlgorithmRegex())
)
}
}
private predicate objectToString(MethodAccess ma) {
exists(ToStringMethod m |
m = ma.getMethod() and
m.getDeclaringType() instanceof TypeObject and
DataFlow::exprNode(ma.getQualifier()).getTypeBound().getErasure() instanceof TypeObject
)
}
private class StringContainer extends RefType {
StringContainer() {
this instanceof TypeString or
this instanceof StringBuildingType or
this.hasQualifiedName("java.util", "StringTokenizer") or
this.(Array).getComponentType() instanceof StringContainer
}
}
/**
* A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
*/
module InsecureCryptoConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
predicate isBarrier(DataFlow::Node n) {
objectToString(n.asExpr()) or
not n.getType().getErasure() instanceof StringContainer
}
}
/**
* Taint-tracking flow for use of potentially insecure cryptographic algorithms.
*/
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
Reference in New Issue View Git Blame Copy Permalink