Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 75794ec

Browse files
Jami CogswellJami Cogswell
Jami Cogswell
authored and
Jami Cogswell
committed
false negative testing - before rewrite for variable dataflow
1 parent 7d94590 commit 75794ec

2 files changed

Lines changed: 34 additions & 3 deletions

File tree

java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
import semmle.code.java.security.Encryption
22
import semmle.code.java.dataflow.TaintTracking
3+
import semmle.code.java.dataflow.DataFlow3
34

45
/** The Java class `java.security.spec.ECGenParameterSpec`. */
56
private class ECGenParameterSpec extends RefType {
@@ -86,9 +87,18 @@ private predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type)
8687
jcg.getAlgoSpec().(StringLiteral).getValue() = type and
8788
source.getNode().asExpr() = jcg and
8889
dest.getNode().asExpr() = ma.getQualifier() and
89-
cc.hasFlowPath(source, dest)
90+
//ma.getArgument(0) = var and // ! me
91+
//var.getVariable().getInitializer().getUnderlyingExpr() instanceof IntegerLiteral and // ! me
92+
cc.hasFlowPath(source, dest) //and
93+
//var.getVariable().getInitializer().getUnderlyingExpr().toString().toInt() < 128 // ! me
94+
) and
95+
exists(VarAccess var |
96+
var.getVariable().getInitializer().getUnderlyingExpr() instanceof IntegerLiteral and
97+
var.getVariable().getInitializer().getUnderlyingExpr().toString().toInt() < 128 and
98+
//DataFlow3::localExprFlow(var, ma.getArgument(0)) and
99+
ma.getArgument(0) = var
100+
//ma.getArgument(0).(IntegerLiteral).getIntValue() < 128
90101
) and
91-
ma.getArgument(0).(IntegerLiteral).getIntValue() < 128 and
92102
msg = "Key size should be at least 128 bits for " + type + " encryption."
93103
}
94104

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java

Lines changed: 22 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
import javax.crypto.KeyGenerator;
44

55
public class InsufficientKeySizeTest {
6-
public void CryptoMethod() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
6+
public void cryptoMethod() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
77
KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
88
// BAD: Key size is less than 128
99
keyGen1.init(64); // $ hasInsufficientKeySize
@@ -89,5 +89,26 @@ public void CryptoMethod() throws java.security.NoSuchAlgorithmException, java.s
8989
KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("DH");
9090
// GOOD: Key size is no less than 2048
9191
keyPairGen17.initialize(2048); // Safe
92+
93+
94+
// FN: Test with variables as numbers
95+
final int size1 = 64;
96+
KeyGenerator keyGen3 = KeyGenerator.getInstance("AES");
97+
// BAD: Key size is less than 128
98+
keyGen3.init(size1); // $ hasInsufficientKeySize
99+
100+
int size2 = 1024;
101+
KeyPairGenerator keyPairGen18 = KeyPairGenerator.getInstance("RSA");
102+
// BAD: Key size is less than 2048
103+
keyPairGen18.initialize(size2); // $ hasInsufficientKeySize
104+
105+
int keysize = 64;
106+
test(keysize);
107+
}
108+
109+
public void test(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
110+
KeyGenerator keyGen4 = KeyGenerator.getInstance("AES");
111+
// BAD: Key size is less than 128
112+
keyGen4.init(keySize); // $ hasInsufficientKeySize
92113
}
93114
}

0 commit comments

Comments
 (0)