use steps from InsecureRandomness, and use small-steps

erik-krogh · erik-krogh · commit 7e8fd803277c · 2020-06-10T12:27:50.000+02:00
diff --git a/javascript/ql/src/Security/CWE-327/BadRandomness.ql b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
@@ -13,6 +13,7 @@
 import javascript
 private import semmle.javascript.dataflow.InferredTypes
 private import semmle.javascript.dataflow.internal.StepSummary
+private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
 
 /**
  * Gets a Buffer/TypedArray containing cryptographically secure random numbers.
@@ -29,7 +30,9 @@ private DataFlow::SourceNode randomBufferSource() {
   or
   result = DataFlow::moduleImport("secure-random").getACall()
   or
-  result = DataFlow::moduleImport("secure-random").getAMethodCall(["randomArray", "randomUint8Array", "randomBuffer"])
+  result =
+    DataFlow::moduleImport("secure-random")
+        .getAMethodCall(["randomArray", "randomUint8Array", "randomBuffer"])
 }
 
 /**
@@ -41,48 +44,50 @@ private string prop() { result = DataFlow::PseudoProperties::setElement() }
 /**
  * Gets a reference to a cryptographically secure random number, type tracked using `t`.
  */
-private DataFlow::SourceNode goodRandom(DataFlow::TypeTracker t) {
+private DataFlow::Node goodRandom(DataFlow::TypeTracker t) {
   t.startInProp(prop()) and
   result = randomBufferSource()
   or
   // Loading a number from a `Buffer`.
   exists(DataFlow::TypeTracker t2 | t = t2.append(LoadStep(prop())) |
     // the random generators return arrays/Buffers of random numbers, we therefore track through an indexed read.
-    exists(DataFlow::PropRead read |
+    exists(DataFlow::PropRead read | result = read |
       read.getBase() = goodRandom(t2) and
-      exists(read.getPropertyNameExpr())
+      not read.getPropertyNameExpr() instanceof Label
     )
     or
     // reading a number from a Buffer.
-    exists(DataFlow::MethodCallNode call |
-      call.getReceiver().getALocalSource() = goodRandom(t.continue()) and
+    exists(DataFlow::MethodCallNode call | result = call |
+      call.getReceiver() = goodRandom(t2) and
       call
           .getMethodName()
           .regexpMatch("read(BigInt|BigUInt|Double|Float|Int|UInt)(8|16|32|64)?(BE|LE)?")
     )
   )
   or
-  exists(DataFlow::TypeTracker t2 | result = goodRandom(t2).track(t2, t))
+  exists(DataFlow::TypeTracker t2 | t = t2.smallstep(goodRandom(t2), result))
   or
-  // re-using the collection steps for `Set`. 
+  // re-using the collection steps for `Set`.
   exists(DataFlow::TypeTracker t2 |
     result = CollectionsTypeTracking::collectionStep(goodRandom(t2), t, t2)
   )
+  or
+  InsecureRandomness::isAdditionalTaintStep(goodRandom(t.continue()), result)
 }
 
 /**
  * Gets a reference to a cryptographically random number.
  */
-DataFlow::SourceNode goodRandom() { result = goodRandom(DataFlow::TypeTracker::end()) }
+DataFlow::Node goodRandom() { result = goodRandom(DataFlow::TypeTracker::end()) }
 
 /**
  * Gets a node that that produces a biased result from otherwise cryptographically secure random numbers.
  */
 DataFlow::Node badCrypto(string description) {
   // addition and multiplication - always bad when both the lhs and rhs are random.
   exists(BinaryExpr binop | result.asExpr() = binop |
-    goodRandom().flowsToExpr(binop.getLeftOperand()) and
-    goodRandom().flowsToExpr(binop.getRightOperand()) and
+    goodRandom().asExpr() = binop.getLeftOperand() and
+    goodRandom().asExpr() = binop.getRightOperand() and
     (
       binop.getOperator() = "+" and description = "addition"
       or
@@ -92,22 +97,21 @@ DataFlow::Node badCrypto(string description) {
   or
   // division - always bad
   exists(DivExpr div | result.asExpr() = div |
-    goodRandom().flowsToExpr(div.getLeftOperand()) and
+    goodRandom().asExpr() = div.getLeftOperand() and
     description = "division"
   )
   or
   // modulo - only bad if not by a power of 2 - and the result is not checked for bias
-  exists(ModExpr mod, DataFlow::SourceNode random |
-    result.asExpr() = mod and mod.getOperator() = "%"
-  |
+  exists(ModExpr mod, DataFlow::Node random | result.asExpr() = mod and mod.getOperator() = "%" |
     description = "modulo" and
     goodRandom() = random and
-    random.flowsToExpr(mod.getLeftOperand()) and
-    // division by a power of 2 is OK. E.g. if `x` is uniformly random is in the range [0..255] then `x % 32` is uniformly random in the range [0..31]. 
+    random.asExpr() = mod.getLeftOperand() and
+    // division by a power of 2 is OK. E.g. if `x` is uniformly random is in the range [0..255] then `x % 32` is uniformly random in the range [0..31].
     not mod.getRightOperand().getIntValue() = [2, 4, 8, 16, 32, 64, 128] and
     // not exists a comparison that checks if the result is potentially biased.
     not exists(BinaryExpr comparison | comparison.getOperator() = [">", "<", "<=", ">="] |
-      AccessPath::getAnAliasedSourceNode(random).flowsToExpr(comparison.getAnOperand())
+      AccessPath::getAnAliasedSourceNode(random.getALocalSource())
+          .flowsToExpr(comparison.getAnOperand())
       or
       exists(DataFlow::PropRead otherRead |
         otherRead = random.(DataFlow::PropRead).getBase().getALocalSource().getAPropertyRead() and
@@ -121,7 +125,7 @@ DataFlow::Node badCrypto(string description) {
   exists(DataFlow::CallNode number, StringOps::ConcatenationRoot root | result = number |
     number = DataFlow::globalVarRef(["Number", "parseInt", "parseFloat"]).getACall() and
     root = number.getArgument(0) and
-    goodRandom().flowsTo(root.getALeaf()) and
+    goodRandom() = root.getALeaf() and
     exists(root.getALeaf().getStringValue()) and
     description = "string concatenation"
   )
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected
@@ -6,3 +6,5 @@
 | bad-random.js:73:32:73:42 | byte / 25.6 | Using division on cryptographically random numbers produces biased results. |
 | bad-random.js:75:21:75:30 | byte % 100 | Using modulo on cryptographically random numbers produces biased results. |
 | bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on cryptographically random numbers produces biased results. |
+| bad-random.js:85:11:85:35 | goodRan ... Random2 | Using addition on cryptographically random numbers produces biased results. |
+| bad-random.js:87:16:87:24 | bad + bad | Using addition on cryptographically random numbers produces biased results. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js b/javascript/ql/test/query-tests/Security/CWE-327/bad-random.js
@@ -78,4 +78,10 @@ function setSteps() {
 
 const secureRandom = require("secure-random");
 
-var bad = secureRandom(10)[0] + secureRandom(10)[0]; // NOT OK
+var bad = secureRandom(10)[0] + secureRandom(10)[0]; // NOT OK
+
+var goodRandom1 = 5 + secureRandom(10)[0];
+var goodRandom2 = 5 + secureRandom(10)[0];
+var bad = goodRandom1 + goodRandom2; // NOT OK
+
+var dontFlag = bad + bad; // OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
