refactor isAdditionalTaintStep to a utility predicate in InsecureRandomness

erik-krogh · erik-krogh · commit 9029dbacf54c · 2020-06-10T10:55:30.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
@@ -36,16 +36,7 @@ module InsecureRandomness {
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      // Assume that all operations on tainted values preserve taint: crypto is hard
-      succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()
-      or
-      succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()
-      or
-      exists(DataFlow::MethodCallNode mc |
-        mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and
-        pred = mc.getAnArgument() and
-        succ = mc
-      )
+      InsecureRandomness::isAdditionalTaintStep(pred, succ)
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -78,4 +78,20 @@ module InsecureRandomness {
   class CryptoKeySink extends Sink {
     CryptoKeySink() { this instanceof CryptographicKey }
   }
+
+  /**
+   * Holds if the step `pred` -> `succ` is an additional taint-step for random values that are not cryptographically secure. 
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // Assume that all operations on tainted values preserve taint: crypto is hard
+    succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()
+    or
+    succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()
+    or
+    exists(DataFlow::MethodCallNode mc |
+      mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and
+      pred = mc.getAnArgument() and
+      succ = mc
+    )
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,16 +36,7 @@ module InsecureRandomness {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`
`39`		`- // Assume that all operations on tainted values preserve taint: crypto is hard`
`40`		`- succ.asExpr().(BinaryExpr).getAnOperand() = pred.asExpr()`
`41`		`- or`
`42`		`- succ.asExpr().(UnaryExpr).getOperand() = pred.asExpr()`
`43`		`- or`
`44`		`- exists(DataFlow::MethodCallNode mc \|`
`45`		`- mc = DataFlow::globalVarRef("Math").getAMemberCall(_) and`
`46`		`- pred = mc.getAnArgument() and`
`47`		`- succ = mc`
`48`		`- )`
	`39`	`+ InsecureRandomness::isAdditionalTaintStep(pred, succ)`
`49`	`40`	`}`
`50`	`41`	`}`
`51`	`42`	`}`