

Commit b0af9f9

Jami CogswellJami Cogswell
authored andcommitted
added kg taintracking config to all
1 parent b7123c1 commit b0af9f9

2 files changed

Lines changed: 55 additions & 28 deletions


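--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -28,7 +28,7 @@ class AsymmetricKeyTrackingConfiguration extends TaintTracking2::Configuration {
 override predicate isSink(DataFlow::Node sink) {
 exists(MethodAccess ma, VarAccess va |
 ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-ma.getFile().getBaseName().matches("SignatureTest.java") and
+//ma.getFile().getBaseName().matches("SignatureTest.java") and
 // va.getVariable()
 // .getAnAssignedValue()
 // .(JavaSecurityKeyPairGenerator)
@@ -52,10 +52,17 @@ class AsymmetricKeyTrackingConfiguration extends TaintTracking2::Configuration {
 }
 }
 
+// predicate hasInsufficientKeySize(string msg) { hasShortAsymmetricKeyPair(msg) }
+// predicate hasShortAsymmetricKeyPair(string msg) {
+// exists(AsymmetricKeyTrackingConfiguration config1, DataFlow::Node source, DataFlow::Node sink |
+// config1.hasFlow(source, sink)
+// ) and
+// msg = "Key size should be at least 2048 bits for " + "___" + " encryption."
+// }
 /**
 * Asymmetric (RSA, DSA, DH) key length data flow tracking configuration.
 */
-class AsymmetricECCKeyTrackingConfiguration extends DataFlow::Configuration {
+class AsymmetricECCKeyTrackingConfiguration extends TaintTracking2::Configuration {
 AsymmetricECCKeyTrackingConfiguration() { this = "AsymmetricECCKeyTrackingConfiguration" }
 
 override predicate isSource(DataFlow::Node source) {
@@ -71,15 +78,24 @@ class AsymmetricECCKeyTrackingConfiguration extends DataFlow::Configuration {
 exists(MethodAccess ma, VarAccess va |
 ma.getMethod() instanceof KeyPairGeneratorInitMethod and
 //ma.getArgument(0).getType() instanceof ECGenParameterSpec and // ! can generate EC with just the keysize and not the curve apparently... (based on netty/netty FP example)
-va.getVariable()
-.getAnAssignedValue()
-.(JavaSecurityKeyPairGenerator)
-.getAlgoSpec()
-.(StringLiteral)
-.getValue()
-.toUpperCase()
-.matches(["EC%"]) and
-ma.getQualifier() = va and
+// va.getVariable()
+// .getAnAssignedValue()
+// .(JavaSecurityKeyPairGenerator)
+// .getAlgoSpec()
+// .(StringLiteral)
+// .getValue()
+// .toUpperCase()
+// .matches(["EC%"]) and
+// ma.getQualifier() = va and
+exists(
+JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kpgConfig,
+DataFlow::PathNode source, DataFlow::PathNode dest
+|
+jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches("EC%") and
+source.getNode().asExpr() = jpg and
+dest.getNode().asExpr() = ma.getQualifier() and
+kpgConfig.hasFlowPath(source, dest)
+) and
 sink.asExpr() = ma.getArgument(0)
 )
 }
@@ -88,7 +104,7 @@ class AsymmetricECCKeyTrackingConfiguration extends DataFlow::Configuration {
 /**
 * Symmetric (AES) key length data flow tracking configuration.
 */
-class SymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
+class SymmetricKeyTrackingConfiguration extends TaintTracking2::Configuration {
 SymmetricKeyTrackingConfiguration() { this = "SymmetricKeyTrackingConfiguration2" }
 
 override predicate isSource(DataFlow::Node source) {
@@ -98,15 +114,24 @@ class SymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
 override predicate isSink(DataFlow::Node sink) {
 exists(MethodAccess ma, VarAccess va |
 ma.getMethod() instanceof KeyGeneratorInitMethod and
-va.getVariable()
-.getAnAssignedValue()
-.(JavaxCryptoKeyGenerator)
-.getAlgoSpec()
-.(StringLiteral)
-.getValue()
-.toUpperCase()
-.matches(["AES"]) and
-ma.getQualifier() = va and
+// va.getVariable()
+// .getAnAssignedValue()
+// .(JavaxCryptoKeyGenerator)
+// .getAlgoSpec()
+// .(StringLiteral)
+// .getValue()
+// .toUpperCase()
+// .matches(["AES"]) and
+// ma.getQualifier() = va and
+exists(
+JavaxCryptoKeyGenerator jcg, KeyGeneratorInitConfiguration kgConfig,
+DataFlow::PathNode source, DataFlow::PathNode dest
+|
+jcg.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches("AES") and
+source.getNode().asExpr() = jcg and
+dest.getNode().asExpr() = ma.getQualifier() and
+kgConfig.hasFlowPath(source, dest)
+) and
 sink.asExpr() = ma.getArgument(0)
 )
 }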
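Review bot: In the rewritten `isSink` of `AsymmetricECCKeyTrackingConfiguration` (new lines 79–100) and `SymmetricKeyTrackingConfiguration` (new lines 115–136), `va` is still declared in `exists(MethodAccess ma, VarAccess va |` but is no longer constrained now that `ma.getQualifier() = va` is commented out, so it ranges over every `VarAccess`; the header should become `exists(MethodAccess ma |`. The inner check does not need path nodes either: `kpgConfig.hasFlow(DataFlow::exprNode(jpg), DataFlow::exprNode(ma.getQualifier()))` (and the same for `kgConfig`) expresses the same condition without the two `DataFlow::PathNode` variables. Moving the key-size configurations from `DataFlow` to `TaintTracking2` presumably lets a small constant propagate through arithmetic into `ma.getArgument(0)`, which could flag sizes that are no longer small; the source predicates are outside these hunks, so this should be confirmed with a test case. The commented-out old chains and the `SignatureTest.java` debug filter would be better deleted than kept, and the doc comment above the ECC class still reads "Asymmetric (RSA, DSA, DH)" although the class matches `EC%`.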

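--- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -2,7 +2,7 @@
 * @name Insufficient key size used with a cryptographic algorithm
 * @description Using cryptographic algorithms with too small of a key size can
 * allow an attacker to compromise security.
-* @kind path-problem
+* @kind problem
 * @problem.severity error
 * @security-severity 7.5
 * @precision high
@@ -13,8 +13,8 @@
 
 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
-import DataFlow::PathGraph
 
+//import DataFlow::PathGraph
 // from Expr e, string msg
 // where hasInsufficientKeySize(e, msg)
 // select e, msg
@@ -34,9 +34,11 @@ import DataFlow::PathGraph
 // select sink.getNode(), source, sink, "This $@ is too small, and flows to $@.", source.getNode(),
 // "key size", sink.getNode(), "here"
 // * Use Above
+// * Use Below for taint-tracking with kpg
 from DataFlow::Node source, DataFlow::Node sink
-where exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) //or
-//exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) //or
-//exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
-select sink, source, sink, "This $@ is too small, and flows to $@.", source, "key size", sink,
-"here"
+where
+exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
+exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
+exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlow(source, sink))
+select sink, "This $@ is too small and creates a key $@.", source, "key size", sink, "here"
+// * Use Above for taint-tracking with kpg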
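Review bot: Changing `@kind` to `problem` (new line 5) and commenting out `import DataFlow::PathGraph` (new line 17) removes the source-to-sink path from every alert, which is what a triager uses to confirm that a small key size really reaches the `init` argument. Since all three configurations are now taint-tracking based, results can travel through more steps than before, so `@precision high` on new line 8 should be re-checked against the query's tests. In the new `select`, `sink` is both the alert location and the target of the second `$@`, so the `"here"` link adds nothing; `select sink, "This $@ is too small.", source, "key size"` would carry the same information. If the downgrade is intentional, delete `//import DataFlow::PathGraph` and the `// * Use Above` / `// * Use Below` markers rather than leaving them in the shipped query.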
