clean up code

Jami Cogswell · Jami Cogswell · commit bfbb6db43612 · 2022-10-12T16:58:34.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -26,6 +26,7 @@ class SymmetricSource extends InsufficientKeySizeSource {
   SymmetricSource() { getNodeIntValue(this) < 128 }
 }
 
+// TODO: use `typeFlag` like with sinks below to include the size numbers in this predicate?
 private int getNodeIntValue(DataFlow::Node node) {
   result = node.asExpr().(IntegerLiteral).getIntValue()
 }
@@ -43,19 +44,13 @@ private int getECKeySize(string algorithm) {
   result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }
 
+// TODO: Consider if below 3 sinks should be private and if it's possible to only use InsufficientKeySizeSink in the configs
+// TODO: add QLDocs if keeping non-private
 class AsymmetricNonECSink extends InsufficientKeySizeSink {
   AsymmetricNonECSink() {
-    exists(MethodAccess ma, JavaSecurityKeyPairGenerator jpg |
-      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-      jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches(["RSA", "DSA", "DH"]) and
-      DataFlow::localExprFlow(jpg, ma.getQualifier()) and
-      this.asExpr() = ma.getArgument(0)
-    )
+    hasKeySizeInInitMethod(this, "asymmetric-non-ec")
     or
-    exists(ClassInstanceExpr genParamSpec |
-      genParamSpec.getConstructedType() instanceof AsymmetricNonECSpec and
-      this.asExpr() = genParamSpec.getArgument(0)
-    )
+    hasKeySizeInSpec(this, "asymmetric-non-ec")
   }
 }
 
@@ -70,31 +65,60 @@ private class AsymmetricNonECSpec extends RefType {
 
 class AsymmetricECSink extends InsufficientKeySizeSink {
   AsymmetricECSink() {
-    exists(MethodAccess ma, JavaSecurityKeyPairGenerator jpg |
-      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-      jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches("EC%") and
-      DataFlow::localExprFlow(jpg, ma.getQualifier()) and
-      this.asExpr() = ma.getArgument(0)
-    )
+    hasKeySizeInInitMethod(this, "asymmetric-ec")
     or
-    exists(ClassInstanceExpr ecGenParamSpec |
-      ecGenParamSpec.getConstructedType() instanceof EcGenParameterSpec and
-      this.asExpr() = ecGenParamSpec.getArgument(0)
-    )
+    hasKeySizeInSpec(this, "asymmetric-ec")
   }
 }
 
 class SymmetricSink extends InsufficientKeySizeSink {
-  SymmetricSink() {
-    exists(MethodAccess ma, JavaxCryptoKeyGenerator jcg |
-      ma.getMethod() instanceof KeyGeneratorInitMethod and
-      jcg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = "AES" and
-      DataFlow::localExprFlow(jcg, ma.getQualifier()) and
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
+  SymmetricSink() { hasKeySizeInInitMethod(this, "symmetric") }
+}
+
+// TODO: rethink the predicate name; also think about whether this could/should be a class instead; or a predicate within the sink class so can do sink.predicate()...
+// TODO: can prbly re-work way using the typeFlag to be better and less repetitive
+private predicate hasKeySizeInInitMethod(DataFlow::Node node, string typeFlag) {
+  exists(MethodAccess ma, JavaxCryptoAlgoSpec jcaSpec |
+    (
+      ma.getMethod() instanceof KeyGeneratorInitMethod and typeFlag = "symmetric"
+      or
+      ma.getMethod() instanceof KeyPairGeneratorInitMethod and typeFlag.matches("asymmetric%")
+    ) and
+    (
+      jcaSpec instanceof JavaxCryptoKeyGenerator and typeFlag = "symmetric"
+      or
+      jcaSpec instanceof JavaSecurityKeyPairGenerator and typeFlag.matches("asymmetric%")
+    ) and
+    (
+      jcaSpec.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = "AES" and
+      typeFlag = "symmetric"
+      or
+      jcaSpec.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches(["RSA", "DSA", "DH"]) and
+      typeFlag = "asymmetric-non-ec"
+      or
+      jcaSpec.getAlgoSpec().(StringLiteral).getValue().toUpperCase().matches("EC%") and
+      typeFlag = "asymmetric-ec"
+    ) and
+    DataFlow::localExprFlow(jcaSpec, ma.getQualifier()) and
+    node.asExpr() = ma.getArgument(0)
+  )
+}
+
+// TODO: rethink the predicate name; also think about whether this could/should be a class instead; or a predicate within the sink class so can do sink.predicate()...
+// TODO: can prbly re-work way using the typeFlag to be better and less repetitive
+private predicate hasKeySizeInSpec(DataFlow::Node node, string typeFlag) {
+  exists(ClassInstanceExpr paramSpec |
+    (
+      paramSpec.getConstructedType() instanceof AsymmetricNonECSpec and
+      typeFlag = "asymmetric-non-ec"
+      or
+      paramSpec.getConstructedType() instanceof EcGenParameterSpec and
+      typeFlag = "asymmetric-ec"
+    ) and
+    node.asExpr() = paramSpec.getArgument(0)
+  )
 }
 // TODO:
 // todo #0: look into use of specs without keygen objects; should spec not be a sink in these cases?
 // todo #3: make list of algo names more easily reusable (either as constant-type variable at top of file, or model as own class to share, etc.)
-// todo #5:
+// todo #4: use flowstate (or even just result predicate) to pass source int size to sink?
diff --git a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -19,7 +19,7 @@ from DataFlow::PathNode source, DataFlow::PathNode sink
 where
   //exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
   //or
-  exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
-  exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
-  exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
+  exists(AsymmetricNonECKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink)) or
+  exists(AsymmetricECKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink)) or
+  exists(SymmetricKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink))
 select sink.getNode(), source, sink, "This $@ is too small.", source.getNode(), "key size"
diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
@@ -13,9 +13,9 @@ class InsufficientKeySizeTest extends InlineExpectationsTest {
     exists(DataFlow::PathNode source, DataFlow::PathNode sink |
       //exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
       //or
-      exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
-      exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
-      exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
+      exists(AsymmetricNonECKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink)) or
+      exists(AsymmetricECKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink)) or
+      exists(SymmetricKeyTrackingConfiguration cfg | cfg.hasFlowPath(source, sink))
     |
       sink.getNode().getLocation() = location and
       element = sink.getNode().toString() and
