Python: Move WeakSensitiveDataHashing to new dataflow API

RasmusWL · RasmusWL · commit dd074173d2d3 · 2023-08-28T15:27:50.000+02:00
I adopted helper predicates to do the "heavy" lifting of .asPathNode1(), maybe I like this approach better... let me know what you think 😊
diff --git a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
@@ -24,10 +24,12 @@ module NormalHashFunction {
   import WeakSensitiveDataHashingCustomizations::NormalHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on sensitive data.
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "NormalHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -44,6 +46,21 @@ module NormalHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
 }
 
 /**
@@ -57,13 +74,15 @@ module ComputationallyExpensiveHashFunction {
   import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
 
   /**
+   * DEPRECATED: Use `Flow` module instead.
+   *
    * A taint-tracking configuration for detecting use of a broken or weak
    * cryptographic hashing algorithm on passwords.
    *
    * Passwords has stricter requirements on the hashing algorithm used (must be
    * computationally expensive to prevent brute-force attacks).
    */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ComputationallyExpensiveHashFunction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -80,4 +99,49 @@ module ComputationallyExpensiveHashFunction {
       sensitiveDataExtraStepForCalls(node1, node2)
     }
   }
+
+  /**
+   * Passwords has stricter requirements on the hashing algorithm used (must be
+   * computationally expensive to prevent brute-force attacks).
+   */
+  private module Config implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
+  }
+
+  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
+  module Flow = TaintTracking::Global<Config>;
+}
+
+/**
+ * Global taint-tracking for detecting both variants of "use of a broken or weak
+ * cryptographic hashing algorithm on sensitive data" vulnerabilities.
+ *
+ * See convenience predicates `normalHashFunctionFlowPath` and
+ * `computationallyExpensiveHashFunctionFlowPath`.
+ */
+module WeakSensitiveDataHashingFlow =
+  DataFlow::MergePathGraph<NormalHashFunction::Flow::PathNode,
+    ComputationallyExpensiveHashFunction::Flow::PathNode, NormalHashFunction::Flow::PathGraph,
+    ComputationallyExpensiveHashFunction::Flow::PathGraph>;
+
+/** Holds if data can flow from `source` to `sink` with `NormalHashFunction::Flow`. */
+predicate normalHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  NormalHashFunction::Flow::flowPath(source.asPathNode1(), sink.asPathNode1())
+}
+
+/** Holds if data can flow from `source` to `sink` with `ComputationallyExpensiveHashFunction::Flow`. */
+predicate computationallyExpensiveHashFunctionFlowPath(
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink
+) {
+  ComputationallyExpensiveHashFunction::Flow::flowPath(source.asPathNode2(), sink.asPathNode2())
 }
diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -16,33 +16,29 @@ import python
 import semmle.python.security.dataflow.WeakSensitiveDataHashingQuery
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
-import DataFlow::PathGraph
+import WeakSensitiveDataHashingFlow::PathGraph
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
-  string classification
+  WeakSensitiveDataHashingFlow::PathNode source, WeakSensitiveDataHashingFlow::PathNode sink,
+  string ending, string algorithmName, string classification
 where
-  exists(NormalHashFunction::Configuration config |
-    config.hasFlowPath(source, sink) and
-    algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
-    classification = source.getNode().(NormalHashFunction::Source).getClassification() and
-    ending = "."
-  )
+  normalHashFunctionFlowPath(source, sink) and
+  algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
+  classification = source.getNode().(NormalHashFunction::Source).getClassification() and
+  ending = "."
   or
-  exists(ComputationallyExpensiveHashFunction::Configuration config |
-    config.hasFlowPath(source, sink) and
-    algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
-    classification =
-      source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
-    (
-      sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
-      ending = "."
-      or
-      not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
-      ending =
-        " for " + classification +
-          " hashing, since it is not a computationally expensive hash function."
-    )
+  computationallyExpensiveHashFunctionFlowPath(source, sink) and
+  algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
+  classification =
+    source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
+  (
+    sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+    ending = "."
+    or
+    not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+    ending =
+      " for " + classification +
+        " hashing, since it is not a computationally expensive hash function."
   )
 select sink.getNode(), source, sink,
   "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
@@ -5,27 +5,27 @@ edges
 | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:2:37:2:51 | GSSA Variable get_certificate |
 | test_cryptodome.py:2:37:2:51 | GSSA Variable get_certificate | test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate |
 | test_cryptodome.py:6:5:6:13 | SSA variable dangerous | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous |
-| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | test_cryptodome.py:6:5:6:13 | SSA variable dangerous |
+| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() |
 | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:6:5:6:13 | SSA variable dangerous |
 | test_cryptodome.py:13:5:13:13 | SSA variable dangerous | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous |
-| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | test_cryptodome.py:13:5:13:13 | SSA variable dangerous |
+| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() |
 | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:13:5:13:13 | SSA variable dangerous |
 | test_cryptodome.py:20:5:20:13 | SSA variable dangerous | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous |
-| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | test_cryptodome.py:20:5:20:13 | SSA variable dangerous |
+| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() |
 | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:20:5:20:13 | SSA variable dangerous |
 | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:3:23:3:34 | GSSA Variable get_password |
 | test_cryptography.py:3:23:3:34 | GSSA Variable get_password | test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password |
 | test_cryptography.py:3:23:3:34 | GSSA Variable get_password | test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password |
 | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:3:37:3:51 | GSSA Variable get_certificate |
 | test_cryptography.py:3:37:3:51 | GSSA Variable get_certificate | test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate |
 | test_cryptography.py:7:5:7:13 | SSA variable dangerous | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous |
-| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | test_cryptography.py:7:5:7:13 | SSA variable dangerous |
+| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() |
 | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:7:5:7:13 | SSA variable dangerous |
 | test_cryptography.py:15:5:15:13 | SSA variable dangerous | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous |
-| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | test_cryptography.py:15:5:15:13 | SSA variable dangerous |
+| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() |
 | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:15:5:15:13 | SSA variable dangerous |
 | test_cryptography.py:23:5:23:13 | SSA variable dangerous | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous |
-| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | test_cryptography.py:23:5:23:13 | SSA variable dangerous |
+| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() |
 | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:23:5:23:13 | SSA variable dangerous |
 nodes
 | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
