|
| 1 | +/** Provides classes and predicates for reasoning about weak randomness. */ |
| 2 | + |
| 3 | +import java |
| 4 | +import semmle.code.java.frameworks.Servlets |
| 5 | +import semmle.code.java.security.SensitiveActions |
| 6 | +import semmle.code.java.dataflow.TaintTracking |
| 7 | +import semmle.code.java.security.RandomQuery |
| 8 | + |
| 9 | +/** |
| 10 | + * The `java.util.Random` class. |
| 11 | + */ |
| 12 | +class TypeRandom extends RefType { |
| 13 | + TypeRandom() { this.hasQualifiedName("java.util", "Random") } |
| 14 | +} |
| 15 | + |
| 16 | +/** |
| 17 | + * A node representing a source of weak randomness. |
| 18 | + * |
| 19 | + * For example, use of `java.util.Random` or `java.lang.Math.random`. |
| 20 | + */ |
| 21 | +abstract class WeakRandomnessSource extends DataFlow::Node { } |
| 22 | + |
| 23 | +/** |
| 24 | + * A node representing a call to a constructor of `java.util.Random`. |
| 25 | + */ |
| 26 | +private class JavaRandomSource extends WeakRandomnessSource { |
| 27 | + JavaRandomSource() { |
| 28 | + this.asExpr().getType() instanceof TypeRandom and this.asExpr() instanceof ConstructorCall |
| 29 | + } |
| 30 | +} |
| 31 | + |
| 32 | +/** |
| 33 | + * The `random` method of `java.lang.Math`. |
| 34 | + */ |
| 35 | +private class MathRandomMethodAccess extends WeakRandomnessSource { |
| 36 | + MathRandomMethodAccess() { |
| 37 | + exists(MethodAccess ma | this.asExpr() = ma | |
| 38 | + ma.getMethod().hasName("random") and |
| 39 | + ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Math") |
| 40 | + ) |
| 41 | + } |
| 42 | +} |
| 43 | + |
| 44 | +/** |
| 45 | + * A type which is an implementation of `java.util.Random` but considered to be safe. |
| 46 | + * |
| 47 | + * For example, `java.security.SecureRandom`. |
| 48 | + */ |
| 49 | +abstract private class SafeRandomImplementation extends RefType { } |
| 50 | + |
| 51 | +private class TypeSecureRandom extends SafeRandomImplementation { |
| 52 | + TypeSecureRandom() { this.hasQualifiedName("java.security", "SecureRandom") } |
| 53 | +} |
| 54 | + |
| 55 | +private class TypeHadoopOsSecureRandom extends SafeRandomImplementation { |
| 56 | + TypeHadoopOsSecureRandom() { |
| 57 | + this.hasQualifiedName("org.apache.hadoop.crypto.random", "OsSecureRandom") |
| 58 | + } |
| 59 | +} |
| 60 | + |
| 61 | +/** |
| 62 | + * A node representing an operation which should not use a weakly random value. |
| 63 | + */ |
| 64 | +abstract class WeakRandomnessSink extends DataFlow::Node { } |
| 65 | + |
| 66 | +/** |
| 67 | + * A node which creates a cookie. |
| 68 | + */ |
| 69 | +private class CookieSink extends WeakRandomnessSink { |
| 70 | + CookieSink() { |
| 71 | + this.asExpr().getType() instanceof TypeCookie and |
| 72 | + exists(MethodAccess ma | ma.getMethod().hasName("addCookie") | |
| 73 | + ma.getArgument(0) = this.asExpr() |
| 74 | + ) |
| 75 | + } |
| 76 | +} |
| 77 | + |
| 78 | +private class SensitiveActionSink extends WeakRandomnessSink { |
| 79 | + SensitiveActionSink() { this.asExpr() instanceof SensitiveExpr } |
| 80 | +} |
| 81 | + |
| 82 | +/** |
| 83 | + * Holds if there is a method access which converts `bytes` to the string `str`. |
| 84 | + */ |
| 85 | +private predicate covertsBytesToString(DataFlow::Node bytes, DataFlow::Node str) { |
| 86 | + bytes.getType().(Array).getElementType().(PrimitiveType).hasName("byte") and |
| 87 | + str.getType() instanceof TypeString and |
| 88 | + exists(MethodAccess ma | ma = str.asExpr() | bytes.asExpr() = ma.getAnArgument()) |
| 89 | +} |
| 90 | + |
| 91 | +/** |
| 92 | + * A taint-tracking configuration for weak randomness. |
| 93 | + */ |
| 94 | +module WeakRandomnessConfig implements DataFlow::ConfigSig { |
| 95 | + predicate isSource(DataFlow::Node src) { src instanceof WeakRandomnessSource } |
| 96 | + |
| 97 | + predicate isSink(DataFlow::Node sink) { sink instanceof WeakRandomnessSink } |
| 98 | + |
| 99 | + predicate isBarrier(DataFlow::Node n) { n.getTypeBound() instanceof SafeRandomImplementation } |
| 100 | + |
| 101 | + predicate isBarrierIn(DataFlow::Node n) { isSource(n) } |
| 102 | + |
| 103 | + predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { |
| 104 | + n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand() |
| 105 | + or |
| 106 | + n1.asExpr() = n2.asExpr().(UnaryExpr).getExpr() |
| 107 | + or |
| 108 | + exists(MethodAccess ma, Method m | |
| 109 | + n1.asExpr() = ma.getQualifier() and |
| 110 | + ma.getMethod() = m and |
| 111 | + m.getDeclaringType() instanceof TypeRandom and |
| 112 | + ( |
| 113 | + m.hasName(["nextInt", "nextLong", "nextFloat", "nextDouble", "nextBoolean", "nextGaussian"]) and |
| 114 | + n2.asExpr() = ma |
| 115 | + or |
| 116 | + m.hasName("nextBytes") and |
| 117 | + n2.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = ma.getArgument(0) |
| 118 | + ) |
| 119 | + ) |
| 120 | + or |
| 121 | + covertsBytesToString(n1, n2) |
| 122 | + } |
| 123 | +} |
| 124 | + |
| 125 | +/** |
| 126 | + * Taint-tracking flow of a weakly random value into a sensitive sink. |
| 127 | + */ |
| 128 | +module WeakRandomnessFlow = TaintTracking::Global<WeakRandomnessConfig>; |
0 commit comments