Commit 9ac24c7

committed
Merge branch 'main' into moresensitive
2 parents b503b1e + 09dd000 commit 9ac24c7
287 files changed

+12485
-3287
lines changed

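--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -26,9 +26,8 @@ jobs:
 uses: ./go/actions/test
 
 test-win:
-if: github.repository_owner == 'github'
 name: Test Windows
-runs-on: windows-latest-xl
+runs-on: windows-latest
 steps:
 - name: Check out code
 uses: actions/checkout@v4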
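Review bot: Dropping `if: github.repository_owner == 'github'` together with the move to `windows-latest` means the `test-win` job now also runs on forks and on pull requests opened from forks, where it was previously skipped. That is fine for a public hosted runner, but `./go/actions/test` and the remaining steps of this job are outside the hunk, so confirm none of them rely on repository secrets or write permissions that a fork-triggered run would not (or should not) have. If the guard existed only because `windows-latest-xl` is an internal runner, a one-line comment on the `runs-on:` line recording that would stop it from being re-added later.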

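--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,7 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
+/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
 
 # cargo build directory
 /target
+
+# some upgrade/downgrade checks create these files
+**/upgrades/*/*.dbscheme.stats
+**/downgrades/*/*.dbscheme.stats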

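--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,6 +10,7 @@ members = [
 "rust/ast-generator",
 "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build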
+4Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: fix
3+
---
4+
* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
+9Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
---
2+
category: breaking
3+
---
4+
* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
5+
* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
6+
* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
7+
* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
8+
* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
9+
* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.

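--- a/cpp/ql/lib/experimental/quantum/Language.qll
+++ b/cpp/ql/lib/experimental/quantum/Language.qll
@@ -1,5 +1,5 @@
 private import cpp as Language
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codeql.quantum.experimental.Model
 
 module CryptoInput implements InputSig<Language::Location> {
@@ -86,6 +86,30 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
 }
 }
 
+module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
+
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
+ConstantDataSource() {
+// TODO: this is an API specific workaround for OpenSSL, as 'EC' is a constant that may be used
+// where typical algorithms are specified, but EC specifically means set up a
+// default curve container, that will later be specified explicitly (or if not a default)
+// curve is used.
+this.getValue() != "EC" and
+// Exclude all 0's as algorithms. Currently we know of no algorithm defined as 0, and
+// the typical case is 0 is assigned to represent null.
+this.getValue().toInt() != 0
+}
+
+override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+override predicate flowsTo(Crypto::FlowAwareElement other) {
+// TODO: separate config to avoid blowing up data-flow analysis
+GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+}
+
+override string getAdditionalDescription() { result = this.toString() }
+}
+
 module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
 source = any(Crypto::ArtifactInstance artifact).getOutputNode()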
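Review bot: `this.getValue().toInt() != 0` in the `ConstantDataSource` characteristic predicate only holds when `toInt()` yields a value, so a literal whose text does not parse as an integer — which is nearly every string literal, including the algorithm-name strings the preceding `!= "EC"` test exists for — makes the conjunction fail and is never a `ConstantDataSource`. If the intent is only to drop literal zeros, the negated form keeps non-numeric literals: `not this.getValue().toInt() = 0`. `flowsTo` also runs the single global `GenericDataSourceFlow` from every such literal, which the TODO already acknowledges; if that stays, a short QLDoc on the class stating what qualifies as a generic constant source and why `EC` and `0` are excluded would make the two inline exclusions easier to maintain.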

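--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
@@ -1,7 +1,9 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import PaddingAlgorithmInstance
 
 /**
 * Traces 'known algorithms' to AVCs, specifically
@@ -18,6 +20,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
 predicate isSink(DataFlow::Node sink) {
 exists(OpenSSLAlgorithmValueConsumer c |
 c.getInputNode() = sink and
+// exclude padding algorithm consumers, since
+// these consumers take in different constant values
+// not in the typical "known algorithm" set
 not c instanceof PaddingAlgorithmValueConsumer
 )
 }
@@ -42,9 +47,7 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
 DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-predicate isSource(DataFlow::Node source) {
-source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
-}
+predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
 
 predicate isSink(DataFlow::Node sink) {
 exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)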

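--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
@@ -1,13 +1,14 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
 * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
-* Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+* Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
 */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
 KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type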

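--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
@@ -1,16 +1,17 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
 * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
-* Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+* Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
 */
 predicate knownOpenSSLConstantToCipherFamilyType(
 KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
@@ -103,11 +104,8 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
 
 override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
-override string getKeySizeFixed() {
-exists(int keySize |
-this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
-result = keySize.toString()
-)
+override int getKeySizeFixed() {
+this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
 }
 
 override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {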
+49Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
import cpp
2+
private import experimental.quantum.Language
3+
private import KnownAlgorithmConstants
4+
private import OpenSSLAlgorithmInstanceBase
5+
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
6+
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
7+
private import AlgToAVCFlow
8+
9+
class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
10+
Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
11+
{
12+
OpenSSLAlgorithmValueConsumer getterCall;
13+
14+
KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
15+
// Two possibilities:
16+
// 1) The source is a literal and flows to a getter, then we know we have an instance
17+
// 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
18+
// Possibility 1:
19+
this instanceof Literal and
20+
exists(DataFlow::Node src, DataFlow::Node sink |
21+
// Sink is an argument to a CipherGetterCall
22+
sink = getterCall.getInputNode() and
23+
// Source is `this`
24+
src.asExpr() = this and
25+
// This traces to a getter
26+
KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
27+
)
28+
or
29+
// Possibility 2:
30+
this instanceof DirectAlgorithmValueConsumer and getterCall = this
31+
}
32+
33+
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
34+
35+
override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }
36+
37+
override Crypto::TEllipticCurveType getEllipticCurveType() {
38+
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
39+
}
40+
41+
override string getParsedEllipticCurveName() {
42+
result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
43+
}
44+
45+
override int getKeySize() {
46+
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
47+
.getNormalizedName(), result, _)
48+
}
49+
}
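Review bot: `getRawEllipticCurveName()` casts `this.(Literal)`, but the constructor's "Possibility 2" admits `this` as a `DirectAlgorithmValueConsumer`; if, as its use in `resolveAlgorithmFromCall` suggests, that consumer is a getter call rather than a literal, instances built that way have no raw curve name at all. Covering both shapes keeps the predicate total, e.g. `result = this.(Literal).getValue().toString() or result = this.(Call).getTarget().getName()`, though the exact call-side expression depends on the consumer's definition, which is outside this hunk. The comment `// Sink is an argument to a CipherGetterCall` is carried over from the cipher instance and should read `// Sink is an argument to an elliptic-curve getter call`, and `getKeySize()` could reuse `this.getParsedEllipticCurveName()` as `getEllipticCurveType()` already does instead of repeating the cast. The class also has no QLDoc; a line such as `/** An elliptic-curve algorithm instance derived from a known OpenSSL curve constant or a direct getter call. */` would match the other instance files.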

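--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
 KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type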

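--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
@@ -1,5 +1,4 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
 resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -20,7 +19,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
 KnownOpenSSLCipherAlgorithmConstant() {
 resolveAlgorithmFromExpr(this, _, algType) and
-algType.toLowerCase().matches("%encryption")
+algType.matches("%ENCRYPTION")
 }
 
 int getExplicitKeySize() {
@@ -37,7 +36,7 @@ class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
 KnownOpenSSLPaddingAlgorithmConstant() {
 resolveAlgorithmFromExpr(this, _, algType) and
-algType.toLowerCase().matches("%padding")
+algType.matches("%PADDING")
 }
 }
 
@@ -46,7 +45,7 @@ class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConsta
 
 KnownOpenSSLBlockModeAlgorithmConstant() {
 resolveAlgorithmFromExpr(this, _, algType) and
-algType.toLowerCase().matches("%block_mode")
+algType.matches("%BLOCK_MODE")
 }
 }
 
@@ -55,7 +54,7 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
 
 KnownOpenSSLHashAlgorithmConstant() {
 resolveAlgorithmFromExpr(this, _, algType) and
-algType.toLowerCase().matches("%hash")
+algType.matches("%HASH")
 }
 
 int getExplicitDigestLength() {
@@ -67,6 +66,15 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
 }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+KnownOpenSSLEllipticCurveAlgorithmConstant() {
+exists(string algType |
+resolveAlgorithmFromExpr(this, _, algType) and
+algType.matches("ELLIPTIC_CURVE")
+)
+}
+}
+
 /**
 * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
 * This approach to fetching algorithms was used in OpenSSL 1.0.2.
@@ -80,7 +88,6 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
 * alias = "dss1" and target = "dsaWithSHA1"
 */
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
-isPossibleOpenSSLFunction(c.getTarget()) and
 exists(string name, string parsedTargetName |
 parsedTargetName =
 c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and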
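Review bot: `algType.matches("ELLIPTIC_CURVE")` in the new `KnownOpenSSLEllipticCurveAlgorithmConstant` has no `%` prefix, unlike the `"%HASH"`/`"%PADDING"` patterns of its sibling classes, and `_` is itself a single-character wildcard in `matches`, so the precise form is plain equality: `algType = "ELLIPTIC_CURVE"`. Dropping `toLowerCase()` in the other four constructors makes those matches case-sensitive, which is only correct if `resolveAlgorithmFromExpr` always yields an upper-case `algType`; its definition is outside this hunk, so that should be confirmed, or `algType.toUpperCase().matches("%HASH")` used as cheap insurance. Removing `isPossibleOpenSSLFunction(c.getTarget())` from `resolveAlgorithmFromCall` also widens it to any function whose name matches once `EVP_` is stripped, whatever library it belongs to; if that is intentional, the predicate's QLDoc, which still describes it as resolving OpenSSL getters, should say so.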

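--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
 abstract OpenSSLAlgorithmValueConsumer getAVC();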

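--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll
@@ -3,3 +3,4 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
+import EllipticCurveAlgorithmInstance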
