
Commit 5cdeb40

Merge pull request #594 from owen-mc/insufficient-key-size-barrier-guard
Add barrier guard for comparison in Insufficient Key Size query
2 parents e784c35 + 004beab commit 5cdeb40


4 files changed

+88
-0
lines changed

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
lgtm,codescanning
2+
* The query "Use of a weak cryptographic key" has been improved to recognize more cases where the
3+
key size should be considered to be safe, which should lead to fewer false positive results.

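--- a/ql/src/Security/CWE-326/InsufficientKeySize.ql
+++ b/ql/src/Security/CWE-326/InsufficientKeySize.ql
@@ -27,6 +27,25 @@ class RsaKeyTrackingConfiguration extends DataFlow::Configuration {
 c.getTarget().hasQualifiedName("crypto/rsa", "GenerateKey")
 )
 }
+
+override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+guard instanceof ComparisonBarrierGuard
+}
+}
+
+/**
+* A comparison which guarantees that an expression is at least 2048,
+* considered as a barrier guard for key sizes.
+*/
+class ComparisonBarrierGuard extends DataFlow::BarrierGuard instanceof DataFlow::RelationalComparisonNode {
+override predicate checks(Expr e, boolean branch) {
+exists(DataFlow::Node lesser, DataFlow::Node greater, int bias |
+super.leq(branch, lesser, greater, bias)
+|
+globalValueNumber(DataFlow::exprNode(e)) = globalValueNumber(greater) and
+lesser.getIntValue() - bias >= 2048
+)
+}
 }
 
 from RsaKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink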
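Review bot: The literal 2048 in `ComparisonBarrierGuard.checks` is a separate hard-coded copy of the minimum RSA key size, which the `.expected` output shows is also spelled out in the alert message. The source predicate is outside this hunk, but if it carries the same literal, raising the minimum there without touching the guard would leave a `>= 2048` check suppressing flows the query should then report. A single shared predicate such as `int minRsaKeySize() { result = 2048 }`, referenced from the guard and wherever else the threshold appears, would keep them in step. The bias arithmetic would also benefit from a one-line comment above `lesser.getIntValue() - bias >= 2048`, for example `// leq: lesser <= greater + bias on this branch, so greater >= lesser - bias`.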

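--- a/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
+++ b/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
@@ -2,14 +2,26 @@ edges
 | InsufficientKeySize.go:13:10:13:13 | 1024 : int | InsufficientKeySize.go:14:31:14:34 | size |
 | InsufficientKeySize.go:18:7:18:10 | 1024 : int | InsufficientKeySize.go:25:11:25:14 | definition of size : int |
 | InsufficientKeySize.go:25:11:25:14 | definition of size : int | InsufficientKeySize.go:26:31:26:34 | size |
+| InsufficientKeySize.go:30:13:30:16 | 1024 : int | InsufficientKeySize.go:32:32:32:38 | keyBits |
+| InsufficientKeySize.go:44:13:44:16 | 1024 : int | InsufficientKeySize.go:47:32:47:38 | keyBits |
+| InsufficientKeySize.go:61:21:61:24 | 1024 : int | InsufficientKeySize.go:67:31:67:37 | keyBits |
 nodes
 | InsufficientKeySize.go:9:31:9:34 | 1024 | semmle.label | 1024 |
 | InsufficientKeySize.go:13:10:13:13 | 1024 : int | semmle.label | 1024 : int |
 | InsufficientKeySize.go:14:31:14:34 | size | semmle.label | size |
 | InsufficientKeySize.go:18:7:18:10 | 1024 : int | semmle.label | 1024 : int |
 | InsufficientKeySize.go:25:11:25:14 | definition of size : int | semmle.label | definition of size : int |
 | InsufficientKeySize.go:26:31:26:34 | size | semmle.label | size |
+| InsufficientKeySize.go:30:13:30:16 | 1024 : int | semmle.label | 1024 : int |
+| InsufficientKeySize.go:32:32:32:38 | keyBits | semmle.label | keyBits |
+| InsufficientKeySize.go:44:13:44:16 | 1024 : int | semmle.label | 1024 : int |
+| InsufficientKeySize.go:47:32:47:38 | keyBits | semmle.label | keyBits |
+| InsufficientKeySize.go:61:21:61:24 | 1024 : int | semmle.label | 1024 : int |
+| InsufficientKeySize.go:67:31:67:37 | keyBits | semmle.label | keyBits |
 #select
 | InsufficientKeySize.go:9:31:9:34 | 1024 | InsufficientKeySize.go:9:31:9:34 | 1024 | InsufficientKeySize.go:9:31:9:34 | 1024 | The size of this RSA key should be at least 2048 bits. |
 | InsufficientKeySize.go:14:31:14:34 | size | InsufficientKeySize.go:13:10:13:13 | 1024 : int | InsufficientKeySize.go:14:31:14:34 | size | The size of this RSA key should be at least 2048 bits. |
 | InsufficientKeySize.go:26:31:26:34 | size | InsufficientKeySize.go:18:7:18:10 | 1024 : int | InsufficientKeySize.go:26:31:26:34 | size | The size of this RSA key should be at least 2048 bits. |
+| InsufficientKeySize.go:32:32:32:38 | keyBits | InsufficientKeySize.go:30:13:30:16 | 1024 : int | InsufficientKeySize.go:32:32:32:38 | keyBits | The size of this RSA key should be at least 2048 bits. |
+| InsufficientKeySize.go:47:32:47:38 | keyBits | InsufficientKeySize.go:44:13:44:16 | 1024 : int | InsufficientKeySize.go:47:32:47:38 | keyBits | The size of this RSA key should be at least 2048 bits. |
+| InsufficientKeySize.go:67:31:67:37 | keyBits | InsufficientKeySize.go:61:21:61:24 | 1024 : int | InsufficientKeySize.go:67:31:67:37 | keyBits | The size of this RSA key should be at least 2048 bits. |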

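--- a/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go
+++ b/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go
@@ -25,3 +25,57 @@ func foo4() {
 func foo5(size int) {
 rsa.GenerateKey(rand.Reader, size)
 }
+
+func foo6() {
+keyBits := 1024
+if keyBits >= 2047 {
+rsa.GenerateKey(rand.Reader, keyBits) // BAD
+}
+}
+
+func foo7() {
+keyBits := 1024
+if keyBits >= 2048 {
+rsa.GenerateKey(rand.Reader, keyBits) // GOOD
+}
+}
+
+func foo8() {
+keyBits := 1024
+switch {
+case keyBits >= 2047:
+rsa.GenerateKey(rand.Reader, keyBits) // BAD
+}
+}
+
+func foo9() {
+keyBits := 1024
+switch {
+case keyBits >= 2048:
+rsa.GenerateKey(rand.Reader, keyBits) // GOOD
+}
+}
+
+func foo10(customOptionSupplied bool, nonConstantKeyBits int) {
+keyBits := 0
+constantKeyBits := 1024
+if customOptionSupplied {
+keyBits = constantKeyBits
+} else {
+keyBits = nonConstantKeyBits
+}
+rsa.GenerateKey(rand.Reader, keyBits) // BAD
+}
+
+func foo11(customOptionSupplied bool, nonConstantKeyBits int) {
+keyBits := 0
+constantKeyBits := 1024
+if customOptionSupplied {
+keyBits = constantKeyBits
+} else {
+keyBits = nonConstantKeyBits
+}
+if keyBits >= 2048 {
+rsa.GenerateKey(rand.Reader, keyBits) // GOOD
+}
+}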
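Review bot: The `bias` term and the `branch` polarity of the new barrier guard have no test, because every added case uses `keyBits >= N` with the call on the true branch. An off-by-one in either would wrongly silence a weak-key finding without any of foo6 through foo11 noticing. Cases for a strict comparison on both sides of the boundary and for an early return on the failing branch would pin this down, with `InsufficientKeySize.expected` regenerated to match. The GOOD/BAD markers in the sketch below follow from reading the guard and should be confirmed against an actual run.

```go
// … unchanged: foo6 through foo11 …

func foo12() {
	keyBits := 1024
	if keyBits > 2047 {
		rsa.GenerateKey(rand.Reader, keyBits) // GOOD
	}
}

func foo13() {
	keyBits := 1024
	if keyBits > 2046 {
		rsa.GenerateKey(rand.Reader, keyBits) // BAD
	}
}

func foo14() {
	keyBits := 1024
	if keyBits < 2048 {
		return
	}
	rsa.GenerateKey(rand.Reader, keyBits) // GOOD
}
```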
