Update TimingAttackAgainstHeader.ql

ahmed-farid-dev · smowton · commit 785928804057 · 2022-02-25T17:33:07.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
@@ -16,6 +16,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
+/** A static method that uses a non-constant-time algorithm for comparing inputs. */
 private class NonConstantTimeComparisonCall extends StaticMethodAccess {
   NonConstantTimeComparisonCall() {
     this.getMethod()
@@ -24,6 +25,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
   }
 }
 
+/** Methods that use a non-constant-time algorithm for comparing inputs. */
 private class NonConstantTimeEqualsCall extends MethodAccess {
   NonConstantTimeEqualsCall() {
     this.getMethod().hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"])

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ import semmle.code.java.dataflow.FlowSources`
`16`	`16`	`import semmle.code.java.dataflow.TaintTracking`
`17`	`17`	`import DataFlow::PathGraph`
`18`	`18`
	`19`	`+/** A static method that uses a non-constant-time algorithm for comparing inputs. */`
`19`	`20`	`private class NonConstantTimeComparisonCall extends StaticMethodAccess {`
`20`	`21`	`NonConstantTimeComparisonCall() {`
`21`	`22`	`this.getMethod()`
`@@ -24,6 +25,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {`
`24`	`25`	`}`
`25`	`26`	`}`
`26`	`27`
	`28`	`+/** Methods that use a non-constant-time algorithm for comparing inputs. */`
`27`	`29`	`private class NonConstantTimeEqualsCall extends MethodAccess {`
`28`	`30`	`NonConstantTimeEqualsCall() {`
`29`	`31`	`this.getMethod().hasQualifiedName("java.lang", "String", ["equals", "contentEquals", "equalsIgnoreCase"])`