JS: Flag crypto operations with weak block mode

asgerf · asgerf · commit 86a06bde7214 · 2023-03-16T14:52:52.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmCustomizations.qll
@@ -40,7 +40,11 @@ module BrokenCryptoAlgorithm {
   class WeakCryptographicOperationSink extends Sink {
     WeakCryptographicOperationSink() {
       exists(CryptographicOperation application |
-        application.getAlgorithm().isWeak() and
+        (
+          application.getAlgorithm().isWeak()
+          or
+          application.getBlockMode().isWeak()
+        ) and
         this = application.getAnInput()
       )
     }
diff --git a/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
@@ -11,15 +11,23 @@ nodes
 | tst.js:19:17:19:24 | password |
 | tst.js:19:17:19:24 | password |
 | tst.js:19:17:19:24 | password |
+| tst.js:22:21:22:30 | secretText |
+| tst.js:22:21:22:30 | secretText |
+| tst.js:22:21:22:30 | secretText |
 edges
 | tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText |
 | tst.js:3:5:3:24 | secretText | tst.js:11:17:11:26 | secretText |
+| tst.js:3:5:3:24 | secretText | tst.js:22:21:22:30 | secretText |
+| tst.js:3:5:3:24 | secretText | tst.js:22:21:22:30 | secretText |
 | tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText |
 | tst.js:3:18:3:24 | trusted | tst.js:3:5:3:24 | secretText |
 | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText |
 | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted |
 | tst.js:19:17:19:24 | password | tst.js:19:17:19:24 | password |
+| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText |
 #select
 | tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm depends on $@. | tst.js:3:18:3:24 | trusted | sensitive data froman access to trusted |
 | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm depends on $@. | tst.js:11:17:11:26 | secretText | sensitive data froman access to secretText |
 | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | A broken or weak cryptographic algorithm depends on $@. | tst.js:17:17:17:25 | o.trusted | sensitive data froman access to trusted |
+| tst.js:22:21:22:30 | secretText | tst.js:3:18:3:24 | trusted | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm depends on $@. | tst.js:3:18:3:24 | trusted | sensitive data froman access to trusted |
+| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm depends on $@. | tst.js:22:21:22:30 | secretText | sensitive data froman access to secretText |

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,11 @@ module BrokenCryptoAlgorithm {`
`40`	`40`	`class WeakCryptographicOperationSink extends Sink {`
`41`	`41`	`WeakCryptographicOperationSink() {`
`42`	`42`	`exists(CryptographicOperation application \|`
`43`		`- application.getAlgorithm().isWeak() and`
	`43`	`+ (`
	`44`	`+ application.getAlgorithm().isWeak()`
	`45`	`+ or`
	`46`	`+ application.getBlockMode().isWeak()`
	`47`	`+ ) and`
`44`	`48`	`this = application.getAnInput()`
`45`	`49`	`)`
`46`	`50`	`}`