Skip to content

Commit 1a4e8d9

Browse files
RasmusWLRasmusWL
committed
Python: Move experimental PossibleTimingAttackAgainstSensitiveInfo to new dataflow API
1 parent 5fd3594 commit 1a4e8d9

File tree

2 files changed

+10
-29
lines changed

2 files changed

+10
-29
lines changed

python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -15,20 +15,22 @@ import python
1515
import semmle.python.dataflow.new.DataFlow
1616
import semmle.python.dataflow.new.TaintTracking
1717
import experimental.semmle.python.security.TimingAttack
18-
import DataFlow::PathGraph
1918

2019
/**
2120
* A configuration tracing flow from obtaining a client Secret to a unsafe Comparison.
2221
*/
23-
class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
24-
ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
22+
private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlow::ConfigSig {
23+
predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
2524

26-
override predicate isSource(DataFlow::Node source) { source instanceof SecretSource }
27-
28-
override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
25+
predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
2926
}
3027

31-
from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
32-
where config.hasFlowPath(source, sink)
28+
module PossibleTimingAttackAgainstSensitiveInfoFlow =
29+
TaintTracking::Global<PossibleTimingAttackAgainstSensitiveInfoConfig>;
30+
31+
import PossibleTimingAttackAgainstSensitiveInfoFlow::PathGraph
32+
33+
from PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode source, PossibleTimingAttackAgainstSensitiveInfoFlow::PathNode sink
34+
where PossibleTimingAttackAgainstSensitiveInfoFlow::flowPath(source, sink)
3335
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(),
3436
"client-supplied token"

python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.expected

Lines changed: 0 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,27 +1,6 @@
11
edges
2-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request |
3-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request |
4-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request |
5-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request |
6-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request |
7-
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
8-
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password |
9-
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password |
10-
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
11-
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password |
12-
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password |
132
nodes
14-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
15-
| TimingAttackAgainstSensitiveInfo.py:7:19:7:25 | GSSA Variable request | semmle.label | GSSA Variable request |
16-
| TimingAttackAgainstSensitiveInfo.py:14:8:14:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
17-
| TimingAttackAgainstSensitiveInfo.py:15:9:15:16 | SSA variable password | semmle.label | SSA variable password |
18-
| TimingAttackAgainstSensitiveInfo.py:15:20:15:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
193
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
20-
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
21-
| TimingAttackAgainstSensitiveInfo.py:20:8:20:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
22-
| TimingAttackAgainstSensitiveInfo.py:21:9:21:16 | SSA variable password | semmle.label | SSA variable password |
23-
| TimingAttackAgainstSensitiveInfo.py:21:20:21:26 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
24-
| TimingAttackAgainstSensitiveInfo.py:22:38:22:45 | ControlFlowNode for password | semmle.label | ControlFlowNode for password |
254
subpaths
265
#select
276
| TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | Timing attack against $@ validation. | TimingAttackAgainstSensitiveInfo.py:16:16:16:23 | ControlFlowNode for password | client-supplied token |

0 commit comments

Comments
 (0)