Insecure-TLS: restrict sources to potentially interesting integers.

smowton · smowton · commit cce3a704128f · 2020-07-29T16:46:36.000+01:00
diff --git a/ql/src/Security/CWE-327/InsecureTLS.ql b/ql/src/Security/CWE-327/InsecureTLS.ql
@@ -35,6 +35,14 @@ predicate isInsecureTlsVersion(int val, string name, string fieldName) {
   )
 }
 
+/**
+ * Returns integers that may represent a TLS version.
+ *
+ * Integer values corresponding to versions are defined at https://golang.org/pkg/crypto/tls/#pkg-constants
+ * Zero means the default version; at the time of writing, TLS 1.0.
+ */
+int getATlsVersion() { result in [768, 769, 770, 771, 772, 0] }
+
 /**
  * Holds if `node` refers to a value returned alongside a non-nil error value.
  *
@@ -60,6 +68,7 @@ class TlsVersionFlowConfig extends TaintTracking::Configuration {
    */
   predicate isSource(DataFlow::Node source, int val) {
     val = source.getIntValue() and
+    val = getATlsVersion() and
     not isReturnedWithError(source)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,14 @@ predicate isInsecureTlsVersion(int val, string name, string fieldName) {`
`35`	`35`	`)`
`36`	`36`	`}`
`37`	`37`
	`38`	`+/**`
	`39`	`+ * Returns integers that may represent a TLS version.`
	`40`	`+ *`
	`41`	`+ * Integer values corresponding to versions are defined at https://golang.org/pkg/crypto/tls/#pkg-constants`
	`42`	`+ * Zero means the default version; at the time of writing, TLS 1.0.`
	`43`	`+ */`
	`44`	`+int getATlsVersion() { result in [768, 769, 770, 771, 772, 0] }`
	`45`	`+`
`38`	`46`	`/**`
`39`	`47`	* Holds if `node` refers to a value returned alongside a non-nil error value.
`40`	`48`	`*`
`@@ -60,6 +68,7 @@ class TlsVersionFlowConfig extends TaintTracking::Configuration {`
`60`	`68`	`*/`
`61`	`69`	`predicate isSource(DataFlow::Node source, int val) {`
`62`	`70`	`val = source.getIntValue() and`
	`71`	`+ val = getATlsVersion() and`
`63`	`72`	`not isReturnedWithError(source)`
`64`	`73`	`}`
`65`	`74`