Fix minor error in Weak Hashing

egregius313 · egregius313 · commit 7f9dff2dc748 · 2023-12-21T22:48:07.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -44,10 +44,12 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node n) {
     n.asExpr() instanceof InsecureAlgoLiteral
     or
-    exists(PropertiesGetPropertyMethodCall mc | n.asExpr() = mc |
+    exists(PropertiesGetPropertyMethodCall mc, string value |
+      n.asExpr() = mc and value = mc.getPropertyValue()
+    |
       // Since properties pairs are not included in the java/weak-crypto-algorithm,
       // The check for values from properties files can be less strict than `InsecureAlgoLiteral`.
-      not mc.getPropertyValue().regexpMatch(getSecureAlgorithmRegex())
+      not value.regexpMatch(getSecureAlgorithmRegex())
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -44,10 +44,12 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {`
`44`	`44`	`predicate isSource(DataFlow::Node n) {`
`45`	`45`	`n.asExpr() instanceof InsecureAlgoLiteral`
`46`	`46`	`or`
`47`		`- exists(PropertiesGetPropertyMethodCall mc \| n.asExpr() = mc \|`
	`47`	`+ exists(PropertiesGetPropertyMethodCall mc, string value \|`
	`48`	`+ n.asExpr() = mc and value = mc.getPropertyValue()`
	`49`	`+ \|`
`48`	`50`	`// Since properties pairs are not included in the java/weak-crypto-algorithm,`
`49`	`51`	// The check for values from properties files can be less strict than `InsecureAlgoLiteral`.
`50`		`- not mc.getPropertyValue().regexpMatch(getSecureAlgorithmRegex())`
	`52`	`+ not value.regexpMatch(getSecureAlgorithmRegex())`
`51`	`53`	`)`
`52`	`54`	`}`
`53`	`55`