Improve source of randomness detection

atorralba · atorralba · commit d955dce72a82 · 2023-12-13T11:15:27.000+01:00
Also sanitize flow out of sinks to avoid overlapping paths
diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -20,7 +20,7 @@ abstract class InsecureRandomnessSource extends DataFlow::Node { }
 private class RandomMethodSource extends InsecureRandomnessSource {
   RandomMethodSource() {
     exists(RandomDataSource s | this.asExpr() = s.getOutput() |
-      not s.getQualifier().getType() instanceof SafeRandomImplementation
+      not s.getSourceOfRandomness() instanceof SafeRandomImplementation
     )
   }
 }
@@ -69,6 +69,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
 
+  predicate isBarrierOut(DataFlow::Node n) { isSink(n) }
+
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand()
     or
diff --git a/java/ql/lib/semmle/code/java/security/RandomDataSource.qll b/java/ql/lib/semmle/code/java/security/RandomDataSource.qll
@@ -3,6 +3,7 @@
  */
 
 import java
+private import semmle.code.java.dataflow.TypeFlow
 
 /**
  * A method access that returns random data or writes random data to an argument.
@@ -43,6 +44,9 @@ abstract class RandomDataSource extends MethodCall {
    * in the case where it writes random data to that argument.
    */
   abstract Expr getOutput();
+
+  /** Gets the type of the source of randomness used by this call. */
+  RefType getSourceOfRandomness() { boundOrStaticType(this.getQualifier(), result) }
 }
 
 /**
@@ -167,4 +171,18 @@ class ApacheCommonsRandomStringSource extends RandomDataSource {
   }
 
   override Expr getOutput() { result = this }
+
+  override RefType getSourceOfRandomness() {
+    if
+      this.getMethod().hasStringSignature("random(int, int, int, boolean, boolean, char[], Random)")
+    then boundOrStaticType(this.getArgument(6), result)
+    else result.hasQualifiedName("java.util", "Random")
+  }
+}
+
+/** Holds if `t` is the static type of `e`, or an upper bound of the runtime type of `e`. */
+private predicate boundOrStaticType(Expr e, RefType t) {
+  exprTypeFlow(e, t, false)
+  or
+  t = e.getType()
 }

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ abstract class InsecureRandomnessSource extends DataFlow::Node { }`
`20`	`20`	`private class RandomMethodSource extends InsecureRandomnessSource {`
`21`	`21`	`RandomMethodSource() {`
`22`	`22`	`exists(RandomDataSource s \| this.asExpr() = s.getOutput() \|`
`23`		`- not s.getQualifier().getType() instanceof SafeRandomImplementation`
	`23`	`+ not s.getSourceOfRandomness() instanceof SafeRandomImplementation`
`24`	`24`	`)`
`25`	`25`	`}`
`26`	`26`	`}`
`@@ -69,6 +69,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {`
`69`	`69`
`70`	`70`	`predicate isBarrierIn(DataFlow::Node n) { isSource(n) }`
`71`	`71`
	`72`	`+ predicate isBarrierOut(DataFlow::Node n) { isSink(n) }`
	`73`	`+`
`72`	`74`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`73`	`75`	`n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand()`
`74`	`76`	`or`