Port changes to Ruby.

Max Schaefer · Max Schaefer · commit f42bd28ca93a · 2023-10-26T15:06:45.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Digest.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Digest.qll
@@ -18,15 +18,21 @@ private API::Node digest(Cryptography::HashingAlgorithm algo) {
 private class DigestCall extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
 {
   Cryptography::HashingAlgorithm algo;
+  API::Node digestNode;
 
   DigestCall() {
-    this = digest(algo).getAMethodCall(["hexdigest", "base64digest", "bubblebabble"])
-    or
-    this = digest(algo).getAMethodCall("file") // it's directly hashing the contents of a file, but that's close enough for us.
-    or
-    this = digest(algo).getInstance().getAMethodCall(["digest", "update", "<<"])
+    digestNode = digest(algo) and
+    (
+      this = digestNode.getAMethodCall(["hexdigest", "base64digest", "bubblebabble"])
+      or
+      this = digestNode.getAMethodCall("file") // it's directly hashing the contents of a file, but that's close enough for us.
+      or
+      this = digestNode.getInstance().getAMethodCall(["digest", "update", "<<"])
+    )
   }
 
+  override DataFlow::Node getInitialization() { result = digestNode.asSource() }
+
   override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
 
   override DataFlow::Node getAnInput() { result = super.getArgument(0) }
diff --git a/ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll b/ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll
@@ -40,6 +40,9 @@ module Cryptography {
     /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
     CryptographicAlgorithm getAlgorithm() { result = super.getAlgorithm() }
 
+    /** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */
+    DataFlow::Node getInitialization() { result = super.getInitialization() }
+
     /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
     DataFlow::Node getAnInput() { result = super.getAnInput() }
 
@@ -65,6 +68,9 @@ module Cryptography {
      * extend `CryptographicOperation` instead.
      */
     abstract class Range extends DataFlow::Node {
+      /** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */
+      abstract DataFlow::Node getInitialization();
+
       /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
       abstract CryptographicAlgorithm getAlgorithm();
 
diff --git a/ruby/ql/lib/codeql/ruby/security/OpenSSL.qll b/ruby/ql/lib/codeql/ruby/security/OpenSSL.qll
@@ -569,6 +569,8 @@ private class CipherOperation extends Cryptography::CryptographicOperation::Rang
     this.getMethodName() = "update"
   }
 
+  override DataFlow::Node getInitialization() { result = cipherNode }
+
   override Cryptography::EncryptionAlgorithm getAlgorithm() {
     result = cipherNode.getCipher().getAlgorithm()
   }
@@ -591,21 +593,21 @@ private module Digest {
   private class DigestCall extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
   {
     Cryptography::HashingAlgorithm algo;
+    API::MethodAccessNode call;
 
     DigestCall() {
-      exists(API::MethodAccessNode call |
-        call = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("new")
-      |
-        this = call.getReturn().getAMethodCall(["digest", "update", "<<"]) and
-        algo.matchesName(call.asCall()
-              .getArgument(0)
-              .asExpr()
-              .getExpr()
-              .getConstantValue()
-              .getString())
-      )
+      call = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("new") and
+      this = call.getReturn().getAMethodCall(["digest", "update", "<<"]) and
+      algo.matchesName(call.asCall()
+            .getArgument(0)
+            .asExpr()
+            .getExpr()
+            .getConstantValue()
+            .getString())
     }
 
+    override DataFlow::Node getInitialization() { result = call.asCall() }
+
     override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
 
     override DataFlow::Node getAnInput() { result = super.getArgument(0) }
@@ -617,12 +619,16 @@ private module Digest {
   private class DigestCallDirect extends Cryptography::CryptographicOperation::Range instanceof DataFlow::CallNode
   {
     Cryptography::HashingAlgorithm algo;
+    API::Node digestNode;
 
     DigestCallDirect() {
-      this = API::getTopLevelMember("OpenSSL").getMember("Digest").getMethod("digest").asCall() and
+      digestNode = API::getTopLevelMember("OpenSSL").getMember("Digest") and
+      this = digestNode.getMethod("digest").asCall() and
       algo.matchesName(this.getArgument(0).asExpr().getExpr().getConstantValue().getString())
     }
 
+    override DataFlow::Node getInitialization() { result = digestNode.asSource() }
+
     override Cryptography::HashingAlgorithm getAlgorithm() { result = algo }
 
     override DataFlow::Node getAnInput() { result = super.getArgument(1) }
diff --git a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql
@@ -23,4 +23,4 @@ where
   )
   or
   operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
-select operation, msgPrefix + " is broken or weak, and should not be used."
+select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.", operation.getInitialization(), "here"
diff --git a/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.expected b/ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.expected
@@ -1,19 +1,19 @@
-| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
-| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES is broken or weak, and should not be used. |
-| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
-| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES is broken or weak, and should not be used. |
-| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
-| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB is broken or weak, and should not be used. |
-| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 is broken or weak, and should not be used. |
-| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
-| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
-| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
+| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | here |
+| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | here |
+| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | here |
+| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | here |
+| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | here |
+| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | here |
+| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | here |
+| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | here |
+| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | here |
+| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | here |
+| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | here |
+| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | here |
+| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | here |
+| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | here |
+| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
+| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
+| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | here |
+| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | here |
+| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | here |

Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,4 @@ where`
`23`	`23`	`)`
`24`	`24`	`or`
`25`	`25`	`operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()`
`26`		`-select operation, msgPrefix + " is broken or weak, and should not be used."`
	`26`	`+select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.", operation.getInitialization(), "here"`