From aafdf1a279001646f1c8f881c49a5badf2f09831 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Fri, 25 Jul 2025 16:11:07 +0100 Subject: [PATCH 1/6] Rust: Update StreamCipherInit to use getCanonicalPath. --- .../rust/frameworks/rustcrypto/RustCrypto.qll | 35 ++++++++----------- .../CWE-327/BrokenCryptoAlgorithm.expected | 13 +------ .../security/CWE-327/test_cipher.rs | 24 ++++++------- 3 files changed, 28 insertions(+), 44 deletions(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll index 70b92a3f7eaf..3a9de4743a71 100644 --- a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll @@ -5,6 +5,8 @@ private import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow +import codeql.rust.internal.TypeInference +import codeql.rust.internal.Type bindingset[algorithmName] private string simplifyAlgorithmName(string algorithmName) { @@ -21,28 +23,21 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range { StreamCipherInit() { // a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`, - // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices` or `rc2::Rc2::new_with_eff_key_len`. - exists(PathExpr p, string rawAlgorithmName | - this.asExpr().getExpr().(CallExpr).getFunction() = p and - p.getResolvedCrateOrigin().matches("%/RustCrypto%") and - p.getPath().getText() = ["new", "new_from_slice", "new_from_slices", "new_with_eff_key_len"] and - ( - rawAlgorithmName = p.getPath().getQualifier().getText() or + // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices`, `rc2::Rc2::new_with_eff_key_len` or similar. + exists(CallExprBase ce, string rawAlgorithmName | + ce = this.asExpr().getExpr() and + ce.getStaticTarget() + .getCanonicalPath() + .matches(["%::new", "%::new_from_slice", "%::new_with_eff_key_len", "%::new_from_slices"]) and + // extract the algorithm name from the type of `ce` or its receiver. + exists(Type t, TypePath tp | + t = inferType([ce, ce.(MethodCallExpr).getReceiver()], tp) and rawAlgorithmName = - p.getPath() - .getQualifier() - .getSegment() - .getGenericArgList() - .getGenericArg(0) - .(TypeArg) - .getTypeRepr() - .(PathTypeRepr) - .getPath() - .getSegment() - .getIdentifier() - .getText() + t.(StructType).asItemNode().(Addressable).getCanonicalPath().splitAt("::") ) and - algorithmName = simplifyAlgorithmName(rawAlgorithmName) + algorithmName = simplifyAlgorithmName(rawAlgorithmName) and + // only match a known cryptographic algorithm + any(Cryptography::CryptographicAlgorithm alg).matchesName(algorithmName) ) } diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected index f1395ff39ec0..e0b3647e9591 100644 --- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected +++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected @@ -2,20 +2,9 @@ | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | The cryptographic algorithm RC4 | | test_cipher.rs:26:27:26:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:26:27:26:48 | ...::new(...) | The cryptographic algorithm RC4 | | test_cipher.rs:29:27:29:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:29:27:29:48 | ...::new(...) | The cryptographic algorithm RC4 | -| test_cipher.rs:59:23:59:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:59:23:59:42 | ...::new(...) | The cryptographic algorithm DES | -| test_cipher.rs:63:23:63:47 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:63:23:63:47 | ...::new(...) | The cryptographic algorithm DES | | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | -| test_cipher.rs:71:23:71:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:42 | ...::new(...) | The cryptographic algorithm DES | -| test_cipher.rs:75:27:75:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:27:75:46 | ...::new(...) | The cryptographic algorithm DES | -| test_cipher.rs:80:24:80:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:80:24:80:48 | ...::new(...) | The cryptographic algorithm 3DES | -| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm 3DES | -| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm 3DES | | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES | -| test_cipher.rs:97:23:97:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:97:23:97:42 | ...::new(...) | The cryptographic algorithm RC2 | -| test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | The cryptographic algorithm RC2 | +| test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm DES | | test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 | | test_cipher.rs:110:23:110:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:110:23:110:50 | ...::new(...) | The cryptographic algorithm RC5 | | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | -| test_cipher.rs:132:23:132:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:132:23:132:76 | ...::new(...) | The cryptographic algorithm DES | -| test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | The cryptographic algorithm DES | -| test_cipher.rs:141:23:141:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:141:23:141:76 | ...::new(...) | The cryptographic algorithm DES | diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index 0cf20c4c2782..f8bf181cd044 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs @@ -56,11 +56,11 @@ fn test_block_cipher( aes_cipher3.decrypt_block(block128.into()); // des (broken) - let des_cipher1 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] des_cipher1.encrypt_block(data.into()); des_cipher1.decrypt_block(data.into()); - let des_cipher2 = des::Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher2 = des::Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] des_cipher2.encrypt_block(data.into()); des_cipher2.decrypt_block(data.into()); @@ -68,24 +68,24 @@ fn test_block_cipher( des_cipher3.encrypt_block(data.into()); des_cipher3.decrypt_block(data.into()); - let des_cipher4 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher4 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] des_cipher4.encrypt_block_b2b(input.into(), data.into()); des_cipher4.decrypt_block_b2b(input.into(), data.into()); - let mut des_cipher5 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let mut des_cipher5 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] des_cipher5.encrypt_block_mut(data.into()); des_cipher5.decrypt_block_mut(data.into()); // triple des (broken) - let tdes_cipher1 = TdesEde2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher1 = TdesEde2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] tdes_cipher1.encrypt_block(data.into()); tdes_cipher1.decrypt_block(data.into()); - let tdes_cipher2 = TdesEde3::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher2 = TdesEde3::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] tdes_cipher2.encrypt_block(data.into()); tdes_cipher2.decrypt_block(data.into()); - let tdes_cipher3 = TdesEee2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher3 = TdesEee2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] tdes_cipher3.encrypt_block(data.into()); tdes_cipher3.decrypt_block(data.into()); @@ -94,11 +94,11 @@ fn test_block_cipher( tdes_cipher4.decrypt_block(data.into()); // rc2 (broken) - let rc2_cipher1 = Rc2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher1 = Rc2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] rc2_cipher1.encrypt_block(data.into()); rc2_cipher1.decrypt_block(data.into()); - let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] rc2_cipher2.encrypt_block(data.into()); rc2_cipher2.decrypt_block(data.into()); @@ -129,15 +129,15 @@ fn test_cbc( _ = aes_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); // des (broken) - let des_cipher1 = cbc::Encryptor::::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher1 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap(); let des_cipher2 = MyDesEncryptor::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] _ = des_cipher2.encrypt_padded_mut::(data, data_len).unwrap(); - let des_cipher3 = cbc::Encryptor::::new_from_slices(&key, &iv).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher3 = cbc::Encryptor::::new_from_slices(&key, &iv).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] _ = des_cipher3.encrypt_padded_mut::(data, data_len).unwrap(); - let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm] + let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap(); } From a9650e02ca50f05cf4638dd2b1951808cbc299ee Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 18 Aug 2025 10:16:35 +0100 Subject: [PATCH 2/6] Rust: Add a slightly simpler / more explicit test case. --- .../security/CWE-327/BrokenCryptoAlgorithm.expected | 12 ++++++------ .../test/query-tests/security/CWE-327/test_cipher.rs | 6 +++++- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected index e0b3647e9591..53374234338c 100644 --- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected +++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected @@ -2,9 +2,9 @@ | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | The cryptographic algorithm RC4 | | test_cipher.rs:26:27:26:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:26:27:26:48 | ...::new(...) | The cryptographic algorithm RC4 | | test_cipher.rs:29:27:29:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:29:27:29:48 | ...::new(...) | The cryptographic algorithm RC4 | -| test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | -| test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES | -| test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm DES | -| test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 | -| test_cipher.rs:110:23:110:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:110:23:110:50 | ...::new(...) | The cryptographic algorithm RC5 | -| test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | +| test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | +| test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm DES | +| test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 | +| test_cipher.rs:114:23:114:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:50 | ...::new(...) | The cryptographic algorithm RC5 | +| test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index f8bf181cd044..de7e23a517f6 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs @@ -42,7 +42,7 @@ fn test_stream_cipher( fn test_block_cipher( key: &[u8], key128: &[u8;16], key192: &[u8;24], key256: &[u8;32], - data: &mut [u8], input: &[u8], block128: &mut [u8;16] + data: &mut [u8], input: &[u8], block128: &mut [u8;16], des_key : &cipher::Key ) { // aes let aes_cipher1 = Aes128::new(key128.into()); @@ -56,6 +56,10 @@ fn test_block_cipher( aes_cipher3.decrypt_block(block128.into()); // des (broken) + let des_cipher0 : Des = Des::new(des_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + des_cipher0.encrypt_block(data.into()); + des_cipher0.decrypt_block(data.into()); + let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] des_cipher1.encrypt_block(data.into()); des_cipher1.decrypt_block(data.into()); From fdec780921efd3ebb670ce227b55fbd2ff996d35 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 18 Aug 2025 18:42:06 +0100 Subject: [PATCH 3/6] Rust: Accept consistency .expected changes. --- .../CWE-327/CONSISTENCY/PathResolutionConsistency.expected | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/test/query-tests/security/CWE-327/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-327/CONSISTENCY/PathResolutionConsistency.expected index 3d73ede26c5f..50dd9e9f0ed2 100644 --- a/rust/ql/test/query-tests/security/CWE-327/CONSISTENCY/PathResolutionConsistency.expected +++ b/rust/ql/test/query-tests/security/CWE-327/CONSISTENCY/PathResolutionConsistency.expected @@ -4,4 +4,4 @@ multipleCallTargets | test_cipher.rs:29:27:29:48 | ...::new(...) | | test_cipher.rs:36:30:36:59 | ...::new(...) | | test_cipher.rs:39:30:39:63 | ...::new(...) | -| test_cipher.rs:110:23:110:50 | ...::new(...) | +| test_cipher.rs:114:23:114:50 | ...::new(...) | From bf33d1b870e9c793cc249bed02a3815d961b9ce6 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 18 Aug 2025 18:51:33 +0100 Subject: [PATCH 4/6] Rust: Make a couple of new imports private. --- rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll index 3a9de4743a71..d21b658e8a74 100644 --- a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll @@ -5,8 +5,8 @@ private import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow -import codeql.rust.internal.TypeInference -import codeql.rust.internal.Type +private import codeql.rust.internal.TypeInference +private import codeql.rust.internal.Type bindingset[algorithmName] private string simplifyAlgorithmName(string algorithmName) { From 9f04de859f8cdd546861e32ed84630be28ced203 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 19 Aug 2025 08:46:25 +0100 Subject: [PATCH 5/6] Rust: Update test results following merge. --- .../CWE-327/BrokenCryptoAlgorithm.expected | 13 ++++++++++++ .../security/CWE-327/test_cipher.rs | 20 +++++++++---------- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected index 53374234338c..ef0a9e0d8063 100644 --- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected +++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected @@ -2,9 +2,22 @@ | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | The cryptographic algorithm RC4 | | test_cipher.rs:26:27:26:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:26:27:26:48 | ...::new(...) | The cryptographic algorithm RC4 | | test_cipher.rs:29:27:29:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:29:27:29:48 | ...::new(...) | The cryptographic algorithm RC4 | +| test_cipher.rs:59:29:59:45 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:59:29:59:45 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:63:23:63:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:63:23:63:42 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:67:23:67:47 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:47 | ...::new(...) | The cryptographic algorithm DES | | test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | The cryptographic algorithm DES | +| test_cipher.rs:75:23:75:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:23:75:42 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:79:27:79:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:79:27:79:46 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm DES | +| test_cipher.rs:92:24:92:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:48 | ...::new(...) | The cryptographic algorithm 3DES | +| test_cipher.rs:92:24:92:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:48 | ...::new(...) | The cryptographic algorithm DES | | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES | | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm DES | +| test_cipher.rs:101:23:101:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:42 | ...::new(...) | The cryptographic algorithm RC2 | +| test_cipher.rs:105:23:105:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:46 | ...::new_from_slice(...) | The cryptographic algorithm RC2 | | test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 | | test_cipher.rs:114:23:114:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:50 | ...::new(...) | The cryptographic algorithm RC5 | | test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 | diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs index de7e23a517f6..61471ac99ecf 100644 --- a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs +++ b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs @@ -56,15 +56,15 @@ fn test_block_cipher( aes_cipher3.decrypt_block(block128.into()); // des (broken) - let des_cipher0 : Des = Des::new(des_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher0 : Des = Des::new(des_key); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher0.encrypt_block(data.into()); des_cipher0.decrypt_block(data.into()); - let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher1 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher1.encrypt_block(data.into()); des_cipher1.decrypt_block(data.into()); - let des_cipher2 = des::Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher2 = des::Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher2.encrypt_block(data.into()); des_cipher2.decrypt_block(data.into()); @@ -72,24 +72,24 @@ fn test_block_cipher( des_cipher3.encrypt_block(data.into()); des_cipher3.decrypt_block(data.into()); - let des_cipher4 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let des_cipher4 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher4.encrypt_block_b2b(input.into(), data.into()); des_cipher4.decrypt_block_b2b(input.into(), data.into()); - let mut des_cipher5 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let mut des_cipher5 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] des_cipher5.encrypt_block_mut(data.into()); des_cipher5.decrypt_block_mut(data.into()); // triple des (broken) - let tdes_cipher1 = TdesEde2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher1 = TdesEde2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher1.encrypt_block(data.into()); tdes_cipher1.decrypt_block(data.into()); - let tdes_cipher2 = TdesEde3::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher2 = TdesEde3::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher2.encrypt_block(data.into()); tdes_cipher2.decrypt_block(data.into()); - let tdes_cipher3 = TdesEee2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let tdes_cipher3 = TdesEee2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] tdes_cipher3.encrypt_block(data.into()); tdes_cipher3.decrypt_block(data.into()); @@ -98,11 +98,11 @@ fn test_block_cipher( tdes_cipher4.decrypt_block(data.into()); // rc2 (broken) - let rc2_cipher1 = Rc2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher1 = Rc2::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm] rc2_cipher1.encrypt_block(data.into()); rc2_cipher1.decrypt_block(data.into()); - let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm] + let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ Alert[rust/weak-cryptographic-algorithm] rc2_cipher2.encrypt_block(data.into()); rc2_cipher2.decrypt_block(data.into()); From 401315c4f573d87991010a1b8a6b53c2de823a43 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 19 Aug 2025 09:22:53 +0100 Subject: [PATCH 6/6] Update rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll Co-authored-by: Tom Hvitved --- rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll index d21b658e8a74..51d00f795d7e 100644 --- a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll @@ -26,9 +26,8 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range { // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices`, `rc2::Rc2::new_with_eff_key_len` or similar. exists(CallExprBase ce, string rawAlgorithmName | ce = this.asExpr().getExpr() and - ce.getStaticTarget() - .getCanonicalPath() - .matches(["%::new", "%::new_from_slice", "%::new_with_eff_key_len", "%::new_from_slices"]) and + ce.getStaticTarget().getName().getText() = + ["new", "new_from_slice", "new_with_eff_key_len", "new_from_slices"] and // extract the algorithm name from the type of `ce` or its receiver. exists(Type t, TypePath tp | t = inferType([ce, ce.(MethodCallExpr).getReceiver()], tp) and