Skip to content

Java: Add MaDs for java.crypto.KDF #20345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Java: Add MaDs for java.crypto.KDF #20345

wants to merge 5 commits into from

Conversation

IdrissRio
Copy link
Contributor

@IdrissRio IdrissRio commented Sep 2, 2025
edited
Loading

@IdrissRio IdrissRio changed the base branch from main to idrissrio/java-upgrade-fix September 2, 2025 11:00
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 2, 2025

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4
+    Java extensions,"``javax.*``, ``jakarta.*``",87,4189,90,10,4,2,1,1,4
-    Totals,,330,26328,2656,404,16,128,33,1,409
+    Totals,,330,26358,2656,404,16,128,33,1,409
  • Changes to framework-coverage-java.csv:
- javax.crypto,19,,114,,,12,3,,2,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,61,53
+ javax.crypto,19,,144,,,12,3,,2,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,83,61

@IdrissRio IdrissRio marked this pull request as ready for review September 2, 2025 11:40
@IdrissRio IdrissRio requested a review from a team as a code owner September 2, 2025 11:40
@Copilot Copilot AI review requested due to automatic review settings September 2, 2025 11:40
Copilot
Copilot AI reviewed Sep 2, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds Model as Data (MaD) support for the java.crypto.KDF API, enabling taint tracking through Key Derivation Function operations. The changes include comprehensive taint flow models for KDF operations and HKDF parameter specifications.

  • Adds taint flow models for javax.crypto.KDF class methods
  • Adds taint flow models for javax.crypto.spec.HKDFParameterSpec and its builder pattern
  • Includes comprehensive test coverage for various KDF usage patterns

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
java/ql/lib/ext/javax.crypto.model.yml Adds summary models for KDF class methods including deriveKey and deriveData
java/ql/lib/ext/javax.crypto.spec.model.yml Adds taint flow models for HKDF parameter specification builder methods and constructors
java/ql/test/library-tests/dataflow/kdf/test.ql Test query for verifying taint flow through KDF operations
java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java Comprehensive test cases covering various KDF usage patterns
java/ql/test/library-tests/dataflow/kdf/options Compilation options enabling Java 25 preview features
java/ql/lib/change-notes/2025-09-02-kdf-api.md Release notes documenting the new KDF taint flow support

java/ql/lib/ext/javax.crypto.spec.model.yml Outdated
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addSalt", "(SecretKey)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "thenExpand", "(byte[],int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "thenExpand", "(byte[],int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec", False, "ofExtract", "()", "", "", "ReturnValue", "taint", "manual"]
Copy link
Preview

Copilot AI Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ofExtract() method creates a clean builder instance and should not propagate taint by itself. Taint should only flow when actual key material is added via addIKM() methods. This model could lead to false positives where clean HKDF operations are flagged as tainted.

Suggested change
- ["javax.crypto.spec", "HKDFParameterSpec", False, "ofExtract", "()", "", "", "ReturnValue", "taint", "manual"]

Copilot uses AI. Check for mistakes.

@IdrissRio IdrissRio force-pushed the idrissrio/java-upgrade-fix branch from a34b362 to 5d2268f Compare September 2, 2025 18:19
@IdrissRio IdrissRio requested a review from a team as a code owner September 2, 2025 18:19
aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
java/ql/lib/ext/javax.crypto.model.yml
- ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,Provider)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
- ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,String)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
- ["javax.crypto", "KDF", True, "getAlgorithm", "()", "", "Argument[this].SyntheticField[javax.crypto.KDF.algorithm]", "ReturnValue", "value", "manual"]
- ["javax.crypto", "KDF", True, "getProvider", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line looks suspicious. It suggests that getProvider() is implemented as return this. Should this have been a taint model rather than a value-preserving step?

aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
java/ql/lib/ext/javax.crypto.spec.model.yml
Comment on lines +10 to +12
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[this]", "ReturnValue", "taint", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a fluent method so the flow from this to return should be value. Once that's fixed, the two lines above will contain redundant information, as MaD has some support for fluent apis: You only need to provide the taint model that taints the argument - then the model that taints the output will be automatically added.

Suggested change
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["javax.crypto.spec", "HKDFParameterSpec$Builder", True, "addIKM", "(byte[])", "", "Argument[this]", "ReturnValue", "value", "manual"]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same applies to the other fluent api models below.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I'll fix this 👍

aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
java/ql/test-kotlin1/library-tests/java-kotlin-collection-type-generic-methods/test.expected
@@ -16,30 +16,6 @@ methodWithDuplicate
| AbstractCollection<E> | removeAll | Collection<?> |
| AbstractCollection<E> | retainAll | Collection<?> |
| AbstractCollection<E> | toArray | T[] |
| AbstractCollection<Entry<K,V>> | add | Entry<K,V> |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This diff doesn't belong on this PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, none of the Kotlin changes are part of this PR. I updated the base to idrissrio/java-upgrade-fix, so that commit now appears as well. Rebasing should remove it from the UI. You can safely ignore anything related to Kotlin.

aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java

KDF kdf = KDF.getInstance("HKDF-SHA256");
byte[] result = kdf.deriveData(spec);
sink(result); // should flag
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please use inline expectation

Base automatically changed from idrissrio/java-upgrade-fix to main September 4, 2025 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@IdrissRio @aschackmull