|
1 | 1 | /** |
2 | 2 | * @name Unsafe usage of v1 version of Azure Storage client-side encryption. |
3 | 3 | * @description Using version v1 of Azure Storage client-side encryption is insecure, and may enable an attacker to decrypt encrypted data |
4 | | - * @kind problem |
| 4 | + * @kind path-problem |
5 | 5 | * @tags security |
6 | 6 | * experimental |
7 | 7 | * cryptography |
|
12 | 12 | */ |
13 | 13 |
|
14 | 14 | import python |
| 15 | +import semmle.python.dataflow.new.DataFlow |
15 | 16 | import semmle.python.ApiGraphs |
16 | 17 |
|
17 | | -predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) { |
18 | | - exists( |
19 | | - API::Node n, ControlFlowNode startingNode, Attribute attr, ControlFlowNode ctrlFlowNode, |
20 | | - Attribute attrUploadBlob, ControlFlowNode ctrlFlowNodeUploadBlob, string s1, string s2, |
21 | | - string s3 |
22 | | - | |
23 | | - call.getAChildNode() = attrUploadBlob and |
24 | | - node = ctrlFlowNode |
25 | | - | |
26 | | - s1 in ["key_encryption_key", "key_resolver_function"] and |
27 | | - s2 in ["ContainerClient", "BlobClient", "BlobServiceClient"] and |
28 | | - s3 = "upload_blob" and |
29 | | - n = API::moduleImport("azure").getMember("storage").getMember("blob").getMember(s2).getAMember() and |
30 | | - startingNode = n.getACall().getReturn().getAValueReachableFromSource().asExpr().getAFlowNode() and |
31 | | - startingNode.strictlyReaches(ctrlFlowNode) and |
32 | | - attr.getAFlowNode() = ctrlFlowNode and |
33 | | - attr.getName() = s1 and |
34 | | - ctrlFlowNode.strictlyReaches(ctrlFlowNodeUploadBlob) and |
35 | | - attrUploadBlob.getAFlowNode() = ctrlFlowNodeUploadBlob and |
36 | | - attrUploadBlob.getName() = s3 and |
37 | | - not exists( |
38 | | - Attribute attrBarrier, ControlFlowNode ctrlFlowNodeBarrier, AssignStmt astmt2, StrConst uc |
39 | | - | |
40 | | - startingNode.strictlyReaches(ctrlFlowNodeBarrier) and |
41 | | - attrBarrier.getAFlowNode() = ctrlFlowNodeBarrier and |
42 | | - attrBarrier.getName() = "encryption_version" and |
43 | | - uc = astmt2.getValue() and |
44 | | - uc.getText() in ["'2.0'", "2.0"] and |
45 | | - astmt2.getATarget().getAChildNode*() = attrBarrier and |
46 | | - ctrlFlowNodeBarrier.strictlyReaches(ctrlFlowNodeUploadBlob) |
| 18 | +API::Node getBlobServiceClient(boolean isSource) { |
| 19 | + isSource = true and |
| 20 | + result = |
| 21 | + API::moduleImport("azure") |
| 22 | + .getMember("storage") |
| 23 | + .getMember("blob") |
| 24 | + .getMember("BlobServiceClient") |
| 25 | + .getReturn() |
| 26 | + or |
| 27 | + isSource = true and |
| 28 | + result = |
| 29 | + API::moduleImport("azure") |
| 30 | + .getMember("storage") |
| 31 | + .getMember("blob") |
| 32 | + .getMember("BlobServiceClient") |
| 33 | + .getMember("from_connection_string") |
| 34 | + .getReturn() |
| 35 | +} |
| 36 | + |
| 37 | +API::CallNode getTransitionToContainerClient() { |
| 38 | + result = getBlobServiceClient(_).getMember("get_container_client").getACall() |
| 39 | + or |
| 40 | + result = getBlobClient(_).getMember("_get_container_client").getACall() |
| 41 | +} |
| 42 | + |
| 43 | +API::Node getContainerClient(boolean isSource) { |
| 44 | + isSource = false and |
| 45 | + result = getTransitionToContainerClient().getReturn() |
| 46 | + or |
| 47 | + isSource = true and |
| 48 | + result = |
| 49 | + API::moduleImport("azure") |
| 50 | + .getMember("storage") |
| 51 | + .getMember("blob") |
| 52 | + .getMember("ContainerClient") |
| 53 | + .getReturn() |
| 54 | + or |
| 55 | + isSource = true and |
| 56 | + result = |
| 57 | + API::moduleImport("azure") |
| 58 | + .getMember("storage") |
| 59 | + .getMember("blob") |
| 60 | + .getMember("ContainerClient") |
| 61 | + .getMember(["from_connection_string", "from_container_url"]) |
| 62 | + .getReturn() |
| 63 | +} |
| 64 | + |
| 65 | +API::CallNode getTransitionToBlobClient() { |
| 66 | + result = [getBlobServiceClient(_), getContainerClient(_)].getMember("get_blob_client").getACall() |
| 67 | +} |
| 68 | + |
| 69 | +API::Node getBlobClient(boolean isSource) { |
| 70 | + isSource = false and |
| 71 | + result = getTransitionToBlobClient().getReturn() |
| 72 | + or |
| 73 | + isSource = true and |
| 74 | + result = |
| 75 | + API::moduleImport("azure") |
| 76 | + .getMember("storage") |
| 77 | + .getMember("blob") |
| 78 | + .getMember("BlobClient") |
| 79 | + .getReturn() |
| 80 | + or |
| 81 | + isSource = true and |
| 82 | + result = |
| 83 | + API::moduleImport("azure") |
| 84 | + .getMember("storage") |
| 85 | + .getMember("blob") |
| 86 | + .getMember("BlobClient") |
| 87 | + .getMember(["from_connection_string", "from_blob_url"]) |
| 88 | + .getReturn() |
| 89 | +} |
| 90 | + |
| 91 | +API::Node anyClient(boolean isSource) { |
| 92 | + result in [getBlobServiceClient(isSource), getContainerClient(isSource), getBlobClient(isSource)] |
| 93 | +} |
| 94 | + |
| 95 | +newtype TAzureFlowState = |
| 96 | + MkUsesV1Encryption() or |
| 97 | + MkUsesNoEncryption() |
| 98 | + |
| 99 | +module AzureBlobClientConfig implements DataFlow::StateConfigSig { |
| 100 | + class FlowState = TAzureFlowState; |
| 101 | + |
| 102 | + predicate isSource(DataFlow::Node node, FlowState state) { |
| 103 | + state = MkUsesNoEncryption() and |
| 104 | + node = anyClient(true).asSource() |
| 105 | + } |
| 106 | + |
| 107 | + predicate isBarrier(DataFlow::Node node, FlowState state) { |
| 108 | + exists(state) and |
| 109 | + exists(DataFlow::AttrWrite attr | |
| 110 | + node = anyClient(_).getAValueReachableFromSource() and |
| 111 | + attr.accesses(node, "encryption_version") and |
| 112 | + attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"] |
47 | 113 | ) |
48 | | - ) |
| 114 | + or |
| 115 | + // small optimization to block flow with no encryption out of the post-update node |
| 116 | + // for the attribute assignment. |
| 117 | + isAdditionalFlowStep(_, MkUsesNoEncryption(), node, MkUsesV1Encryption()) and |
| 118 | + state = MkUsesNoEncryption() |
| 119 | + } |
| 120 | + |
| 121 | + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { |
| 122 | + exists(DataFlow::MethodCallNode call | |
| 123 | + call in [getTransitionToContainerClient(), getTransitionToBlobClient()] and |
| 124 | + node1 = call.getObject() and |
| 125 | + node2 = call |
| 126 | + ) |
| 127 | + } |
| 128 | + |
| 129 | + predicate isAdditionalFlowStep( |
| 130 | + DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2 |
| 131 | + ) { |
| 132 | + node1 = node2.(DataFlow::PostUpdateNode).getPreUpdateNode() and |
| 133 | + state1 = MkUsesNoEncryption() and |
| 134 | + state2 = MkUsesV1Encryption() and |
| 135 | + exists(DataFlow::AttrWrite attr | |
| 136 | + node1 = anyClient(_).getAValueReachableFromSource() and |
| 137 | + attr.accesses(node1, ["key_encryption_key", "key_resolver_function"]) |
| 138 | + ) |
| 139 | + } |
| 140 | + |
| 141 | + predicate isSink(DataFlow::Node node, FlowState state) { |
| 142 | + state = MkUsesV1Encryption() and |
| 143 | + exists(DataFlow::MethodCallNode call | |
| 144 | + call = getBlobClient(_).getMember("upload_blob").getACall() and |
| 145 | + node = call.getObject() |
| 146 | + ) |
| 147 | + } |
49 | 148 | } |
50 | 149 |
|
51 | | -from Call call, ControlFlowNode node |
52 | | -where isUnsafeClientSideAzureStorageEncryptionViaAttributes(call, node) |
53 | | -select node, "Unsafe usage of v1 version of Azure Storage client-side encryption." |
| 150 | +module AzureBlobClient = DataFlow::GlobalWithState<AzureBlobClientConfig>; |
| 151 | + |
| 152 | +import AzureBlobClient::PathGraph |
| 153 | + |
| 154 | +from AzureBlobClient::PathNode source, AzureBlobClient::PathNode sink |
| 155 | +where AzureBlobClient::flowPath(source, sink) |
| 156 | +select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption" |
0 commit comments