Enhance the additional step flow and update qldoc

luchua-bc · luchua-bc · commit 19ff00bad421 · 2021-01-07T13:15:30.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.qhelp b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.qhelp
@@ -2,7 +2,7 @@
 <qhelp>
 
   <overview>
-    <p>In cryptography, "salt" is random data that are used as an additional input to a one-way function that hashes a password or pass-phrase. It makes dictionary attacks more difficult.</p>
+    <p>In cryptography, a salt is some random data used as an additional input to a one-way function that hashes a password or pass-phrase. It makes dictionary attacks more difficult.</p>
 
     <p>Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords.</p>
   </overview>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
@@ -1,8 +1,8 @@
 /**
- * @id java/hash-without-salt
- * @name Use of a One-Way Hash without a Salt
+ * @name Use of a hash function without a salt
  * @description Hashed passwords without a salt are vulnerable to dictionary attacks.
  * @kind path-problem
+ * @id java/hash-without-salt
  * @tags security
  *       external/cwe-759
  */
@@ -11,30 +11,28 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-/** The Java class `java.security.MessageDigest` */
+/** The Java class `java.security.MessageDigest`. */
 class MessageDigest extends RefType {
   MessageDigest() { this.hasQualifiedName("java.security", "MessageDigest") }
 }
 
 /** The method `digest()` declared in `java.security.MessageDigest`. */
 class MDDigestMethod extends Method {
   MDDigestMethod() {
-    getDeclaringType() instanceof MessageDigest and
-    hasName("digest")
+    this.getDeclaringType() instanceof MessageDigest and
+    this.hasName("digest")
   }
 }
 
 /** The method `update()` declared in `java.security.MessageDigest`. */
 class MDUpdateMethod extends Method {
   MDUpdateMethod() {
-    getDeclaringType() instanceof MessageDigest and
-    hasName("update")
+    this.getDeclaringType() instanceof MessageDigest and
+    this.hasName("update")
   }
 }
 
-/**
- * Gets a regular expression for matching common names of variables that indicate the value being held is a password.
- */
+/** Gets a regular expression for matching common names of variables that indicate the value being held is a password. */
 string getPasswordRegex() { result = "(?i).*pass(wd|word|code|phrase).*" }
 
 /** Finds variables that hold password information judging by their names. */
@@ -78,9 +76,11 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
     )
   }
 
-  /** Holds for additional steps such as `passwordStr.getBytes()` */
+  /** Holds for additional steps that flow to a method call of `update` or `digest` declared in `java.security.MessageDigest`. */
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof MessageDigest and
+      ma.getMethod().hasName(["digest", "update"]) and
       pred.asExpr() = ma.getAnArgument() and
       (succ.asExpr() = ma or succ.asExpr() = ma.getQualifier())
     )
