Update TimingAttack.qll

ahmed-farid-dev · web-flow · commit 4b3efa87dcf2 · 2023-02-16T14:01:29.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -292,6 +292,25 @@ class UserInputInComparisonConfig extends TaintTracking2::Configuration {
   }
 }
 
+/**
+ * A configuration tracing flow from  a client Secret obtained by an HTTP header to a len() function.
+ */
+private class ExcludeLenFunc extends TaintTracking2::Configuration {
+  ExcludeLenFunc() { this = "ExcludeLenFunc" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call call |
+      call.getFunc().(Name).getId() = "len" and
+      sink.asExpr() = call.getArg(0)
+    )
+  }
+}
+
+/**
+ * Holds if there is a fast-fail check.
+ */
 private class CompareSink extends DataFlow::Node {
   CompareSink() {
     exists(Compare compare |
@@ -321,4 +340,13 @@ private class CompareSink extends DataFlow::Node {
       )      
    )     
   }
+  
+/**
+ * Holds if there is a flow to len().
+ */
+  predicate FlowToLen() {
+    exists(ExcludeLenFunc config, DataFlow2::PathNode source, DataFlow2::PathNode sink |
+       config.hasFlowPath(source, sink)
+    )
+  }
 }
