Reduce the scope of the query to reduce FPs

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql

@@ -8,10 +8,8 @@
  */
 
 import java
-import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.TaintTracking2
-import semmle.code.java.dataflow.TaintTracking3
 import DataFlow::PathGraph
 
 /** The Java class `java.security.MessageDigest`. */
@@ -44,38 +42,91 @@ class MDUpdateMethod extends Method {
   }
 }
 
+/** The hashing method that could taint the input. */
+class MDHashMethodAccess extends MethodAccess {
+  MDHashMethodAccess() {
+    (
+      this.getMethod() instanceof MDDigestMethod or
+      this.getMethod() instanceof MDUpdateMethod
+    ) and
+    this.getNumArgument() != 0
+  }
+}
+
 /** Gets a regular expression for matching common names of variables that indicate the value being held is a password. */
 string getPasswordRegex() { result = "(?i).*pass(wd|word|code|phrase).*" }
 
 /** Finds variables that hold password information judging by their names. */
 class PasswordVarExpr extends Expr {
   PasswordVarExpr() {
-    exists(Variable v | this = v.getAnAccess() |
-      (
-        v.getName().toLowerCase().regexpMatch(getPasswordRegex()) and
-        not v.getName().toLowerCase().matches("%hash%") // Exclude variable names such as `passwordHash` since their values were already hashed
-      )
-    )
+    this.(VarAccess).getVariable().getName().toLowerCase().regexpMatch(getPasswordRegex()) and
+    not this.(VarAccess).getVariable().getName().toLowerCase().matches("%hash%") // Exclude variable names such as `passwordHash` since their values were already hashed
   }
 }
 
-/** Taint configuration tracking flow from an expression whose name suggests it holds password data to a method call that generates a hash without a salt. */
-class PasswordHashConfiguration extends TaintTracking3::Configuration {
-  PasswordHashConfiguration() { this = "PasswordHashConfiguration" }
-
-  override predicate isSource(DataFlow3::Node source) { source.asExpr() instanceof PasswordVarExpr }
-
-  override predicate isSink(DataFlow3::Node sink) {
-    exists(
-      MethodAccess ma // invoke `md.update(password)` without the call of `md.update(digest)`
-    |
-      sink.asExpr() = ma.getArgument(0) and
-      (
-        ma.getMethod() instanceof MDUpdateMethod or // md.update(password)
-        ma.getMethod() instanceof MDDigestMethod // md.digest(password)
-      )
+/** Holds if `Expr` e is an operand of `AddExpr`. */
+predicate hasAddExpr(AddExpr ae, Expr e) {
+  ae.getAnOperand() = e or
+  hasAddExpr(ae.getAnOperand(), e)
+}
+
+/** Holds if `MethodAccess` ma has a flow to another `MDHashMethodAccess` call. */
+predicate hasAnotherHashCall(MethodAccess ma) {
+  exists(MethodAccess ma2, DataFlow2::Node node1, DataFlow2::Node node2 |
+    ma2 instanceof MDHashMethodAccess and
+    ma2 != ma and
+    node1.asExpr() = ma.getAChildExpr() and
+    node2.asExpr() = ma2.getAChildExpr() and
+    (
+      TaintTracking2::localTaint(node1, node2) or
+      TaintTracking2::localTaint(node2, node1)
+    )
+  )
+}
+
+/** Holds if `MethodAccess` ma is a hashing call without a sibling node making another hashing call. */
+predicate isSingleHashMethodCall(MethodAccess ma) {
+  (
+    ma instanceof MDHashMethodAccess and
+    not hasAnotherHashCall(ma)
+  )
+}
+
+/** Holds if `MethodAccess` ma is invoked by `MethodAccess` ma2 either directly or indirectly. */
+predicate hasParentCall(MethodAccess ma2, MethodAccess ma) {
+  ma.getCaller() = ma2.getMethod() and
+  not ma2 instanceof MDHashMethodAccess
+  or
+  exists(MethodAccess ma3 |
+    ma.getCaller() = ma3.getMethod() and
+    not ma3 instanceof MDHashMethodAccess and
+    hasParentCall(ma2, ma3)
+  )
+}
+
+/** Holds if `MethodAccess` is a single hashing call. */
+predicate isSink(MethodAccess ma) {
+  isSingleHashMethodCall(ma) and
+  not exists(MethodAccess ma2 | hasParentCall(ma2, ma))
+}
+
+/** Sink of hashing calls. */
+class HashWithoutSaltSink extends DataFlow::ExprNode {
+  HashWithoutSaltSink() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getAnArgument() and
+      isSink(ma)
     )
   }
+}
+
+/** Taint configuration tracking flow from an expression whose name suggests it holds password data to a method call that generates a hash without a salt. */
+class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
+  HashWithoutSaltConfiguration() { this = "HashWithoutSaltConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof PasswordVarExpr }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof HashWithoutSaltSink }
 
   /**
    * Holds if a password is concatenated with a salt then hashed together through the call `System.arraycopy(password.getBytes(), ...)`, for example,
@@ -84,60 +135,26 @@ class PasswordHashConfiguration extends TaintTracking3::Configuration {
    *  `byte[] messageDigest = md.digest(allBytes);`
    * Or the password is concatenated with a salt as a string.
    */
-  override predicate isSanitizer(DataFlow3::Node node) {
+  override predicate isSanitizer(DataFlow::Node node) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "System") and
       ma.getMethod().hasName("arraycopy") and
       ma.getArgument(0) = node.asExpr()
     ) // System.arraycopy(password.getBytes(), ...)
     or
-    exists(AddExpr e | node.asExpr() = e.getAnOperand()) // password+salt
-  }
-}
-
-class PasswordDigestConfiguration extends TaintTracking2::Configuration {
-  PasswordDigestConfiguration() { this = "PasswordDigestConfiguration" }
-
-  override predicate isSource(DataFlow2::Node source) {
-    exists(MDConstructor mc | source.asExpr() = mc)
-  }
-
-  override predicate isSink(DataFlow2::Node sink) {
-    exists(MethodAccess ma |
-      (
-        ma.getMethod() instanceof MDUpdateMethod or
-        ma.getMethod() instanceof MDDigestMethod
-      ) and
-      exists(PasswordHashConfiguration cc | cc.hasFlowToExpr(ma.getAnArgument())) and
-      sink.asExpr() = ma.getQualifier()
-    )
-  }
-}
-
-class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
-  HashWithoutSaltConfiguration() { this = "HashWithoutSaltConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(PasswordDigestConfiguration pc | pc.hasFlow(source, _))
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
+    exists(AddExpr e | hasAddExpr(e, node.asExpr())) // password+salt
+    or
+    exists(ConditionalExpr ce | ce = node.asExpr()) // useSalt?password+":"+salt:password
+    or
     exists(MethodAccess ma |
-      ma.getMethod() instanceof MDDigestMethod and // md.digest(password)
-      sink.asExpr() = ma.getQualifier()
+      ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") and
+      ma.getMethod().hasName("append") and
+      ma.getArgument(0) = node.asExpr() // stringBuilder.append(password).append(salt)
     )
-  }
-
-  /** Holds if `md.update` or `md.digest` calls integrate something other than the password, perhaps a salt. */
-  override predicate isSanitizer(DataFlow::Node node) {
+    or
     exists(MethodAccess ma |
-      (
-        ma.getMethod() instanceof MDUpdateMethod
-        or
-        ma.getMethod() instanceof MDDigestMethod and ma.getNumArgument() != 0
-      ) and
-      node.asExpr() = ma.getQualifier() and
-      not exists(PasswordHashConfiguration cc | cc.hasFlowToExpr(ma.getAnArgument()))
+      ma.getQualifier().(VarAccess).getVariable().getType() instanceof Interface and
+      ma.getAnArgument() = node.asExpr() // Method access of interface type variables requires runtime determination
     )
   }
 }

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected

@@ -1,19 +1,11 @@
 edges
 | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) |
 | HashWithoutSalt.java:17:13:17:20 | password : String | HashWithoutSalt.java:17:13:17:31 | getBytes(...) |
-| HashWithoutSalt.java:98:22:98:29 | password : String | HashWithoutSalt.java:99:17:99:25 | passBytes : byte[] |
-| HashWithoutSalt.java:99:17:99:25 | passBytes : byte[] | SHA256.java:14:22:14:31 | foo : byte[] |
-| SHA256.java:14:22:14:31 | foo : byte[] | SHA256.java:15:15:15:17 | foo |
 nodes
 | HashWithoutSalt.java:10:36:10:43 | password : String | semmle.label | password : String |
 | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | semmle.label | getBytes(...) |
 | HashWithoutSalt.java:17:13:17:20 | password : String | semmle.label | password : String |
 | HashWithoutSalt.java:17:13:17:31 | getBytes(...) | semmle.label | getBytes(...) |
-| HashWithoutSalt.java:98:22:98:29 | password : String | semmle.label | password : String |
-| HashWithoutSalt.java:99:17:99:25 | passBytes : byte[] | semmle.label | passBytes : byte[] |
-| SHA256.java:14:22:14:31 | foo : byte[] | semmle.label | foo : byte[] |
-| SHA256.java:15:15:15:17 | foo | semmle.label | foo |
 #select
-| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:10:36:10:43 | password | The password |
-| HashWithoutSalt.java:17:13:17:31 | getBytes(...) | HashWithoutSalt.java:17:13:17:20 | password : String | HashWithoutSalt.java:17:13:17:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:17:13:17:20 | password | The password |
-| SHA256.java:15:15:15:17 | foo | HashWithoutSalt.java:98:22:98:29 | password : String | SHA256.java:15:15:15:17 | foo | $@ is hashed without a salt. | HashWithoutSalt.java:98:22:98:29 | password | The password |
+| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:10:36:10:43 | password : String | The password |
+| HashWithoutSalt.java:17:13:17:31 | getBytes(...) | HashWithoutSalt.java:17:13:17:20 | password : String | HashWithoutSalt.java:17:13:17:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:17:13:17:20 | password : String | The password |

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java

@@ -54,7 +54,12 @@ public String getSHA256Hash3(String password, byte[] salt) throws NoSuchAlgorith
 
 	// GOOD - Hash with a given salt stored somewhere else.
 	public String getSHA256Hash(String password, String salt) throws NoSuchAlgorithmException {
-		return hash(password+salt);
+		return hash(password+":"+salt);
+	}
+
+	// GOOD - Hash with a given salt stored somewhere else.
+	public String getSHA256Hash2(String password, String salt, boolean useSalt) throws NoSuchAlgorithmException {
+		return hash(useSalt?password+":"+salt:password);
 	}
 
 	// GOOD - Hash with a salt for a variable named passwordHash, whose value is a hash used as an input for a hashing function.
@@ -71,9 +76,9 @@ public void update(SHA256 sha256, byte[] foo, int start, int len) throws NoSuchA
 	public void update2(SHA256 sha256, byte[] foo, int start, int len) throws NoSuchAlgorithmException {
 		sha256.update(foo, start, len);
 	}
-	
-	// GOOD - Invoke a wrapper implementation with a salt.
-	public String getSHA256Hash4(String password) throws NoSuchAlgorithmException {
+
+	// BAD - Invoking a wrapper implementation without a salt is not detected.
+	public String getSHA256Hash4(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
 		SHA256 sha256 = new SHA256();
 		byte[] salt = getSalt();
 		byte[] passBytes = password.getBytes();
@@ -82,7 +87,7 @@ public String getSHA256Hash4(String password) throws NoSuchAlgorithmException {
 		return Base64.getEncoder().encodeToString(sha256.digest());
 	}
 
-	// GOOD - Invoke a wrapper implementation with a salt.
+	// BAD - Invoking a wrapper implementation without a salt is not detected.
 	public String getSHA256Hash5(String password) throws NoSuchAlgorithmException {
 		SHA256 sha256 = new SHA256();
 		byte[] salt = getSalt();
@@ -92,26 +97,25 @@ public String getSHA256Hash5(String password) throws NoSuchAlgorithmException {
 		return Base64.getEncoder().encodeToString(sha256.digest());
 	}
 
-	// BAD - Invoke a wrapper implementation without a salt.
+	// BAD - Invoking a wrapper implementation without a salt is not detected.
 	public String getSHA256Hash6(String password) throws NoSuchAlgorithmException {
 		SHA256 sha256 = new SHA256();
 		byte[] passBytes = password.getBytes();
 		sha256.update(passBytes, 0, passBytes.length);
 		return Base64.getEncoder().encodeToString(sha256.digest());
 	}
 
-	// GOOD - Invoke a wrapper implementation with a salt, which is only detectable when a class type is declared (not interface).
+	// BAD - Invoke a wrapper implementation with a salt, which is not detected with an interface type variable.
 	public String getSHA256Hash7(byte[] passphrase) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
-		Class c = Class.forName("SHA256");
-		HASH sha256 = (HASH) (c.newInstance());
+		Class c = Class.forName("SHA512");
+		HASH sha512 = (HASH) (c.newInstance());
 		byte[] tmp = new byte[4];
 		byte[] key = new byte[32 * 2];
 		for (int i = 0; i < 2; i++) {
-			sha256.init();
+			sha512.init();
 			tmp[3] = (byte) i;
-			sha256.update(tmp, 0, tmp.length);
-			sha256.update(passphrase, 0, passphrase.length);
-			System.arraycopy(sha256.digest(), 0, key, i * 32, 32);
+			sha512.update(passphrase, 0, passphrase.length);
+			System.arraycopy(sha512.digest(), 0, key, i * 32, 32);
 		}
 		return Base64.getEncoder().encodeToString(key);
 	}

java/ql/test/experimental/query-tests/security/CWE-759/SHA512.java

@@ -0,0 +1,21 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class SHA512 implements HASH {
+  MessageDigest md;
+  public int getBlockSize() {return 32;}
+  public void init() throws NoSuchAlgorithmException {
+    try { md = MessageDigest.getInstance("SHA-512"); }
+    catch (Exception e){
+      System.err.println(e);
+    }
+  }
+
+  public void update(byte[] foo, int start, int len) throws NoSuchAlgorithmException {
+    md.update(foo, start, len);
+  }
+
+  public byte[] digest() throws NoSuchAlgorithmException {
+    return md.digest();
+  }
+}