Merge pull request github#6425 from raulgarciamsft/insecureRandom_potential_fix

tamasvajk · web-flow · commit 763de4fff9be · 2021-08-19T11:16:26.000+02:00
C#: Adding Membership.GeneratePassword() as a bad source of random data
diff --git a/csharp/change-notes/2021-08-05-insecure-randomness.md b/csharp/change-notes/2021-08-05-insecure-randomness.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Membership.GeneratePassword()` has been added as a bad source of random data.
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.cs b/csharp/ql/src/Security Features/InsecureRandomness.cs
@@ -15,7 +15,7 @@ string GeneratePassword()
         password = "mypassword" + BitConverter.ToInt32(randomBytes);
     }
 
-    // GOOD: Password is generated using a cryptographically secure RNG
+    // BAD: Membership.GeneratePassword generates a password with a bias
     password = Membership.GeneratePassword(12, 3);
 
     return password;
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql
@@ -59,6 +59,13 @@ module Random {
       this.getExpr() =
         any(MethodCall mc |
           mc.getQualifier().getType().(RefType).hasQualifiedName("System", "Random")
+          or
+          // by using `% 87` on a `byte`, `System.Web.Security.Membership.GeneratePassword` has a bias
+          mc.getQualifier()
+              .getType()
+              .(RefType)
+              .hasQualifiedName("System.Web.Security", "Membership") and
+          mc.getTarget().hasName("GeneratePassword")
         )
     }
   }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs
@@ -73,4 +73,24 @@ public static string InsecureRandomStringFromIndexer(int length)
         }
         return result;
     }
+
+    public static string BiasPasswordGeneration()
+    {
+        // BAD: Membership.GeneratePassword generates a password with a bias
+        string password =  System.Web.Security.Membership.GeneratePassword(12, 3);
+        return password;
+    }
+
+}
+
+namespace System.Web.Security
+{
+    public static class Membership
+    {
+        public static string GeneratePassword(int length, int numberOfNonAlphanumericCharacters)
+        {
+            return "stub";
+        }
+
+    }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected
@@ -29,7 +29,9 @@ nodes
 | InsecureRandomness.cs:62:16:62:32 | call to method ToString : String | semmle.label | call to method ToString : String |
 | InsecureRandomness.cs:72:31:72:39 | call to method Next : Int32 | semmle.label | call to method Next : Int32 |
 | InsecureRandomness.cs:74:16:74:21 | access to local variable result : String | semmle.label | access to local variable result : String |
+| InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | semmle.label | call to method GeneratePassword |
 #select
 | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
 | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |
 | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | InsecureRandomness.cs:72:31:72:39 | call to method Next : Int32 | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:72:31:72:39 | call to method Next | call to method Next |
+| InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:80:28:80:81 | call to method GeneratePassword | call to method GeneratePassword |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Membership.GeneratePassword()` has been added as a bad source of random data.
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ string GeneratePassword()`
`15`	`15`	`password = "mypassword" + BitConverter.ToInt32(randomBytes);`
`16`	`16`	`}`
`17`	`17`
`18`		`- // GOOD: Password is generated using a cryptographically secure RNG`
	`18`	`+ // BAD: Membership.GeneratePassword generates a password with a bias`
`19`	`19`	`password = Membership.GeneratePassword(12, 3);`
`20`	`20`
`21`	`21`	`return password;`
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,13 @@ module Random {`
`59`	`59`	`this.getExpr() =`
`60`	`60`	`any(MethodCall mc \|`
`61`	`61`	`mc.getQualifier().getType().(RefType).hasQualifiedName("System", "Random")`
	`62`	`+ or`
	`63`	+ // by using `% 87` on a `byte`, `System.Web.Security.Membership.GeneratePassword` has a bias
	`64`	`+ mc.getQualifier()`
	`65`	`+ .getType()`
	`66`	`+ .(RefType)`
	`67`	`+ .hasQualifiedName("System.Web.Security", "Membership") and`
	`68`	`+ mc.getTarget().hasName("GeneratePassword")`
`62`	`69`	`)`
`63`	`70`	`}`
`64`	`71`	`}`