Python: Update py/azure-storage/unsafe-client-side-encryption-in-use to use datafow

Author: RasmusWL

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -1,7 +1,7 @@
 /**
  * @name Unsafe usage of v1 version of Azure Storage client-side encryption.
  * @description Using version v1 of Azure Storage client-side encryption is insecure, and may enable an attacker to decrypt encrypted data
- * @kind problem
+ * @kind path-problem
  * @tags security
  *       experimental
  *       cryptography
@@ -15,33 +15,44 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 
-predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
-  exists(
-    API::Node client, DataFlow::AttrWrite keyAttrWrite, DataFlow::MethodCallNode uploadBlobCall
-  |
-    call = uploadBlobCall.asExpr() and node = keyAttrWrite.asCfgNode()
-  |
-    client =
-      API::moduleImport("azure")
-          .getMember("storage")
-          .getMember("blob")
-          .getMember(["ContainerClient", "BlobClient", "BlobServiceClient"])
-          .getAMember()
-          .getReturn() and
-    keyAttrWrite
-        .accesses(client.getAValueReachableFromSource(),
-          ["key_encryption_key", "key_resolver_function"]) and
-    uploadBlobCall.calls(client.getAValueReachableFromSource(), "upload_blob") and
-    DataFlow::localFlow(keyAttrWrite.getObject(), uploadBlobCall.getObject()) and
-    not exists(DataFlow::AttrWrite encryptionVersionWrite |
-      encryptionVersionWrite.accesses(client.getAValueReachableFromSource(), "encryption_version") and
-      encryptionVersionWrite.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"] and
-      DataFlow::localFlow(keyAttrWrite.getObject(), encryptionVersionWrite.getObject()) and
-      DataFlow::localFlow(encryptionVersionWrite.getObject(), uploadBlobCall.getObject())
+API::Node getClient() {
+  result =
+    API::moduleImport("azure")
+        .getMember("storage")
+        .getMember("blob")
+        .getMember(["ContainerClient", "BlobClient", "BlobServiceClient"])
+        .getAMember()
+        .getReturn()
+}
+
+module AzureBlobClientConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    exists(DataFlow::AttrWrite attr |
+      node = getClient().getAValueReachableFromSource() and
+      attr.accesses(node, ["key_encryption_key", "key_resolver_function"])
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(DataFlow::AttrWrite attr |
+      node = getClient().getAValueReachableFromSource() and
+      attr.accesses(node, "encryption_version") and
+      attr.getValue().asExpr().(StrConst).getText() in ["'2.0'", "2.0"]
     )
-  )
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(DataFlow::MethodCallNode call |
+      call = getClient().getMember("upload_blob").getACall() and
+      node = call.getObject()
+    )
+  }
 }
 
-from Call call, ControlFlowNode node
-where isUnsafeClientSideAzureStorageEncryptionViaAttributes(call, node)
-select node, "Unsafe usage of v1 version of Azure Storage client-side encryption."
+module AzureBlobClient = DataFlow::Global<AzureBlobClientConfig>;
+
+import AzureBlobClient::PathGraph
+
+from AzureBlobClient::PathNode source, AzureBlobClient::PathNode sink
+where AzureBlobClient::flowPath(source, sink)
+select sink, source, sink, "Unsafe usage of v1 version of Azure Storage client-side encryption"

python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/UnsafeUsageOfClientSideEncryptionVersion.expected

@@ -1 +1,20 @@
-| test.py:8:5:8:34 | ControlFlowNode for Attribute | Unsafe usage of v1 version of Azure Storage client-side encryption. |
+edges
+| test.py:8:5:8:15 | ControlFlowNode for blob_client | test.py:10:9:10:19 | ControlFlowNode for blob_client |
+| test.py:16:5:16:15 | ControlFlowNode for blob_client | test.py:22:9:22:19 | ControlFlowNode for blob_client |
+| test.py:38:5:38:15 | ControlFlowNode for blob_client | test.py:39:12:39:22 | ControlFlowNode for blob_client |
+| test.py:39:12:39:22 | ControlFlowNode for blob_client | test.py:43:10:43:33 | ControlFlowNode for get_unsafe_blob_client() |
+| test.py:43:10:43:33 | ControlFlowNode for get_unsafe_blob_client() | test.py:45:9:45:10 | ControlFlowNode for bc |
+nodes
+| test.py:8:5:8:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:10:9:10:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:16:5:16:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:22:9:22:19 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:38:5:38:15 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:39:12:39:22 | ControlFlowNode for blob_client | semmle.label | ControlFlowNode for blob_client |
+| test.py:43:10:43:33 | ControlFlowNode for get_unsafe_blob_client() | semmle.label | ControlFlowNode for get_unsafe_blob_client() |
+| test.py:45:9:45:10 | ControlFlowNode for bc | semmle.label | ControlFlowNode for bc |
+subpaths
+#select
+| test.py:10:9:10:19 | ControlFlowNode for blob_client | test.py:8:5:8:15 | ControlFlowNode for blob_client | test.py:10:9:10:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
+| test.py:22:9:22:19 | ControlFlowNode for blob_client | test.py:16:5:16:15 | ControlFlowNode for blob_client | test.py:22:9:22:19 | ControlFlowNode for blob_client | Unsafe usage of v1 version of Azure Storage client-side encryption |
+| test.py:45:9:45:10 | ControlFlowNode for bc | test.py:38:5:38:15 | ControlFlowNode for blob_client | test.py:45:9:45:10 | ControlFlowNode for bc | Unsafe usage of v1 version of Azure Storage client-side encryption |