Better constant check in java/non-constant-time-crypto-comparison

artem-smotrakov · artem-smotrakov · commit c977fd09cb57 · 2021-08-01T09:47:04.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql
@@ -142,14 +142,19 @@ private class UserInputInComparisonConfig extends TaintTracking2::Configuration
   }
 }
 
+private predicate looksLikeConstant(Expr expr) {
+  expr.isCompileTimeConstant()
+  or
+  expr.(VarAccess).getVariable().isFinal() and expr.getType() instanceof TypeString
+}
+
 /**
  * A sink that compares input using a non-constant time algorithm.
  */
 private class NonConstantTimeComparisonSink extends DataFlow::Node {
   Expr anotherParameter;
 
   NonConstantTimeComparisonSink() {
-    not anotherParameter.isCompileTimeConstant() and
     (
       exists(NonConstantTimeEqualsCall call |
         this.asExpr() = call.getQualifier() and
@@ -167,7 +172,8 @@ private class NonConstantTimeComparisonSink extends DataFlow::Node {
           this.asExpr() = call.getArgument(1) and anotherParameter = call.getArgument(0)
         )
       )
-    )
+    ) and
+    not looksLikeConstant(anotherParameter)
   }
 
   predicate includesUserInput() {

Original file line number	Diff line number	Diff line change
`@@ -142,14 +142,19 @@ private class UserInputInComparisonConfig extends TaintTracking2::Configuration`
`142`	`142`	`}`
`143`	`143`	`}`
`144`	`144`
	`145`	`+private predicate looksLikeConstant(Expr expr) {`
	`146`	`+ expr.isCompileTimeConstant()`
	`147`	`+ or`
	`148`	`+ expr.(VarAccess).getVariable().isFinal() and expr.getType() instanceof TypeString`
	`149`	`+}`
	`150`	`+`
`145`	`151`	`/**`
`146`	`152`	`* A sink that compares input using a non-constant time algorithm.`
`147`	`153`	`*/`
`148`	`154`	`private class NonConstantTimeComparisonSink extends DataFlow::Node {`
`149`	`155`	`Expr anotherParameter;`
`150`	`156`
`151`	`157`	`NonConstantTimeComparisonSink() {`
`152`		`- not anotherParameter.isCompileTimeConstant() and`
`153`	`158`	`(`
`154`	`159`	`exists(NonConstantTimeEqualsCall call \|`
`155`	`160`	`this.asExpr() = call.getQualifier() and`
`@@ -167,7 +172,8 @@ private class NonConstantTimeComparisonSink extends DataFlow::Node {`
`167`	`172`	`this.asExpr() = call.getArgument(1) and anotherParameter = call.getArgument(0)`
`168`	`173`	`)`
`169`	`174`	`)`
`170`		`- )`
	`175`	`+ ) and`
	`176`	`+ not looksLikeConstant(anotherParameter)`
`171`	`177`	`}`
`172`	`178`
`173`	`179`	`predicate includesUserInput() {`