
Commit b9d2a26

committed
Move ESAPI models into the Weak Randomness query
These models don't need to apply to all queries, so they are better suited to living within the weak randomness query itself.
1 parent 7f3995f commit b9d2a26


6 files changed

+17
-4
lines changed


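--- a/java/ql/lib/ext/org.owasp.esapi.model.yml
+++ b/java/ql/lib/ext/org.owasp.esapi.model.yml
@@ -3,5 +3,4 @@ extensions:
 pack: codeql/java-all
 extensible: summaryModel
 data:
-- ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-- ["org.owasp.esapi", "Encoder", true, "encodeForBase64", "(byte[],boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+- ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]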
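Review bot: The retained `encodeForHTML` summary row still lives in the shared `codeql/java-all` model pack, although the commit message says the ESAPI models are being moved into the weak randomness query, which now adds the same argument-to-return step itself. If the intent is to keep these models query-local, this row should go as well; if `encodeForHTML` is meant to remain a general taint summary, a one-line comment above `data:` saying so (and noting that `encodeForBase64` is now handled only inside the query) would keep the next reader from deleting it or from re-adding the Base64 row here. The rendered diff shows the removed and re-added `encodeForHTML` rows as identical, so the surviving row may differ only in a trailing newline; worth confirming that the duplication with the query step is intended.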

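--- a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -79,6 +79,14 @@ module WeakRandomnessConfig implements DataFlow::ConfigSig {
 n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand()
 or
 n1.asExpr() = n2.asExpr().(UnaryExpr).getExpr()
+or
+exists(MethodCall mc, string methodName |
+mc.getMethod().hasQualifiedName("org.owasp.esapi", "Encoder", methodName) and
+methodName.matches("encode%")
+|
+n1.asExpr() = mc.getArgument(0) and
+n2.asExpr() = mc
+)
 }
 }
 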
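Review bot: The new `exists` clause matches on `mc.getMethod().hasQualifiedName("org.owasp.esapi", "Encoder", methodName)`, which appears to bind only calls whose resolved callee is declared on the `Encoder` interface itself; a call through a receiver typed as an implementation such as `DefaultEncoder` (the stub this commit adds) resolves to the overriding method, whose declaring type is not `Encoder`, whereas the removed summary rows had `true` in the subtypes column and so did apply to overrides. Resolving through the override chain keeps that coverage, e.g. `exists(MethodCall mc, Method m, string methodName | m = mc.getMethod().getASourceOverriddenMethod*() and m.hasQualifiedName("org.owasp.esapi", "Encoder", methodName) and methodName.matches("encode%") | n1.asExpr() = mc.getArgument(0) and n2.asExpr() = mc)`. `methodName.matches("encode%")` also silently covers every present and future `encode*` method on `Encoder` and assumes argument 0 is the encoded value, so a comment above the clause would help: `// ESAPI encoders transform a value but add no entropy, so weak randomness flows from the first argument to the result.` The enclosing predicate (presumably `isAdditionalFlowStep`) starts outside the hunk.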

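--- a/java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java
+++ b/java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java
@@ -8,6 +8,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Cookie;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.owasp.esapi.Encoder;
 
 public class WeakRandomCookies extends HttpServlet {
 HttpServletResponse response;
@@ -20,9 +21,11 @@ public void doGet() {
 Cookie cookie = new Cookie("name", Integer.toString(c));
 response.addCookie(cookie); // $hasWeakRandomFlow
 
+Encoder enc = null;
 int c2 = r.nextInt();
+String value = enc.encodeForHTML(Integer.toString(c2));
 // BAD: The cookie value may be predictable.
-Cookie cookie2 = new Cookie("name" + c2, "value");
+Cookie cookie2 = new Cookie("name", value);
 response.addCookie(cookie2); // $hasWeakRandomFlow
 
 byte[] bytes = new byte[16];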
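Review bot: Replacing `new Cookie("name" + c2, "value")` with `new Cookie("name", value)` drops the one case in this hunk where the weak random value reaches the cookie name rather than its value, so the name argument of the `Cookie` constructor is no longer exercised unless another test covers it; keeping the old `cookie2` and adding a third cookie built from `value` would test both the name sink and the new ESAPI step. The new `Encoder enc = null;` is dereferenced on the next line and reads as a bug without context; a comment such as `Encoder enc = null; // never executed: only the flow through encodeForHTML is under test` would make the intent clear. `doGet` starts and ends outside the hunk.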
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7
1+
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../stubs/esapi-2.0.1

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/Encoder.java

Lines changed: 2 additions & 0 deletions

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/reference/DefaultEncoder.java

Lines changed: 1 addition & 0 deletions
