Add MaybeBrokenCryptoAlgorithmQuery

egregius313 · egregius313 · commit 4b7656491182 · 2023-05-04T10:15:00.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -0,0 +1,63 @@
+/**
+ * Provides classes and a taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
+ */
+
+import java
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dispatch.VirtualDispatch
+
+private class ShortStringLiteral extends StringLiteral {
+  ShortStringLiteral() { this.getValue().length() < 100 }
+}
+
+/**
+ * A string literal that may refer to an insecure cryptographic algorithm.
+ */
+class InsecureAlgoLiteral extends ShortStringLiteral {
+  InsecureAlgoLiteral() {
+    // Algorithm identifiers should be at least two characters.
+    this.getValue().length() > 1 and
+    exists(string s | s = this.getValue() |
+      not s.regexpMatch(getSecureAlgorithmRegex()) and
+      // Exclude results covered by another query.
+      not s.regexpMatch(getInsecureAlgorithmRegex())
+    )
+  }
+}
+
+private predicate objectToString(MethodAccess ma) {
+  exists(ToStringMethod m |
+    m = ma.getMethod() and
+    m.getDeclaringType() instanceof TypeObject and
+    DataFlow::exprNode(ma.getQualifier()).getTypeBound().getErasure() instanceof TypeObject
+  )
+}
+
+private class StringContainer extends RefType {
+  StringContainer() {
+    this instanceof TypeString or
+    this instanceof StringBuildingType or
+    this.hasQualifiedName("java.util", "StringTokenizer") or
+    this.(Array).getComponentType() instanceof StringContainer
+  }
+}
+
+/**
+ * A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
+ */
+module InsecureCryptoConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
+
+  predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
+
+  predicate isBarrier(DataFlow::Node n) {
+    objectToString(n.asExpr()) or
+    not n.getType().getErasure() instanceof StringContainer
+  }
+}
+
+/**
+ * Taint-tracking flow for use of potentially insecure cryptographic algorithms.
+ */
+module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -13,56 +13,7 @@
 
 import java
 import semmle.code.java.security.Encryption
-import semmle.code.java.dataflow.TaintTracking
-import DataFlow
-import semmle.code.java.dispatch.VirtualDispatch
-
-private class ShortStringLiteral extends StringLiteral {
-  ShortStringLiteral() { this.getValue().length() < 100 }
-}
-
-class InsecureAlgoLiteral extends ShortStringLiteral {
-  InsecureAlgoLiteral() {
-    // Algorithm identifiers should be at least two characters.
-    this.getValue().length() > 1 and
-    exists(string s | s = this.getValue() |
-      not s.regexpMatch(getSecureAlgorithmRegex()) and
-      // Exclude results covered by another query.
-      not s.regexpMatch(getInsecureAlgorithmRegex())
-    )
-  }
-}
-
-predicate objectToString(MethodAccess ma) {
-  exists(ToStringMethod m |
-    m = ma.getMethod() and
-    m.getDeclaringType() instanceof TypeObject and
-    exprNode(ma.getQualifier()).getTypeBound().getErasure() instanceof TypeObject
-  )
-}
-
-class StringContainer extends RefType {
-  StringContainer() {
-    this instanceof TypeString or
-    this instanceof StringBuildingType or
-    this.hasQualifiedName("java.util", "StringTokenizer") or
-    this.(Array).getComponentType() instanceof StringContainer
-  }
-}
-
-module InsecureCryptoConfig implements ConfigSig {
-  predicate isSource(Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
-
-  predicate isSink(Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
-
-  predicate isBarrier(Node n) {
-    objectToString(n.asExpr()) or
-    not n.getType().getErasure() instanceof StringContainer
-  }
-}
-
-module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
-
+import semmle.code.java.security.MaybeBrokenCryptoAlgorithmQuery
 import InsecureCryptoFlow::PathGraph
 
 from
