From 11a0a9f8af54477c2e2afab3afc83fa76b7b37c1 Mon Sep 17 00:00:00 2001 From: Jonas Jensen Date: Mon, 24 Feb 2025 13:25:16 +0100 Subject: [PATCH] Java: StaticInitializationVector with postprocess Use the new `postprocess` feature for the test of `StaticInitializationVector.ql`. This makes it easier to modify and test this query for diff-informed operation. --- .../StaticInitializationVector.expected | 63 +++++++++++++++++++ .../CWE-1204/StaticInitializationVector.java | 26 ++++---- .../CWE-1204/StaticInitializationVector.qlref | 4 ++ .../StaticInitializationVectorTest.expected | 0 .../StaticInitializationVectorTest.ql | 18 ------ 5 files changed, 80 insertions(+), 31 deletions(-) create mode 100644 java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.expected create mode 100644 java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.qlref delete mode 100644 java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.expected delete mode 100644 java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.expected b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.expected new file mode 100644 index 000000000000..efc00461e546 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.expected @@ -0,0 +1,63 @@ +#select +| StaticInitializationVector.java:19:51:19:56 | ivSpec | StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | StaticInitializationVector.java:19:51:19:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:13:21:13:81 | new byte[] | static initialization vector | +| StaticInitializationVector.java:32:51:32:56 | ivSpec | StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | StaticInitializationVector.java:32:51:32:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:26:21:26:32 | new byte[] | static initialization vector | +| StaticInitializationVector.java:48:51:48:56 | ivSpec | StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | StaticInitializationVector.java:48:51:48:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:39:21:39:32 | new byte[] | static initialization vector | +| StaticInitializationVector.java:64:51:64:56 | ivSpec | StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | StaticInitializationVector.java:64:51:64:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:55:30:58:9 | new byte[][] | static initialization vector | +| StaticInitializationVector.java:80:51:80:56 | ivSpec | StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | StaticInitializationVector.java:80:51:80:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:71:30:74:9 | new byte[][] | static initialization vector | +| StaticInitializationVector.java:96:51:96:56 | ivSpec | StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | StaticInitializationVector.java:96:51:96:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:88:13:88:23 | new byte[] | static initialization vector | +| StaticInitializationVector.java:96:51:96:56 | ivSpec | StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | StaticInitializationVector.java:96:51:96:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:89:13:89:24 | new byte[] | static initialization vector | +edges +| StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | StaticInitializationVector.java:15:61:15:62 | iv : byte[] | provenance | | +| StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:19:51:19:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:15:61:15:62 | iv : byte[] | StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:2 | +| StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | StaticInitializationVector.java:28:61:28:62 | iv : byte[] | provenance | | +| StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:32:51:32:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:28:61:28:62 | iv : byte[] | StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:2 | +| StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | StaticInitializationVector.java:44:54:44:55 | iv : byte[] | provenance | | +| StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | StaticInitializationVector.java:48:51:48:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:44:54:44:55 | iv : byte[] | StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:3 | +| StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | provenance | | +| StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:64:51:64:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:2 | +| StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | provenance | | +| StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:80:51:80:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:2 | +| StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | provenance | | +| StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | provenance | | +| StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | provenance | | +| StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:1 | +| StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | provenance | | +| StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:2 | +models +| 1 | Sink: javax.crypto; Cipher; true; init; (int,Key,AlgorithmParameterSpec); ; Argument[2]; encryption-iv; manual | +| 2 | Summary: javax.crypto.spec; GCMParameterSpec; true; GCMParameterSpec; ; ; Argument[1]; Argument[this]; taint; manual | +| 3 | Summary: javax.crypto.spec; IvParameterSpec; true; IvParameterSpec; ; ; Argument[0]; Argument[this]; taint; manual | +nodes +| StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | semmle.label | new byte[] : byte[] | +| StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec | +| StaticInitializationVector.java:15:61:15:62 | iv : byte[] | semmle.label | iv : byte[] | +| StaticInitializationVector.java:19:51:19:56 | ivSpec | semmle.label | ivSpec | +| StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] | +| StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec | +| StaticInitializationVector.java:28:61:28:62 | iv : byte[] | semmle.label | iv : byte[] | +| StaticInitializationVector.java:32:51:32:56 | ivSpec | semmle.label | ivSpec | +| StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] | +| StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | semmle.label | new IvParameterSpec(...) : IvParameterSpec | +| StaticInitializationVector.java:44:54:44:55 | iv : byte[] | semmle.label | iv : byte[] | +| StaticInitializationVector.java:48:51:48:56 | ivSpec | semmle.label | ivSpec | +| StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | semmle.label | new byte[][] : byte[][] | +| StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec | +| StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | semmle.label | ...[...] : byte[] | +| StaticInitializationVector.java:64:51:64:56 | ivSpec | semmle.label | ivSpec | +| StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | semmle.label | new byte[][] : byte[][] | +| StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec | +| StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | semmle.label | ...[...] : byte[] | +| StaticInitializationVector.java:80:51:80:56 | ivSpec | semmle.label | ivSpec | +| StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | semmle.label | {...} : byte[][] [[]] : byte[] | +| StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | semmle.label | new byte[] : byte[] | +| StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | semmle.label | new byte[] : byte[] | +| StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec | +| StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | semmle.label | ivs : byte[][] [[]] : byte[] | +| StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | semmle.label | ...[...] : byte[] | +| StaticInitializationVector.java:96:51:96:56 | ivSpec | semmle.label | ivSpec | +subpaths diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.java b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.java index dca6eb261ca1..4da986c4a3df 100644 --- a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.java +++ b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.java @@ -10,33 +10,33 @@ public class StaticInitializationVector { // BAD: AES-GCM with static IV from a byte array public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception { - byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; + byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv); SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } // BAD: AES-GCM with static IV from zero-initialized byte array public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception { - byte[] iv = new byte[16]; + byte[] iv = new byte[16]; // $Source GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv); SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } // BAD: AES-CBC with static IV from zero-initialized byte array public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception { - byte[] iv = new byte[16]; + byte[] iv = new byte[16]; // $Source for (byte i = 0; i < iv.length; i++) { iv[i] = 1; } @@ -45,7 +45,7 @@ public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } @@ -55,13 +55,13 @@ public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws E byte[][] staticIvs = new byte[][] { { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } - }; + }; // $Source GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]); SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } @@ -71,13 +71,13 @@ public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws E byte[][] staticIvs = new byte[][] { new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } - }; + }; // $Source GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]); SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } @@ -85,15 +85,15 @@ public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws E // BAD: AES-GCM with static IV from a multidimensional byte array public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception { byte[][] ivs = new byte[][] { - new byte[8], - new byte[16] + new byte[8], // $Source + new byte[16] // $Source }; GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]); SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $staticInitializationVector + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert cipher.update(plaintext); return cipher.doFinal(); } diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.qlref b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.qlref new file mode 100644 index 000000000000..a32d1e353f88 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVector.qlref @@ -0,0 +1,4 @@ +query: Security/CWE/CWE-1204/StaticInitializationVector.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.expected b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql deleted file mode 100644 index 5996cccdd4f4..000000000000 --- a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql +++ /dev/null @@ -1,18 +0,0 @@ -import java -import semmle.code.java.security.StaticInitializationVectorQuery -import utils.test.InlineExpectationsTest - -module StaticInitializationVectorTest implements TestSig { - string getARelevantTag() { result = "staticInitializationVector" } - - predicate hasActualResult(Location location, string element, string tag, string value) { - tag = "staticInitializationVector" and - exists(DataFlow::Node sink | StaticInitializationVectorFlow::flowTo(sink) | - sink.getLocation() = location and - element = sink.toString() and - value = "" - ) - } -} - -import MakeTest