Merge pull request #10116 from atorralba/atorralba/static-init-vector-fix

atorralba · web-flow · commit 085c12a51fd9 · 2022-08-23T11:38:41.000+02:00
Java: Improve Static Initialization Vector query
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -54,10 +54,25 @@ private class ArrayUpdate extends Expr {
       ma = this and
       ma.getArgument(0) = array
     |
-      m.hasQualifiedName("java.io", "InputStream", "read") or
+      m.getAnOverride*().hasQualifiedName("java.io", ["InputStream", "RandomAccessFile"], "read") or
+      m.getAnOverride*().hasQualifiedName("java.io", "DataInput", "readFully") or
       m.hasQualifiedName("java.nio", "ByteBuffer", "get") or
       m.hasQualifiedName("java.security", "SecureRandom", "nextBytes") or
-      m.hasQualifiedName("java.util", "Random", "nextBytes")
+      m.hasQualifiedName("java.util", "Random", "nextBytes") or
+      m.hasQualifiedName("java.util.zip", "Inflater", "inflate") or
+      m.hasQualifiedName("io.netty.buffer", "ByteBuf", "readBytes") or
+      m.getAnOverride*().hasQualifiedName("org.bouncycastle.crypto", "Digest", "doFinal")
+    )
+    or
+    exists(MethodAccess ma, Method m |
+      m = ma.getMethod() and
+      ma = this and
+      ma.getArgument(1) = array
+    |
+      m.hasQualifiedName("org.apache.commons.io", "IOUtils", ["read", "readFully"]) or
+      m.hasQualifiedName("io.netty.buffer", "ByteBuf", "getBytes") or
+      m.hasQualifiedName("org.bouncycastle.crypto.generators",
+        any(string s | s.matches("%BytesGenerator")), "generateBytes")
     )
   }
 
@@ -95,17 +110,15 @@ private class StaticInitializationVectorSource extends DataFlow::Node {
 }
 
 /**
- * A sink that initializes a cipher for encryption with unsafe parameters.
+ * A sink that initializes a cipher with unsafe parameters.
  */
 private class EncryptionInitializationSink extends DataFlow::Node {
   EncryptionInitializationSink() {
-    exists(MethodAccess ma, Method m, FieldRead fr | m = ma.getMethod() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
       m.hasQualifiedName("javax.crypto", "Cipher", "init") and
       m.getParameterType(2)
           .(RefType)
           .hasQualifiedName("java.security.spec", "AlgorithmParameterSpec") and
-      fr.getField().hasQualifiedName("javax.crypto", "Cipher", "ENCRYPT_MODE") and
-      DataFlow::localExprFlow(fr, ma.getArgument(0)) and
       ma.getArgument(2) = this.asExpr()
     )
   }
diff --git a/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md b/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.