C++: fix FP and add paths in InsufficientKeySize

rdmarsh2 · rdmarsh2 · commit a37f746dffa2 · 2022-02-22T15:38:50.000-05:00
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -13,6 +13,7 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.DataFlow
 import semmle.code.cpp.ir.IR
+import DataFlow::PathGraph
 
 // Gets the recommended minimum key size (in bits) of `func`, the name of an encryption function that accepts a key size as parameter `paramIndex`
 int getMinimumKeyStrength(string func, int paramIndex) {
@@ -43,14 +44,16 @@ class KeyStrengthFlow extends DataFlow::Configuration {
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc, int param,
-  string name, int bits
+  DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc,
+  int param, string name, int minimumBits, int bits
 where
   conf.hasFlowPath(source, sink) and
   sink.getNode().asExpr() = fc.getArgument(param) and
   fc.getTarget().hasGlobalName(name) and
-  bits = getMinimumKeyStrength(name, param) and
-  source.getNode().asInstruction().(ConstantValueInstruction).getValue().toInt() < bits
+  minimumBits = getMinimumKeyStrength(name, param) and
+  bits = source.getNode().asInstruction().(ConstantValueInstruction).getValue().toInt() and
+  bits < minimumBits and
+  bits != 0
 select fc, source, sink,
-  "The key size $@ is less than the recommended key size of " + bits.toString() + " bits.", source,
-  source.toString()
+  "The key size $@ is less than the recommended key size of " + minimumBits.toString() + " bits.",
+  source, bits.toString()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected
@@ -1,3 +1,13 @@
+edges
+nodes
+| test.cpp:28:45:28:48 | 2048 | semmle.label | 2048 |
+| test.cpp:29:49:29:52 | 2048 | semmle.label | 2048 |
+| test.cpp:31:43:31:46 | 2048 | semmle.label | 2048 |
+| test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 |
+| test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 |
+| test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 |
+subpaths
+#select
 | test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 |
 | test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 |
 | test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 |
