Merge pull request #9776 from raulgarciamsft/azure-sdk-client-encryption-version

New queries to detect unsafe client side encryption in Azure Storage

Author: yo-h

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs

@@ -0,0 +1,44 @@
+
+{
+    SymmetricKey aesKey = new SymmetricKey(kid: "symencryptionkey");
+
+    // BAD: Using the outdated client side encryption version V1_0
+    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key: aesKey, keyResolver: null);
+    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
+
+    MemoryStream stream = new MemoryStream(buffer);
+    blob.UploadFromStream(stream, length: size, accessCondition: null, options: uploadOptions);
+}
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using an outdated SDK that does not support client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions() 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using the outdated client side encryption version V1_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // GOOD: Using client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.cs" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,81 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
+ * @problem.severity error
+ * @precision high
+ */
+
+import csharp
+
+/**
+ * Holds if `oc` is creating an object of type `c` = `Azure.Storage.ClientSideEncryptionOptions`
+ * and `e` is the `version` argument to the constructor
+ */
+predicate isCreatingAzureClientSideEncryptionObject(ObjectCreation oc, Class c, Expr e) {
+  exists(Parameter p | p.hasName("version") |
+    c.hasQualifiedName("Azure.Storage.ClientSideEncryptionOptions") and
+    oc.getTarget() = c.getAConstructor() and
+    e = oc.getArgumentForParameter(p)
+  )
+}
+
+/**
+ * Holds if `oc` is an object creation of the outdated type `c` = `Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy`
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(ObjectCreation oc, Class c) {
+  c.hasQualifiedName("Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy") and
+  oc.getTarget() = c.getAConstructor()
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption
+ */
+predicate doesAzureStorageAssemblySupportSafeClientSideEncryption(Assembly asm) {
+  exists(int versionCompare |
+    versionCompare = asm.getVersion().compareTo("12.12.0.0") and
+    versionCompare >= 0
+  ) and
+  asm.getName() = "Azure.Storage.Common"
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption and if the argument for the constructor `version`
+ * is set to a secure value.
+ */
+predicate isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(Expr versionExpr, Assembly asm) {
+  // Check if the Azure.Storage assembly version has the fix
+  doesAzureStorageAssemblySupportSafeClientSideEncryption(asm) and
+  // and that the version argument for the constructor is guaranteed to be Version2
+  isExprAnAccessToSafeClientSideEncryptionVersionValue(versionExpr)
+}
+
+/**
+ * Holds if the expression `e` is an access to a safe version of the enum `ClientSideEncryptionVersion`
+ * or an equivalent numeric value
+ */
+predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
+  exists(EnumConstant ec |
+    ec.hasQualifiedName("Azure.Storage.ClientSideEncryptionVersion.V2_0") and
+    ec.getAnAccess() = e
+  )
+}
+
+from Expr e, Class c, Assembly asm
+where
+  asm = c.getLocation() and
+  (
+    exists(Expr e2 |
+      isCreatingAzureClientSideEncryptionObject(e, c, e2) and
+      not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
+    )
+    or
+    isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+  )
+select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."

java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.java

@@ -0,0 +1,46 @@
+
+// BAD: Using an outdated SDK that does not support client side encryption version V2_0
+new EncryptedBlobClientBuilder()
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);
+
+// BAD: Using the deprecatedd client side encryption version V1_0
+new EncryptedBlobClientBuilder(EncryptionVersion.V1)
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);
+
+
+// GOOD: Using client side encryption version V2_0
+new EncryptedBlobClientBuilder(EncryptionVersion.V2)
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);

java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>The Azure Storage SDK version 12.18.0 or later supports version <code>V2</code> for client-side encryption. All previous versions of Azure Storage SDK only support client-side encryption <code>V1</code> which is unsafe.</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>V2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.java" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,92 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id java/azure-storage/unsafe-client-side-encryption-in-use
+ * @problem.severity error
+ * @precision high
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * Holds if `call` is an object creation for a class `EncryptedBlobClientBuilder`
+ * that takes no arguments, which means that it is using V1 encryption.
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(Call call, Class c) {
+  exists(string package, string type, Constructor constructor |
+    c.hasQualifiedName(package, type) and
+    c.getAConstructor() = constructor and
+    call.getCallee() = constructor and
+    (
+      type = "EncryptedBlobClientBuilder" and
+      package = "com.azure.storage.blob.specialized.cryptography" and
+      constructor.hasNoParameters()
+      or
+      type = "BlobEncryptionPolicy" and package = "com.microsoft.azure.storage.blob"
+    )
+  )
+}
+
+/**
+ * Holds if `call` is an object creation for a class `EncryptedBlobClientBuilder`
+ * that takes `versionArg` as the argument specifying the encryption version.
+ */
+predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c, Expr versionArg) {
+  exists(string package, string type, Constructor constructor |
+    c.hasQualifiedName(package, type) and
+    c.getAConstructor() = constructor and
+    call.getCallee() = constructor and
+    type = "EncryptedBlobClientBuilder" and
+    package = "com.azure.storage.blob.specialized.cryptography" and
+    versionArg = call.getArgument(0)
+  )
+}
+
+/**
+ * A dataflow config that tracks `EncryptedBlobClientBuilder.version` argument initialization.
+ */
+private class EncryptedBlobClientBuilderSafeEncryptionVersionConfig extends DataFlow::Configuration {
+  EncryptedBlobClientBuilderSafeEncryptionVersionConfig() {
+    this = "EncryptedBlobClientBuilderSafeEncryptionVersionConfig"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(FieldRead fr, Field f | fr = source.asExpr() |
+      f.getAnAccess() = fr and
+      f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion",
+        "V2")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    isCreatingAzureClientSideEncryptionObjectNewVersion(_, _, sink.asExpr())
+  }
+}
+
+/**
+ * Holds if `call` is an object creation for a class `EncryptedBlobClientBuilder`
+ * that takes `versionArg` as the argument specifying the encryption version, and that version is safe.
+ */
+predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
+  isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
+  exists(EncryptedBlobClientBuilderSafeEncryptionVersionConfig config, DataFlow::Node sink |
+    sink.asExpr() = versionArg
+  |
+    config.hasFlow(_, sink)
+  )
+}
+
+from Expr e, Class c
+where
+  exists(Expr argVersion |
+    isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and
+    not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion)
+  )
+  or
+  isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.py

@@ -0,0 +1,7 @@
+blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
+blob_client.require_encryption = True
+blob_client.key_encryption_key = kek
+# GOOD: Must use `encryption_version` set to `2.0`
+blob_client.encryption_version = '2.0'  # Use Version 2.0!
+with open("decryptedcontentfile.txt", "rb") as stream:
+    blob_client.upload_blob(stream, overwrite=OVERWRITE_EXISTING)

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.py" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>