Addressing feedback from the PR

raulgarciamsft · raulgarciamsft · commit d5791e2d56e8 · 2022-07-11T15:45:15.000-07:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -11,6 +11,7 @@
  */
 
 import java
+import semmle.code.java.dataflow.DataFlow
 
 /**
  * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
@@ -46,16 +47,37 @@ predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c
   )
 }
 
+/**
+ * A config that tracks `EncryptedBlobClientBuilder.version` argument initialization.
+ */
+private class EncryptedBlobClientBuilderEncryptionVersionConfig extends DataFlow::Configuration {
+  EncryptedBlobClientBuilderEncryptionVersionConfig() {
+    this = "EncryptedBlobClientBuilderEncryptionVersionConfig"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(FieldRead fr, Field f | fr = source.asExpr() |
+      f.getAnAccess() = fr and
+      f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion",
+        "V2")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    isCreatingAzureClientSideEncryptionObjectNewVersion(_, _, sink.asExpr())
+  }
+}
+
 /**
  * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder`
  * that takes `versionArg` as the argument for the version, and the version number is safe
  */
 predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
   isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
-  exists(FieldRead fr, Field f |
-    fr = versionArg and
-    f.getAnAccess() = fr and
-    f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion", "V2")
+  exists(EncryptedBlobClientBuilderEncryptionVersionConfig config, DataFlow::Node sink |
+    sink.asExpr() = versionArg
+  |
+    config.hasFlow(_, sink)
   )
 }
 
diff --git a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -11,6 +11,7 @@
  */
 
 import python
+import semmle.python.ApiGraphs
 
 predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
   exists(ControlFlowNode ctrlFlowNode, AssignStmt astmt, Attribute a |
@@ -33,8 +34,10 @@ predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrN
 }
 
 predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
-  exists(Keyword k | k.getAFlowNode() = node |
-    call.getFunc().(Name).getId() in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
+  exists(API::Node c, string s, Keyword k | k.getAFlowNode() = node |
+    c.getACall().asExpr() = call and
+    c = API::moduleImport("azure").getMember("storage").getMember("blob").getMember(s) and
+    s in ["ContainerClient", "BlobClient", "BlobServiceClient"] and
     k.getArg() = "key_encryption_key" and
     k = call.getANamedArg() and
     not k.getValue() instanceof None and
