New queries to detect unsafe client side encryption in Azure Storage

Author: raulgarciamsft

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs

@@ -0,0 +1,33 @@
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using an outdated SDK that does not support client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions() 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using the outdated client side encryption version V1_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // GOOD: Using client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v1</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.cs" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+
+  </references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,75 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
+ * @problem.severity error
+ * @precision high
+ */
+
+import csharp
+
+/**
+ * Holds if `oc` is creating an object of type `c` = `Azure.Storage.ClientSideEncryptionOptions`
+ * and `e` is the `version` argument to the contructor
+ */
+predicate isCreatingAzureClientSideEncryptionObject(ObjectCreation oc, Class c, Expr e) {
+  exists(Parameter p | p.hasName("version") |
+    c.getQualifiedName() in ["Azure.Storage.ClientSideEncryptionOptions"] and
+    oc.getTarget() = c.getAConstructor() and
+    e = oc.getArgumentForParameter(p)
+  )
+}
+
+/**
+ * Holds if `oc` is an object creation of the outdated type `c` = `Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy`
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(ObjectCreation oc, Class c) {
+  c.getQualifiedName() in ["Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy"] and
+  oc.getTarget() = c.getAConstructor()
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version knwon to support
+ * version 2+ for client-side encryption and if the argument for the constructor `version`
+ * is set to a secure value.
+ */
+predicate isObjectCreationSafe(Class c, Expr versionExpr, Assembly asm) {
+  // Check if the Azure.Storage assembly version has the fix
+  exists(int versionCompare |
+    versionCompare = asm.getVersion().compareTo("12.12.0.0") and
+    versionCompare >= 0
+  ) and
+  // and that the version argument for the constructor is guaranteed to be Version2
+  isExprAnAccessToSafeClientSideEncryptionVersionValue(versionExpr)
+}
+
+/**
+ * Holds if the expression `e` is an access to a safe version of the enum `ClientSideEncryptionVersion`
+ * or an equivalent numeric value
+ */
+predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
+  exists(EnumConstant ec |
+    ec.hasQualifiedName("Azure.Storage.ClientSideEncryptionVersion.V2_0") and
+    ec.getAnAccess() = e
+  )
+  or
+  e.getValue().toInt() >= 2
+}
+
+from Expr e, Class c, Assembly asm
+where
+  asm = c.getLocation() and
+  (
+    exists(Expr e2 |
+      isCreatingAzureClientSideEncryptionObject(e, c, e2) and
+      not isObjectCreationSafe(c, e2, asm)
+    )
+    or
+    isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+  )
+select e,
+  "Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING). See http://aka.ms/azstorageclientencryptionblog"

java/ql/src/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.java

@@ -0,0 +1,46 @@
+
+// BAD: Using an outdated SDK that does not support client side encryption version V2_0
+new EncryptedBlobClientBuilder()
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);
+
+// BAD: Using the deprecatedd client side encryption version V1_0
+new EncryptedBlobClientBuilder(EncryptionVersion.V1)
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);
+
+
+// GOOD: Using client side encryption version V2_0
+new EncryptedBlobClientBuilder(EncryptionVersion.V2)
+        .blobClient(blobClient)
+        .key(resolver.buildAsyncKeyEncryptionKey(keyid).block(), keyWrapAlgorithm)
+        .buildEncryptedBlobClient()
+        .uploadWithResponse(new BlobParallelUploadOptions(data)
+                        .setMetadata(metadata)
+                        .setHeaders(headers)
+                        .setTags(tags)
+                        .setTier(tier)
+                        .setRequestConditions(requestConditions)
+                        .setComputeMd5(computeMd5)
+                        .setParallelTransferOptions(parallelTransferOptions),
+                timeout, context);

java/ql/src/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v1</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.java" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+
+  </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,71 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id java/azure-storage/unsafe-client-side-encryption-in-use
+ * @problem.severity error
+ * @precision high
+ */
+
+import java
+
+/**
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+ * that takes no arguments, which means that it is using V1 encryption
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(Call call, Class c) {
+  exists(string package, string type, Constructor constructor |
+    c.hasQualifiedName(package, type) and
+    c.getAConstructor() = constructor and
+    call.getCallee() = constructor and
+    (
+      type = "EncryptedBlobClientBuilder" and
+      package = "com.azure.storage.blob.specialized.cryptography" and
+      not exists(Expr e | e = call.getArgument(0))
+      or
+      type = "BlobEncryptionPolicy" and package = "com.microsoft.azure.storage.blob"
+    )
+  )
+}
+
+/** 
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+ * that takes `versionArg` as the argument for the version.
+ */
+predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c, Expr versionArg) {
+  exists(string package, string type, Constructor constructor |
+    c.hasQualifiedName(package, type) and
+    c.getAConstructor() = constructor and
+    call.getCallee() = constructor and
+    type = "EncryptedBlobClientBuilder" and
+    package = "com.azure.storage.blob.specialized.cryptography" and
+    versionArg = call.getArgument(0)
+  )
+}
+
+/**
+ * Holds if the call `call` is an object creation for a class `EncryptedBlobClientBuilder` 
+ * that takes `versionArg` as the argument for the version, and the version number is safe
+ */
+predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
+  isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
+  exists(FieldRead fr, Field f |
+    fr = versionArg and
+    f.getAnAccess() = fr and
+    f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion", "V2")
+  )
+}
+
+from Expr e, Class c
+where
+  exists(Expr argVersion |
+    isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and
+    not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion)
+  )
+  or
+  isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+select e,
+  "Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING). See http://aka.ms/azstorageclientencryptionblog"

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.py

@@ -0,0 +1,7 @@
+blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
+    blob_client.require_encryption = True
+    blob_client.key_encryption_key = kek
+    # GOOD: Must use `encryption_version` set to `2.0`
+    blob_client.encryption_version = '2.0'  # Use Version 2.0!
+   with open(“decryptedcontentfile.txt”, “rb”) as stream:
+        blob_client.upload_blob(stream, overwrite=OVERWRITE_EXISTING)

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v1</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <p>The following example shows an HTTP request parameter being used directly in a forming a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.py" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+
+  </references>
+</qhelp>

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,55 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id python/azure-storage/unsafe-client-side-encryption-in-use
+ * @problem.severity error
+ * @precision medium
+ */
+
+import python
+
+predicate isUnsafeClientSideAzureStorageEncryptionViaAttributes(Call call, AttrNode node) {
+  exists(ControlFlowNode ctrlFlowNode, AssignStmt astmt, Attribute a |
+    astmt.getATarget() = a and
+    a.getAttr() in ["key_encryption_key", "key_resolver_function"] and
+    a.getAFlowNode() = node and
+    node.strictlyReaches(ctrlFlowNode) and
+    node != ctrlFlowNode and
+    call.getAChildNode().(Attribute).getAttr() = "upload_blob" and
+    ctrlFlowNode = call.getAFlowNode() and
+    not astmt.getValue() instanceof None and
+    not exists(AssignStmt astmt2, Attribute a2, AttrNode encryptionVersionSet, StrConst uc |
+      uc = astmt2.getValue() and
+      uc.getLiteralValue().toString() in ["'2.0'", "2.0"] and
+      a2.getAttr() = "encryption_version" and
+      a2.getAFlowNode() = encryptionVersionSet and
+      encryptionVersionSet.strictlyReaches(ctrlFlowNode)
+    )
+  )
+}
+
+predicate isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(Call call, ControlFlowNode node) {
+  exists(Keyword k | k.getAFlowNode() = node |
+    call.getFunc().(Name).getId().toString() in [
+        "ContainerClient", "BlobClient", "BlobServiceClient"
+      ] and
+    k.getArg() = "key_encryption_key" and
+    k = call.getANamedArg() and
+    not k.getValue() instanceof None and
+    not exists(Keyword k2 | k2 = call.getANamedArg() |
+      k2.getArg() = "encryption_version" and
+      k2.getValue().(StrConst).getLiteralValue().toString() in ["'2.0'", "2.0"]
+    )
+  )
+}
+
+from Call call, ControlFlowNode node
+where
+  isUnsafeClientSideAzureStorageEncryptionViaAttributes(call, node) or
+  isUnsafeClientSideAzureStorageEncryptionViaObjectCreation(call, node)
+select node,
+  "Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-PENDING). See http://aka.ms/azstorageclientencryptionblog"