Cryptographic sinks

egregius313 · egregius313 · commit 63677b047640 · 2023-08-01T14:29:42.000-04:00
diff --git a/java/ql/lib/ext/java.security.spec.model.yml b/java/ql/lib/ext/java.security.spec.model.yml
@@ -0,0 +1,17 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.security.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[0..2]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "DSAPrivateKeySpec", False, "DSAPrivateKeySpec", "", "", "Argument[0..3]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "DSAPublicKeySpec", False, "DSAPublicKeySpec", "", "", "Argument[0..3]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "ECPrivateKeySpec", False, "ECPrivateKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "EncodedKeySpec", False, "EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "PKCS8EncodedKeySpec", False, "PKCS8EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "RSAMultiPrimePrivateCrtKeySpec", False, "RSAMultiPrimePrivateCrtKeySpec", "", "", "Argument[0..8]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "RSAPrivateCrtKeySpec", False, "RSAPrivateCrtKeySpec", "", "", "Argument[0..7]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "RSAPrivateKeySpec", False, "RSAPrivateKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "RSAPublicKeySpec", False, "RSAPublicKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
+      - ["java.security.spec", "X509EncodedKeySpec", False, "X509EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      
diff --git a/java/ql/lib/ext/javax.crypto.spec.model.yml b/java/ql/lib/ext/javax.crypto.spec.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.crypto.spec", "DESedeKeySpec", False, "DESedeKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "DESKeySpec", False, "DESKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "DHPrivateKeySpec", False, "DHPrivateKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "DHPublicKeySpec", False, "DHPublicKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "DHPublicKeySpec", False, "DHPublicKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "GCMParameterSpec", False, "GCMParameterSpec", "", "", "Argument[1]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "PBEParameterSpec", False, "PBEParameterSpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "RC2ParameterSpec", False, "RC2ParameterSpec", "", "", "Argument[1]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "RC5ParameterSpec", False, "RC25arameterSpec", "", "", "Argument[3]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+
diff --git a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.security.SensitiveActions
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.RandomQuery
 
 /**
@@ -108,6 +109,10 @@ private class SensitiveActionSink extends WeakRandomnessSink {
   SensitiveActionSink() { this.asExpr() instanceof SensitiveExpr }
 }
 
+private class CryptographicSink extends WeakRandomnessSink {
+  CryptographicSink() { sinkNode(this, "crypto-parameter") }
+}
+
 /**
  * Holds if there is a method access which converts `bytes` to the string `str`.
  */
