Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Next parameter depending rules may not be handled #16

Closed
n1ckl0sk0rtge opened this issue Jun 12, 2024 · 0 comments · Fixed by #141
Closed

Next parameter depending rules may not be handled #16

n1ckl0sk0rtge opened this issue Jun 12, 2024 · 0 comments · Fixed by #141
Assignees
@n1ckl0sk0rtge
Labels
bug Something isn't working

Comments

@n1ckl0sk0rtge
Copy link
Member

n1ckl0sk0rtge commented Jun 12, 2024
edited
Loading

The problem

Let's consider this code line example:

GCMBlockCipher blockCipher = GCMBlockCipher.newInstance(AESEngine.newInstance())

Suppose we have a rule R1 to detect the call GCMBlockCipher.newInstance, and it has a depending detection rule R2 on its parameter to detect the call AESEngine.newInstance.
When R1 makes a finding, this code gets ultimately executed to handle depending detection rules (where expression is the argument, so here AESEngine.newInstance()):

However, because AESEngine.newInstance() is here a MethodInvocationTree, it will execute the first case and try to resolveValuesInOuterScope, without handling depending rules.

Note that if our code uses a intermediary variable engine instead (like below), this problem does not occur and depending rules are correctly handled.

AESEngine engine = AESEngine.newInstance();
GCMBlockCipher blockCipher = GCMBlockCipher.newInstance(engine)

Solution?

A trivial solution idea would be to just handle depending rules in any case, so removing the last line from the else statement, giving the following code:

if (expression instanceof MethodInvocationTree methodInvocationTree) {
    // methods are part of the outer scope
    resolveValuesInOuterScope(methodInvocationTree, parameter);
} else if (expression instanceof NewClassTree newClassTree
        && assignedSymbol.isEmpty()) {
    // follow expression directly, do not find matching expression in the method
    // scope
    detectionStore.onDetectedDependingParameter(
            parameter, newClassTree, DetectionStore.Scope.EXPRESSION);
}
// handle next rules
detectionStore.onDetectedDependingParameter(
        parameter, expressionTree, DetectionStore.Scope.ENCLOSED_METHOD);

However, while this easy fix correctly fixes our example above, it breaks 3 JCA unit tests (for reasons I have not investigated).
@n1ckl0sk0rtge n1ckl0sk0rtge added the bug Something isn't working label Jun 12, 2024
n1ckl0sk0rtge added a commit that referenced this issue Sep 11, 2024
@n1ckl0sk0rtge
fix #16
5aec2fd 
Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
@n1ckl0sk0rtge n1ckl0sk0rtge mentioned this issue Sep 11, 2024
Merged
@n1ckl0sk0rtge n1ckl0sk0rtge self-assigned this Sep 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@n1ckl0sk0rtge n1ckl0sk0rtge

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix issue #16 IBM/sonar-cryptography
1 participant
@n1ckl0sk0rtge