From 3bf2705668a5b09b4aa91a9620207abb3e9b03b6 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Fri, 25 Aug 2023 17:23:51 +0200
Subject: [PATCH] Python: Move experimental `TimingAttackAgainstHeaderValue` to new dataflow API
---
 .../TimingAttackAgainstHeaderValue.ql | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
index 1f2ff8f50fb..a1da41530a8 100644
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
@@ -15,20 +15,26 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
  * A configuration tracing flow from a client Secret obtained by an HTTP header to a unsafe Comparison.
  */
-class ClientSuppliedSecretConfig extends TaintTracking::Configuration {
-  ClientSuppliedSecretConfig() { this = "ClientSuppliedSecretConfig" }
+private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
 }
 
-from ClientSuppliedSecretConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink) and not sink.getNode().(CompareSink).flowtolen()
+module TimingAttackAgainstHeaderValueFlow =
+  TaintTracking::Global;
+
+import TimingAttackAgainstHeaderValueFlow::PathGraph
+
+from
+  TimingAttackAgainstHeaderValueFlow::PathNode source,
+  TimingAttackAgainstHeaderValueFlow::PathNode sink
+where
+  TimingAttackAgainstHeaderValueFlow::flowPath(source, sink) and
+  not sink.getNode().(CompareSink).flowtolen()
 select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(), "client-supplied token"
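Review bot: The `not sink.getNode().(CompareSink).flowtolen()` exclusion in the new multi-line `where` clause is carried over with no comment explaining why comparison sinks whose value reaches `len()` are dropped, and the migration to `DataFlow::ConfigSig` was the natural moment to add one; a line such as `// presumably a comparison whose result only feeds a length check is not treated as a timing-sensitive equality test — confirm against CompareSink.flowtolen()` above the `not` would save the next maintainer a trip into `experimental.semmle.python.security.TimingAttack`. If that exclusion is meant to shape which sinks count at all, it could also live in `isSink` of `TimingAttackAgainstHeaderValueConfig` so the flow computation does not build paths that are discarded afterwards, though that is a design choice rather than a defect. As rendered here the alias reads `TaintTracking::Global;` with no configuration argument, which would not compile; most likely the `<TimingAttackAgainstHeaderValueConfig>` parameter was stripped on display, but it is worth confirming the applied patch carries it. The doc comment now above the `private module` still says "A configuration tracing flow ... to a unsafe Comparison"; "an unsafe comparison" and a mention that it implements `DataFlow::ConfigSig` would keep it accurate.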