diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
index f46b93fb266..7a6a3f946bc 100644
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
@@ -17,21 +17,22 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import experimental.semmle.python.security.TimingAttack
-import DataFlow::PathGraph
 
 /**
 * A configuration that tracks data flow from cryptographic operations
 * to equality test
 */
-class PossibleTimingAttackAgainstHash extends TaintTracking::Configuration {
- PossibleTimingAttackAgainstHash() { this = "PossibleTimingAttackAgainstHash" }
+private module PossibleTimingAttackAgainstHash implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
 
- override predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }
-
- override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+ predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
 }
 
-from PossibleTimingAttackAgainstHash config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module PossibleTimingAttackAgainstHashFlow = TaintTracking::Global;
+
+import PossibleTimingAttackAgainstHashFlow::PathGraph
+
+from PossibleTimingAttackAgainstHashFlow::PathNode source, PossibleTimingAttackAgainstHashFlow::PathNode sink
+where PossibleTimingAttackAgainstHashFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.",
 source.getNode().(ProduceCryptoCall).getResultType(), "message"
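Review bot: The new config module reuses the old class name `PossibleTimingAttackAgainstHash` with no `Config` suffix, so the config and flow modules are hard to tell apart at the instantiation line; `private module PossibleTimingAttackAgainstHashConfig implements DataFlow::ConfigSig` would pair cleanly with `PossibleTimingAttackAgainstHashFlow`. As rendered here the instantiation reads `TaintTracking::Global;` with no module argument. The `<...>` parameter was presumably lost in extraction, but it is worth confirming that the committed line passes the config module. `PossibleTimingAttackAgainstHashFlow` has no QLDoc of its own; something like `/** Taint flow from hash-producing calls to non-constant-time comparisons. */` would document it. The hunk shows no test expectations, so re-running this CWE-208 query's tests after the API migration would confirm the alert set is unchanged.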