Skip to content
This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Commit e89cd16

Browse files
smowtonsmowton
committed
Move query-specific flag definitions into their respective .ql files
1 parent f31ed52 commit e89cd16

3 files changed

Lines changed: 41 additions & 41 deletions

File tree

ql/src/Security/CWE-295/DisabledCertificateCheck.ql

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,25 @@ predicate becomesPartOf(DataFlow::Node part, DataFlow::Node whole) {
3636
exists(Write w | w.writesField(whole.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, part))
3737
}
3838

39+
/**
40+
* Flags suggesting a deliberately insecure certificate setup.
41+
*/
42+
class InsecureCertificateFlag extends FlagKind {
43+
InsecureCertificateFlag() { this = "insecureCertificate" }
44+
45+
bindingset[result]
46+
override string getAFlagName() {
47+
result.regexpMatch("(?i).*(selfCert|selfSign|validat|verif|trust).*")
48+
}
49+
}
50+
51+
/**
52+
* Gets a control-flow node that represents a (likely) flag controlling an insecure certificate setup.
53+
*/
54+
ControlFlow::ConditionGuardNode getAnInsecureCertificateCheck() {
55+
result.ensures(getAFlag(any(InsecureCertificateFlag f)).getANode(), _)
56+
}
57+
3958
/**
4059
* Returns flag kinds relevant to this query: a generic security feature flag, or one
4160
* specifically controlling insecure certificate configuration.

ql/src/Security/CWE-327/InsecureTLS.ql

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -226,6 +226,28 @@ predicate isInsecureTlsCipherFlow(DataFlow::PathNode source, DataFlow::PathNode
226226
)
227227
}
228228

229+
/**
230+
* Flags suggesting support for an old or legacy TLS version.
231+
*
232+
* We accept 'intermediate' because it appears to be common for TLS users
233+
* to define three profiles: modern, intermediate, legacy/old, perhaps based
234+
* on https://wiki.mozilla.org/Security/Server_Side_TLS (though note the
235+
* 'intermediate' used there would now pass muster according to this query)
236+
*/
237+
class LegacyTlsVersionFlag extends FlagKind {
238+
LegacyTlsVersionFlag() { this = "legacyTlsVersion" }
239+
240+
bindingset[result]
241+
override string getAFlagName() { result.regexpMatch("(?i).*(old|intermediate|legacy).*") }
242+
}
243+
244+
/**
245+
* Gets a control-flow node that represents a (likely) flag controlling TLS version selection.
246+
*/
247+
ControlFlow::ConditionGuardNode getALegacyTlsVersionCheck() {
248+
result.ensures(getAFlag(any(LegacyTlsVersionFlag f)).getANode(), _)
249+
}
250+
229251
/**
230252
* Returns flag kinds relevant to this query: a generic security feature flag, or one
231253
* specifically controlling TLS version selection.

ql/src/semmle/go/security/InsecureFeatureFlag.qll

Lines changed: 0 additions & 41 deletions
Original file line numberDiff line numberDiff line change
@@ -28,33 +28,6 @@ module InsecureFeatureFlag {
2828
override string getAFlagName() { result.regexpMatch("(?i).*(secure|(en|dis)able).*") }
2929
}
3030

31-
/**
32-
* Flags suggesting support for an old or legacy TLS version.
33-
*
34-
* We accept 'intermediate' because it appears to be common for TLS users
35-
* to define three profiles: modern, intermediate, legacy/old, perhaps based
36-
* on https://wiki.mozilla.org/Security/Server_Side_TLS (though note the
37-
* 'intermediate' used there would now pass muster according to this query)
38-
*/
39-
class LegacyTlsVersionFlag extends FlagKind {
40-
LegacyTlsVersionFlag() { this = "legacyTlsVersion" }
41-
42-
bindingset[result]
43-
override string getAFlagName() { result.regexpMatch("(?i).*(old|intermediate|legacy).*") }
44-
}
45-
46-
/**
47-
* Flags suggesting a deliberately insecure certificate setup.
48-
*/
49-
class InsecureCertificateFlag extends FlagKind {
50-
InsecureCertificateFlag() { this = "insecureCertificate" }
51-
52-
bindingset[result]
53-
override string getAFlagName() {
54-
result.regexpMatch("(?i).*(selfCert|selfSign|validat|verif|trust).*")
55-
}
56-
}
57-
5831
/** Gets a global value number representing a (likely) security flag. */
5932
GVN getAFlag(FlagKind flagKind) {
6033
// a call like `cfg.disableVerification()`
@@ -142,18 +115,4 @@ module InsecureFeatureFlag {
142115
ControlFlow::ConditionGuardNode getASecurityFeatureFlagCheck() {
143116
result.ensures(getAFlag(any(SecurityFeatureFlag f)).getANode(), _)
144117
}
145-
146-
/**
147-
* Gets a control-flow node that represents a (likely) flag controlling TLS version selection.
148-
*/
149-
ControlFlow::ConditionGuardNode getALegacyTlsVersionCheck() {
150-
result.ensures(getAFlag(any(LegacyTlsVersionFlag f)).getANode(), _)
151-
}
152-
153-
/**
154-
* Gets a control-flow node that represents a (likely) flag controlling an insecure certificate setup.
155-
*/
156-
ControlFlow::ConditionGuardNode getAnInsecureCertificateCheck() {
157-
result.ensures(getAFlag(any(InsecureCertificateFlag f)).getANode(), _)
158-
}
159118
}

0 commit comments

Comments
 (0)