Ruby: Add Unsafe HMAC Comparison Query. #13825
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
owen-mc
changed the title
alexrford
requested changes
Jul 28, 2023
| } | ||
| } | ||
|
|
||
| class Configuration extends DataFlow::Configuration { |
There was a problem hiding this comment.
We're moving away from extending DataFlow::Configuration and instead towards implementing the DataFlow::ConfigSig module. This would look something like:
private module UnsafeHmacComparison {
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof OpenSslHmacHexdigest or
source instanceof OpenSslnewHmac or
source instanceof OpenSslHmacbase64digest or
source instanceof OpenSslHmacdigest or
source instanceof OpenSslHmactos
}
// Holds if a given sink is an Equality Operation (== or !=)
predicate isSink(DataFlow::Node sink) {
exists(EqualityOperation eqOp |
eqOp.getLeftOperand() = sink.asExpr().getExpr()
or
eqOp.getRightOperand() = sink.asExpr().getExpr()
)
}
}
import DataFlow::Global<Config>
}and then
from UnsafeHmacComparison::PathNode source, UnsafeHmacComparison::PathNode sink
where UnsafeHmacComparison::flowPath(source, sink)in the query itself.
There aren't that many Ruby examples yet, but rb/xpath-injection uses this format.
There was a problem hiding this comment.
Thanks - will this pattern end up being deprecated at some point? We currently use this in one of our internal query packs.
|
@alexrford - I am getting a compilation error with this query. Could you give me a hand getting it resolved? Thanks. |
alexrford
requested changes
Aug 10, 2023
Co-authored-by: Alex Ford <[email protected]>
Co-authored-by: Alex Ford <[email protected]>
alexrford
approved these changes
Sep 4, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi CodeQL Team,
This adds an experimental query to detect potential Timing Attacks against usages of Ruby HMACs. This rule is partially inspired by the Python one.
The False positive rate seems fairly low on this query, but I did notice a large string of false positives in the Ruby repository after I ran this query against the top 1000 repositories in GitHub. Because I am unsure of why there are so many FP results in that repo, I figured it would be best to have this be an experimental query.