Remove additional taint step

luchua-bc · luchua-bc · commit 39103af71833 · 2021-01-08T13:02:57.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
@@ -50,13 +50,13 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     exists(
-      MethodAccess mda, MethodAccess mua // invoke `md.digest()` with only one call of `md.update(password)`, that is, without the call of `md.update(digest)`
+      MethodAccess mua, MethodAccess mda // invoke `md.digest()` with only one call of `md.update(password)`, that is, without the call of `md.update(digest)`
     |
-      sink.asExpr() = mda.getQualifier() and
+      sink.asExpr() = mua.getArgument(0) and
+      mua.getMethod() instanceof MDUpdateMethod and // md.update(password)
       mda.getMethod() instanceof MDDigestMethod and
       mda.getNumArgument() = 0 and // md.digest()
-      mua.getMethod() instanceof MDUpdateMethod and // md.update(password)
-      mua.getQualifier() = mda.getQualifier().(VarAccess).getVariable().getAnAccess() and
+      mda.getQualifier() = mua.getQualifier().(VarAccess).getVariable().getAnAccess() and
       not exists(MethodAccess mua2 |
         mua2.getMethod() instanceof MDUpdateMethod and // md.update(salt)
         mua2.getQualifier() = mua.getQualifier().(VarAccess).getVariable().getAnAccess() and
@@ -66,7 +66,7 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
     or
     // invoke `md.digest(password)` without another call of `md.update(salt)`
     exists(MethodAccess mda |
-      sink.asExpr() = mda and
+      sink.asExpr() = mda.getArgument(0) and
       mda.getMethod() instanceof MDDigestMethod and // md.digest(password)
       mda.getNumArgument() = 1 and
       not exists(MethodAccess mua |
@@ -75,15 +75,6 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
       )
     )
   }
-
-  /** Holds for additional steps that flow to additional method calls of the type `java.security.MessageDigest`. */
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      ma.getMethod().getDeclaringType() instanceof MessageDigest and
-      pred.asExpr() = ma.getAnArgument() and
-      (succ.asExpr() = ma or succ.asExpr() = ma.getQualifier())
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, HashWithoutSaltConfiguration c
diff --git a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected
@@ -1,11 +1,11 @@
 edges
-| HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:26:9:55 | digest(...) |
-| HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:16:26:16:27 | md |
+| HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:36:9:54 | getBytes(...) |
+| HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:15:13:15:31 | getBytes(...) |
 nodes
-| HashWithoutSalt.java:9:26:9:55 | digest(...) | semmle.label | digest(...) |
 | HashWithoutSalt.java:9:36:9:43 | password : String | semmle.label | password : String |
+| HashWithoutSalt.java:9:36:9:54 | getBytes(...) | semmle.label | getBytes(...) |
 | HashWithoutSalt.java:15:13:15:20 | password : String | semmle.label | password : String |
-| HashWithoutSalt.java:16:26:16:27 | md | semmle.label | md |
+| HashWithoutSalt.java:15:13:15:31 | getBytes(...) | semmle.label | getBytes(...) |
 #select
-| HashWithoutSalt.java:9:26:9:55 | digest(...) | HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:26:9:55 | digest(...) | $@ is hashed without a salt. | HashWithoutSalt.java:9:36:9:43 | password | The password |
-| HashWithoutSalt.java:16:26:16:27 | md | HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:16:26:16:27 | md | $@ is hashed without a salt. | HashWithoutSalt.java:15:13:15:20 | password | The password |
+| HashWithoutSalt.java:9:36:9:54 | getBytes(...) | HashWithoutSalt.java:9:36:9:43 | password : String | HashWithoutSalt.java:9:36:9:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:9:36:9:43 | password | The password |
+| HashWithoutSalt.java:15:13:15:31 | getBytes(...) | HashWithoutSalt.java:15:13:15:20 | password : String | HashWithoutSalt.java:15:13:15:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:15:13:15:20 | password | The password |
