Merge pull request #2710 from LLLXXXCCC/DoNotHardCodedEncryptionKey
Hopefully fixed the bug.
LLLXXXCCC authored Jul 29, 2019
2 parents a1c8b3a + 9d09736 commit a1a198d
Showing 3 changed files with 42 additions and 19 deletions.
Expand Up @@ -187,7 +187,8 @@ public override void Initialize(AnalysisContext context)
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayInitializerOperation.Parent.Type as IArrayTypeSymbol))
if (arrayInitializerOperation.GetAncestor<IArrayCreationOperation>(OperationKind.ArrayCreation)?.Type is IArrayTypeSymbol arrayTypeSymbol
&& sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayTypeSymbol))
{
lock (rootOperationsNeedingAnalysis)
{
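Review bot: The `?.` on the new `GetAncestor<IArrayCreationOperation>(OperationKind.ArrayCreation)` lookup means an initializer with no array-creation ancestor skips the block that locks `rootOperationsNeedingAnalysis`, so a missed hard-coded key on that path is silent. A short comment above the `if` would record why `Parent` is no longer used and what is skipped, for example `// Nested initializers of a multi-dimensional array have an initializer as Parent; walk up to the owning array creation. Initializers without one are not analyzed.` The first half of that comment is inferred from the 2D test added in this commit rather than from this hunk. The same lookup is added to VisitArrayInitializer in the third file, and the lambda body continues outside the hunk.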
Expand Up @@ -79,7 +79,7 @@ public void TestMethod(byte[] someOtherBytesForIV)
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -94,11 +94,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateDecryptor_Diagnostic()
public void Test_HardcodedInByteArray_CreateDecryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -113,11 +113,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateDecryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateDecryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateDecryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArrayWithVariable_CreateEncryptor_Diagnostic()
public void Test_HardcodedInByteArrayWithVariable_CreateEncryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -133,11 +133,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(12, 9, 10, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(12, 9, 10, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_KeyProperty_Diagnostic()
public void Test_HardcodedInByteArray_KeyProperty_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -152,11 +152,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.Key = rgbKey;
}
}",
GetCSharpResultAt(11, 9, 9, 36, "byte[] SymmetricAlgorithm.Key", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "byte[] SymmetricAlgorithm.Key", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptorFromDerivedClassOfSymmetricAlgorithm_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptorFromDerivedClassOfSymmetricAlgorithm_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -171,11 +171,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
aes.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_Multivalues_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_Multivalues_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -197,12 +197,12 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(18, 9, 14, 33, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"),
GetCSharpResultAt(18, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(18, 9, 14, 22, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"),
GetCSharpResultAt(18, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_WithoutAssignment_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_WithoutAssignment_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -216,7 +216,7 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(new byte[] {1, 2, 3}, someOtherBytesForIV);
}
}",
GetCSharpResultAt(10, 9, 10, 41, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(10, 9, 10, 30, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
Expand All @@ -241,7 +241,7 @@ public void TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(17, 9, 13, 33, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)"));
GetCSharpResultAt(17, 9, 13, 22, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)"));
}

[Fact]
Expand Down Expand Up @@ -292,6 +292,26 @@ public void CreateEncryptor(byte[] rgbKey)
GetCSharpResultAt(16, 9, 9, 22, "byte[] SymmetricAlgorithm.Key", "void TestClass.CreateEncryptor(byte[] rgbKey)", "byte[] Convert.FromBase64String(string s)", "void TestClass.TestMethod()"));
}

[Fact]
public void Test_HardcodedIn2DByteArray_CreateEncryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
using System.Linq;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(byte[] someOtherBytesForIV)
{
byte[,] rgbKey = new byte[,] { { 1, 2, 3 }, { 4, 5, 6 } };
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
rijn.CreateEncryptor(rgbKey.Cast<byte>().ToArray(), someOtherBytesForIV);
}
}",
GetCSharpResultAt(12, 9, 10, 26, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[,]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_NotHardcoded_CreateEncryptor_NoDiagnostic()
{
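Review bot: The new 2D case and the visible neighbouring cases all build the key with an explicit `new byte[…] { … }`, so nothing here pins the analyzer's behaviour for other initializer shapes now that it depends on finding an `IArrayCreationOperation` ancestor, such as a bare initializer (`byte[] rgbKey = { 1, 2, 3 };`) or a jagged `byte[][]`. If either shape lacks that ancestor or resolves to a different one, the rule could stop reporting a hard-coded key without any test failing. Consider adding one Diagnostic case per shape next to Test_HardcodedIn2DByteArray_CreateEncryptor_Diagnostic, plus a 2D case in which one row is non-literal, so the expected result for partly constant keys is written down. The test class continues outside the hunk.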
Expand Up @@ -343,10 +343,12 @@ public override TaintedDataAbstractValue VisitArrayInitializer(IArrayInitializer
result = TaintedDataAbstractValue.MergeTainted(taintedAbstractValues);
}

if (this.DataFlowAnalysisContext.SourceInfos.IsSourceConstantArrayOfType(operation.Parent.Type as IArrayTypeSymbol)
IArrayCreationOperation arrayCreationOperation = operation.GetAncestor<IArrayCreationOperation>(OperationKind.ArrayCreation);
if (arrayCreationOperation?.Type is IArrayTypeSymbol arrayTypeSymbol
&& this.DataFlowAnalysisContext.SourceInfos.IsSourceConstantArrayOfType(arrayTypeSymbol)
&& operation.ElementValues.All(s => GetValueContentAbstractValue(s).IsLiteralState))
{
TaintedDataAbstractValue taintedDataAbstractValue = TaintedDataAbstractValue.CreateTainted(operation.Parent.Type, operation.Syntax, this.OwningSymbol);
TaintedDataAbstractValue taintedDataAbstractValue = TaintedDataAbstractValue.CreateTainted(arrayTypeSymbol, arrayCreationOperation.Syntax, this.OwningSymbol);
result = result == null ? taintedDataAbstractValue : TaintedDataAbstractValue.MergeTainted(result, taintedDataAbstractValue);
}
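Review bot: The all-literal check in the new condition runs over `operation.ElementValues`, i.e. only the initializer being visited, while the taint is now created for `arrayTypeSymbol` and `arrayCreationOperation.Syntax`, i.e. the whole array creation. If the visitor runs once per nested initializer of a `byte[,]` (which the new 2D test suggests), a single all-literal row marks the entire array as a hard-coded key even when other rows are computed. The outer initializer, whose elements are themselves initializers, presumably never satisfies `IsLiteralState`. That may be the intended conservative choice for a key-material rule, but it should be stated in a comment above the `if`, for example `// Each nested initializer is checked on its own; one all-literal row taints the enclosing array creation.` VisitArrayInitializer starts and ends outside the hunk.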
