Skip to content

JS: add crypto.pseudoRandomBytes as source in InsecureRandomness.ql #632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 13, 2018
Merged

JS: add crypto.pseudoRandomBytes as source in InsecureRandomness.ql #632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a01a9dc
JS: add crypto.pseudoRandomBytes as source in InsecureRandomness.ql
asger-semmle Dec 6, 2018
4fc27aa
Merge branch 'master' into pseudo-random-bytes
Dec 12, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions change-notes/1.20/analysis-javascript.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
| **Query** | **Expected impact** | **Change** |
|--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
| Client-side cross-site scripting | More results | This rule now recognizes WinJS functions that are vulnerable to HTML injection. |
| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
| Unused parameter | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |

Expand Down
5 changes: 4 additions & 1 deletion javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ module InsecureRandomness {
* A simple random number generator that is not cryptographically secure.
*/
class DefaultSource extends Source, DataFlow::ValueNode {
override CallExpr astNode;
override InvokeExpr astNode;

DefaultSource() {
exists(DataFlow::ModuleImportNode mod, string name | mod.getPath() = name |
Expand Down Expand Up @@ -98,6 +98,9 @@ module InsecureRandomness {
or
// (new require('chance')).<name>()
this = DataFlow::moduleImport("chance").getAnInstantiation().getAMemberInvocation(_)
or
// require('crypto').pseudoRandomBytes()
this = DataFlow::moduleMember("crypto", "pseudoRandomBytes").getAnInvocation()
}
}

Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/test/library-tests/Security/CWE-338/InsecureRandomnessSource.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,5 @@
| tst.js:15:1:15:12 | randomSeed() |
| tst.js:18:1:18:14 | uniqueRandom() |
| tst.js:22:1:22:12 | chance.XYZ() |
| tst.js:25:1:25:29 | crypto. ... es(100) |
| tst.js:26:1:26:33 | new cry ... es(100) |
4 changes: 4 additions & 0 deletions javascript/ql/test/library-tests/Security/CWE-338/tst.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,7 @@ uniqueRandom();
var Chance = require('chance'),
chance = new Chance();
chance.XYZ();

let crypto = require('crypto');
crypto.pseudoRandomBytes(100);
new crypto.pseudoRandomBytes(100);