Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hopefully fixed the bug. #2710

Merged
merged 2 commits into from
Jul 29, 2019
Merged

Hopefully fixed the bug. #2710

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
13bf3cd
Hopefully fixed the bug.
LingxiaChen Jul 29, 2019
9d09736
Update.
LingxiaChen Jul 29, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/Microsoft.NetCore.Analyzers/Core/Security/SourceTriggeredTaintedDataAnalyzerBase.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@ public override void Initialize(AnalysisContext context)
operationAnalysisContext =>
{
IArrayInitializerOperation arrayInitializerOperation = (IArrayInitializerOperation)operationAnalysisContext.Operation;
if (sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayInitializerOperation.Parent.Type as IArrayTypeSymbol))
if (sourceInfoSymbolMap.IsSourceConstantArrayOfType(arrayInitializerOperation.GetAncestor<IArrayCreationOperation>(OperationKind.ArrayCreation).Type as IArrayTypeSymbol))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we be even more defensive and handle GetAncestor returning null gracefully by using “?.Type”?

{
lock (rootOperationsNeedingAnalysis)
{
Expand Down
52 changes: 36 additions & 16 deletions src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ public void TestMethod(byte[] someOtherBytesForIV)
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -94,11 +94,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateDecryptor_Diagnostic()
public void Test_HardcodedInByteArray_CreateDecryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -113,11 +113,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateDecryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateDecryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateDecryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArrayWithVariable_CreateEncryptor_Diagnostic()
public void Test_HardcodedInByteArrayWithVariable_CreateEncryptor_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -133,11 +133,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(12, 9, 10, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(12, 9, 10, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_KeyProperty_Diagnostic()
public void Test_HardcodedInByteArray_KeyProperty_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -152,11 +152,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.Key = rgbKey;
}
}",
GetCSharpResultAt(11, 9, 9, 36, "byte[] SymmetricAlgorithm.Key", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "byte[] SymmetricAlgorithm.Key", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptorFromDerivedClassOfSymmetricAlgorithm_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptorFromDerivedClassOfSymmetricAlgorithm_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -171,11 +171,11 @@ public void TestMethod(byte[] someOtherBytesForIV)
aes.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(11, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_Multivalues_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_Multivalues_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -197,12 +197,12 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(18, 9, 14, 33, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"),
GetCSharpResultAt(18, 9, 9, 36, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(18, 9, 14, 22, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"),
GetCSharpResultAt(18, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_HardcodedInbyteArray_CreateEncryptor_WithoutAssignment_Diagnostic()
public void Test_HardcodedInByteArray_CreateEncryptor_WithoutAssignment_Diagnostic()
{
VerifyCSharpWithDependencies(@"
using System;
Expand All @@ -216,7 +216,7 @@ public void TestMethod(byte[] someOtherBytesForIV)
rijn.CreateEncryptor(new byte[] {1, 2, 3}, someOtherBytesForIV);
}
}",
GetCSharpResultAt(10, 9, 10, 41, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
GetCSharpResultAt(10, 9, 10, 30, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
Expand All @@ -241,7 +241,7 @@ public void TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)
rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
}
}",
GetCSharpResultAt(17, 9, 13, 33, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)"));
GetCSharpResultAt(17, 9, 13, 22, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte[] rgbKey)"));
}

[Fact]
Expand Down Expand Up @@ -292,6 +292,26 @@ public void CreateEncryptor(byte[] rgbKey)
GetCSharpResultAt(16, 9, 9, 22, "byte[] SymmetricAlgorithm.Key", "void TestClass.CreateEncryptor(byte[] rgbKey)", "byte[] Convert.FromBase64String(string s)", "void TestClass.TestMethod()"));
}

[Fact]
public void Test_HardcodedIn2DByteArray_CreateEncryptor_Diagnostic()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test_HardcodedIn2DByteArray_CreateEncryptor_Diagnostic [](start = 20, length = 54)

It'd be good to add a test for a jagged array (like byte[][]) also.

Is there a test case that covers the assert from #2708?

{
VerifyCSharpWithDependencies(@"
using System;
using System.Linq;
using System.Security.Cryptography;

class TestClass
{
public void TestMethod(byte[] someOtherBytesForIV)
{
byte[,] rgbKey = new byte[,] { { 1, 2, 3 }, { 4, 5, 6 } };
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
rijn.CreateEncryptor(rgbKey.Cast<byte>().ToArray(), someOtherBytesForIV);
}
}",
GetCSharpResultAt(12, 9, 10, 26, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[,]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
}

[Fact]
public void Test_NotHardcoded_CreateEncryptor_NoDiagnostic()
{
Expand Down
6 changes: 4 additions & 2 deletions ...wAnalysis/Analysis/TaintedDataAnalysis/TaintedDataAnalysis.TaintedDataOperationVisitor.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,10 +343,12 @@ public override TaintedDataAbstractValue VisitArrayInitializer(IArrayInitializer
result = TaintedDataAbstractValue.MergeTainted(taintedAbstractValues);
}

if (this.DataFlowAnalysisContext.SourceInfos.IsSourceConstantArrayOfType(operation.Parent.Type as IArrayTypeSymbol)
IArrayCreationOperation arrayCreationOperation = operation.GetAncestor<IArrayCreationOperation>(OperationKind.ArrayCreation);
IArrayTypeSymbol arrayTypeSymbol = arrayCreationOperation.Type as IArrayTypeSymbol;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. I would handle null value return by GetAncestor and also null check before invoking IsSourceConstantArrayOfType (unless that method handles null input).

if (this.DataFlowAnalysisContext.SourceInfos.IsSourceConstantArrayOfType(arrayTypeSymbol)
&& operation.ElementValues.All(s => GetValueContentAbstractValue(s).IsLiteralState))
{
TaintedDataAbstractValue taintedDataAbstractValue = TaintedDataAbstractValue.CreateTainted(operation.Parent.Type, operation.Syntax, this.OwningSymbol);
TaintedDataAbstractValue taintedDataAbstractValue = TaintedDataAbstractValue.CreateTainted(arrayTypeSymbol, arrayCreationOperation.Syntax, this.OwningSymbol);
result = result == null ? taintedDataAbstractValue : TaintedDataAbstractValue.MergeTainted(result, taintedDataAbstractValue);
}

Expand Down