/**
* @name Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads.
* @description The class has a field that directly or indirectly makes use of a static System.Security.Cryptography.ICryptoTransform object.
* Using an instance of this class from concurrent threads is dangerous, as it may not only result in an error
* but under some circumstances may also result in incorrect results.
* @kind problem
* @problem.severity warning
* @precision medium
* @id cs/thread-unsafe-icryptotransform-field-in-class
* @tags concurrency
* security
* external/cwe/cwe-362
*/
import csharp
/**
 * A class that implements `System.Security.Cryptography.ICryptoTransform`,
 * either directly or through one of its (transitive) base types.
 */
class ICryptoTransform extends Class {
  ICryptoTransform() {
    exists(Type base | base = this.getABaseType*() |
      base.hasQualifiedName("System.Security.Cryptography", "ICryptoTransform")
    )
  }
}
/**
 * Holds if `t` is an `ICryptoTransform` implementation, or if some type reached
 * from `t` by repeatedly taking `getAChild()` is one.
 * NOTE(review): this presumably covers type arguments and element types of `t`
 * (e.g. a generic container of transforms) — confirm against what `getAChild()`
 * yields for the `Type` subclasses in the library.
 */
predicate usesICryptoTransformType(Type t) {
  t instanceof ICryptoTransform
  or
  exists(Type component | component = t.getAChild() | usesICryptoTransformType(component))
}
/**
 * Holds if `c` (or a type nested in it, via `getAMember*()`) declares a field
 * whose type is an `ICryptoTransform`, uses one (see `usesICryptoTransformType`),
 * or is itself a class for which this predicate holds — so a transform buried in
 * a chain of field types is still found.
 */
predicate hasICryptoTransformMember(Class c) {
  exists(Field f, Type fieldType |
    f = c.getAMember*() and
    fieldType = f.getType()
  |
    fieldType instanceof ICryptoTransform or
    usesICryptoTransformType(fieldType) or
    hasICryptoTransformMember(fieldType)
  )
}
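/**
 * Holds if `c` has a direct field (`getAMember()`, not the transitive closure)
 * that either:
 *  - has a type for which this predicate itself holds (the walk descends through
 *    field types rather than through nested types), or
 *  - is static, is not marked `[ThreadStatic]`, and has a type that holds an
 *    `ICryptoTransform` member somewhere (see `hasICryptoTransformMember`).
 *
 * The `[ThreadStatic]` exclusion is what the query treats as the safe way to keep
 * a static transform: one instance per thread instead of one shared instance.
 */
predicate hasICryptoTransformStaticMemberNested(Class c) {
  exists(Field f, Type fieldType |
    f = c.getAMember() and
    fieldType = f.getType()
  |
    hasICryptoTransformStaticMemberNested(fieldType)
    or
    (
      f.isStatic() and
      hasICryptoTransformMember(fieldType) and
      // Attribute type matched as a (namespace, name) pair, the same way the
      // ICryptoTransform class itself is matched in this query.
      not exists(Attribute a | a = f.getAnAttribute() |
        a.getType().hasQualifiedName("System", "ThreadStaticAttribute")
      )
    )
  )
}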
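/**
 * Holds if class `c` is unsafe to use from concurrent threads because a static
 * `ICryptoTransform` is reachable from it, with `msg` describing which field is
 * responsible.
 *
 * Three cases produce a result, each with its own message:
 *  1. a static field of `c` (or of a nested type, via `getAMember*()`) that is not
 *     marked `[ThreadStatic]` and whose type implements `ICryptoTransform`, or —
 *     only when it does not implement it, so a field is not reported twice —
 *     whose type uses one (see `usesICryptoTransformType`);
 *  2. a non-static field whose type itself satisfies this predicate, i.e. the
 *     static transform is reached indirectly through another class;
 *  3. `hasICryptoTransformStaticMemberNested(c)`, for a static transform held
 *     deeper in a chain of field types.
 */
predicate hasICryptoTransformStaticMember(Class c, string msg) {
  // Case 1: a static, non-[ThreadStatic] field holding or built from a transform.
  exists(Field f, Type fieldType |
    f = c.getAMember*() and
    fieldType = f.getType() and
    f.isStatic() and
    // Matched as a (namespace, name) pair, consistent with how the
    // ICryptoTransform class is matched in this query.
    not exists(Attribute a | a = f.getAnAttribute() |
      a.getType().hasQualifiedName("System", "ThreadStaticAttribute")
    )
  |
    (
      fieldType instanceof ICryptoTransform and
      msg = "Static field " + f + " of type " + fieldType + ", implements 'System.Security.Cryptography.ICryptoTransform', but it does not have an attribute [ThreadStatic]. The usage of this class is unsafe for concurrent threads."
    )
    or
    (
      // Guarded so that a field whose type is itself a transform gets only the
      // message above, never both.
      not fieldType instanceof ICryptoTransform and
      // NOTE(review): if getAChild() yields type arguments, a static wrapper such
      // as a per-thread container of transforms would also be reported here —
      // confirm that is intended.
      usesICryptoTransformType(fieldType) and
      msg = "Static field " + f + " of type " + fieldType + " makes usage of 'System.Security.Cryptography.ICryptoTransform', but it does not have an attribute [ThreadStatic]. The usage of this class is unsafe for concurrent threads."
    )
  )
  or
  // Case 2: an instance field whose own type carries the unsafe static.
  exists(Field f, Type fieldType |
    f = c.getAMember*() and
    fieldType = f.getType() and
    not f.isStatic() and
    hasICryptoTransformStaticMember(fieldType, _) and
    msg = "Non-static field " + f + " of type " + fieldType + " internally makes use of an static object that implements 'System.Security.Cryptography.ICryptoTransform'. This causes that usage of this class member is unsafe for concurrent threads."
  )
  or
  // Case 3: the static transform sits further down a chain of field types.
  // The class name is separated from the word "Class" by a space; the original
  // message ran them together.
  (
    hasICryptoTransformStaticMemberNested(c) and
    msg = "Class " + c + " implementation depends on a static object of type 'System.Security.Cryptography.ICryptoTransform' in a way that is unsafe for concurrent threads."
  )
}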
// Report every affected class together with the explanation of why sharing it
// between threads is unsafe.
from Class cls, string reason
where hasICryptoTransformStaticMember(cls, reason)
select cls, reason