Merge branch 'main' into redsun82/swift-file-label-caching

Author: redsun82

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.cs

@@ -0,0 +1,44 @@
+
+{
+    SymmetricKey aesKey = new SymmetricKey(kid: "symencryptionkey");
+
+    // BAD: Using the outdated client side encryption version V1_0
+    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key: aesKey, keyResolver: null);
+    BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };
+
+    MemoryStream stream = new MemoryStream(buffer);
+    blob.UploadFromStream(stream, length: size, accessCondition: null, options: uploadOptions);
+}
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using an outdated SDK that does not support client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions() 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // BAD: Using the outdated client side encryption version V1_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});
+
+var client = new BlobClient(myConnectionString, new SpecializedBlobClientOptions()
+{
+    // GOOD: Using client side encryption version V2_0
+    ClientSideEncryption = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V2_0) 
+    {
+        KeyEncryptionKey = myKey,
+        KeyResolver = myKeyResolver,
+        KeyWrapAlgorihm = myKeyWrapAlgorithm
+    }
+});

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+
+  <overview>
+    <p>Azure Storage .NET, Java, and Python SDKs support encryption on the client with a customer-managed key that is maintained in Azure Key Vault or another key store.</p>
+    <p>Current release versions of the Azure Storage SDKs use cipher block chaining (CBC mode) for client-side encryption (referred to as <code>v1</code>).</p>
+
+  </overview>
+  <recommendation>
+
+    <p>Consider switching to <code>v2</code> client-side encryption.</p>
+
+  </recommendation>
+  <example>
+
+    <sample src="UnsafeUsageOfClientSideEncryptionVersion.cs" />
+
+  </example>
+  <references>
+    <li>
+      <a href="http://aka.ms/azstorageclientencryptionblog">Azure Storage Client Encryption Blog.</a>
+    </li>
+    <li>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30187">CVE-2022-30187</a>
+    </li>
+
+  </references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -0,0 +1,81 @@
+/**
+ * @name Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
+ * @description Unsafe usage of v1 version of Azure Storage client-side encryption, please refer to http://aka.ms/azstorageclientencryptionblog
+ * @kind problem
+ * @tags security
+ *       cryptography
+ *       external/cwe/cwe-327
+ * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
+ * @problem.severity error
+ * @precision high
+ */
+
+import csharp
+
+/**
+ * Holds if `oc` is creating an object of type `c` = `Azure.Storage.ClientSideEncryptionOptions`
+ * and `e` is the `version` argument to the constructor
+ */
+predicate isCreatingAzureClientSideEncryptionObject(ObjectCreation oc, Class c, Expr e) {
+  exists(Parameter p | p.hasName("version") |
+    c.hasQualifiedName("Azure.Storage.ClientSideEncryptionOptions") and
+    oc.getTarget() = c.getAConstructor() and
+    e = oc.getArgumentForParameter(p)
+  )
+}
+
+/**
+ * Holds if `oc` is an object creation of the outdated type `c` = `Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy`
+ */
+predicate isCreatingOutdatedAzureClientSideEncryptionObject(ObjectCreation oc, Class c) {
+  c.hasQualifiedName("Microsoft.Azure.Storage.Blob.BlobEncryptionPolicy") and
+  oc.getTarget() = c.getAConstructor()
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption
+ */
+predicate doesAzureStorageAssemblySupportSafeClientSideEncryption(Assembly asm) {
+  exists(int versionCompare |
+    versionCompare = asm.getVersion().compareTo("12.12.0.0") and
+    versionCompare >= 0
+  ) and
+  asm.getName() = "Azure.Storage.Common"
+}
+
+/**
+ * Holds if the Azure.Storage assembly for `c` is a version known to support
+ * version 2+ for client-side encryption and if the argument for the constructor `version`
+ * is set to a secure value.
+ */
+predicate isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(Expr versionExpr, Assembly asm) {
+  // Check if the Azure.Storage assembly version has the fix
+  doesAzureStorageAssemblySupportSafeClientSideEncryption(asm) and
+  // and that the version argument for the constructor is guaranteed to be Version2
+  isExprAnAccessToSafeClientSideEncryptionVersionValue(versionExpr)
+}
+
+/**
+ * Holds if the expression `e` is an access to a safe version of the enum `ClientSideEncryptionVersion`
+ * or an equivalent numeric value
+ */
+predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
+  exists(EnumConstant ec |
+    ec.hasQualifiedName("Azure.Storage.ClientSideEncryptionVersion.V2_0") and
+    ec.getAnAccess() = e
+  )
+}
+
+from Expr e, Class c, Assembly asm
+where
+  asm = c.getLocation() and
+  (
+    exists(Expr e2 |
+      isCreatingAzureClientSideEncryptionObject(e, c, e2) and
+      not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
+    )
+    or
+    isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
+  )
+select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."

docs/codeql/query-help/cpp.rst

@@ -3,7 +3,9 @@ CodeQL query help for C and C++
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/cpp/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/cpp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/cpp/ql/examples>`__.
 
 .. include:: toc-cpp.rst
 

docs/codeql/query-help/csharp.rst

@@ -3,6 +3,8 @@ CodeQL query help for C#
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/csharp/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/csharp-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/csharp/ql/examples>`__.
 
 .. include:: toc-csharp.rst

docs/codeql/query-help/go.rst

@@ -3,6 +3,8 @@ CodeQL query help for Go
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/go/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/go-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/go/ql/examples>`__.
 
 .. include:: toc-go.rst

docs/codeql/query-help/java.rst

@@ -3,6 +3,8 @@ CodeQL query help for Java
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/java/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/java-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/java/ql/examples>`__.
 
 .. include:: toc-java.rst

docs/codeql/query-help/javascript.rst

@@ -3,6 +3,8 @@ CodeQL query help for JavaScript
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/javascript/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/javascript-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/javascript/ql/examples>`__.
 
 .. include:: toc-javascript.rst

docs/codeql/query-help/python.rst

@@ -3,6 +3,8 @@ CodeQL query help for Python
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/python/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/python-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/examples>`__.
 
 .. include:: toc-python.rst

docs/codeql/query-help/ruby.rst

@@ -3,6 +3,8 @@ CodeQL query help for Ruby
 
 .. include:: ../reusables/query-help-overview.rst
 
-For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/main/ruby/ql/examples>`__.
+These queries are published in the CodeQL query pack ``codeql/ruby-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src>`__).
+
+For shorter queries that you can use as building blocks when writing your own queries, see the `example queries in the CodeQL repository <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/examples>`__.
 
 .. include:: toc-ruby.rst