ruby: add BlockMode concept

Author: alexrford

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -844,6 +844,13 @@ module Cryptography {
 
     /** Holds if this encryption operation is known to be weak. */
     predicate isWeak() { super.isWeak() }
+
+    /**
+     * Gets the block mode used to perform this cryptographic operation.
+     * This may have no result - for example if the `CryptographicAlgorithm` used
+     * is a stream cipher rather than a block cipher.
+     */
+    BlockMode getBlockMode() { result = super.getBlockMode() }
   }
 
   /** Provides classes for modeling new applications of a cryptographic algorithms. */
@@ -864,6 +871,24 @@ module Cryptography {
 
       /** Holds if this encryption operation is known to be weak. */
       abstract predicate isWeak();
+
+      /**
+       * Gets the block mode used to perform this cryptographic operation.
+       * This may have no result - for example if the `CryptographicAlgorithm` used
+       * is a stream cipher rather than a block cipher.
+       */
+      abstract BlockMode getBlockMode();
     }
   }
+
+  /**
+   * A cryptographic block cipher mode of operation. This can be used to encrypt
+   * data of arbitrary length using a block encryption algorithm.
+   */
+  class BlockMode extends string {
+    BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR"] }
+
+  /** Holds if this block mode is considered to be insecure. */
+  predicate isWeak() { this = "ECB" }
+}
 }

ruby/ql/lib/codeql/ruby/security/OpenSSL.qll

@@ -29,7 +29,9 @@ private string rankedInsecureAlgorithm(int i) {
   // weak hash algorithms and block modes as well.
   result =
     rank[i](string s |
-      isWeakEncryptionAlgorithm(s) or isWeakHashingAlgorithm(s) or isWeakBlockMode(s)
+      isWeakEncryptionAlgorithm(s) or
+      isWeakHashingAlgorithm(s) or
+      s.(Cryptography::BlockMode).isWeak()
     )
 }
 
@@ -329,21 +331,18 @@ private API::Node cipherApi() {
   result = API::getTopLevelMember("OpenSSL").getMember("Cipher").getMember("Cipher")
 }
 
-private class BlockMode extends string {
-  BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR"] }
-}
-
 private newtype TCipherMode =
   TStreamCipher() or
-  TBlockMode(BlockMode blockMode)
+  TBlockMode(Cryptography::BlockMode blockMode)
 
 /**
  * Represents the mode used by this stream cipher.
  * If this cipher uses a block encryption algorithm, then this is a specific
  * block mode.
  */
 private class CipherMode extends TCipherMode {
-  private BlockMode getBlockMode() { this = TBlockMode(result) }
+  /** Gets the underlying block mode, if any. */
+  Cryptography::BlockMode getBlockMode() { this = TBlockMode(result) }
 
   /** Gets a textual representation of this node. */
   string toString() {
@@ -360,7 +359,7 @@ private class CipherMode extends TCipherMode {
   predicate isBlockMode(string s) { this.getBlockMode() = s.toUpperCase() }
 
   /** Holds if this cipher mode is a weak block mode. */
-  predicate isWeak() { isWeakBlockMode(this.getBlockMode()) }
+  predicate isWeak() { this.getBlockMode().isWeak() }
 }
 
 private string getStringArgument(DataFlow::CallNode call, int i) {
@@ -549,4 +548,8 @@ private class CipherOperation extends Cryptography::CryptographicOperation::Rang
     cipherNode.getCipher().isWeak() or
     cipherNode.getCipherMode().isWeak()
   }
+
+  override Cryptography::BlockMode getBlockMode() {
+    result = cipherNode.getCipherMode().getBlockMode()
+  }
 }

ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll

@@ -65,8 +65,3 @@ predicate isStrongPasswordHashingAlgorithm(string name) {
  * Holds if `name` corresponds to a weak password hashing algorithm.
  */
 predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" }
-
-/**
- * Holds if `name` corresponds to a weak block cipher mode of operation.
- */
-predicate isWeakBlockMode(string name) { name = "ECB" }