JS: Use shared CryptographicOperation concept

[alexrford]

This mostly affects JS, but also changes some behaviour for Ruby and Python as well. This change should allow us to add the Python version of weak-cryptographic-algorithm as a (new) JS query.

The JS and Ruby/Python versions of CryptographicOperation were pretty similar, with 2 main differences:

• getInput() in JS vs getAnInput() in Ruby/Python
• JS lacked the BlockMode getBlockMode() predicate

I added a deprecated getInput() predicate to the shared concept for the first difference, and implemented getBlockMode() for the existing JS CryptographicOperation implementations. There were 10 implementations in CryptoLibraries.qll, but only 4 of these libraries seemed to support encryption using block ciphers.

There are a couple of other changes that affect all languages.

• The first is the addition of a BlockMode#matchesString(string) predicate for convenience
• The other is a pair of more significant change to make CryptographicAlgorithm#matchesName(string).
  • We now consider splitting the candidate name on underscores - e.g. asmCrypto uses "AES_OFB" as an algorithm name to specify AES encryption using the OFB block mode - previously matchesString would have just read this as "AESOFB" and not matched against AES
  • matchesName now only holds when the algorithm is the "most specific" matching algorithm - in practice this means the matching algorithm with the longest name. This is specifically for things like "SHA3_224" which has a valid match as both SHA3 and SHA3_224, but the latter is a more precise match. This is relevant for e.g. https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_224.html

[erik-krogh]

Looks good, with some minor comments.

But we need a loud change-note, and some more instructions on how to migrate to the new code (both in change-note and QLDoc).

[erik-krogh]

This is problematic.
You are changing an abstract class to a non abstract class that instead uses the ::Range pattern.

This will at minimum require a loud change-note.
CryptographicOperation is on the "global" scope in JavaScript, so we can't leave a deprecated class behind.
Anyone overridding the old CryptographicOperation class will get deprecation warnings, so I think it's good enough with a change-note.

[alexrford]

I've added a change note that hopefully explains the required changes to any external implementations of CryptographicOperation clearly enough.

[erik-krogh]

This will cause compile-errors for any external users that have extended this.
(Also see my former comment about CryptographicOperation and change-note).

I think we'll have to use breaking in the change-note.

I think the QLDoc should loudly explain what to do, which is both extend getAnInput instead, and make sure you extend CryptographicOperation::Range instead of CryptographicOperation.

[alexrford]

I've updated the QLDoc to mention this (the predicate itself has moved to Concepts.qll to avoid introducing a deprecated predicate to Ruby/Py as well). It's a little bit clumsy as the deprecation message has to read properly for both users and implementers of CryptographicOperation#getInput().

[erik-krogh]

Same as above.

[alexrford]

CryptographicOperation::Range#getInput() has been removed - I don't think there's a need to include this as the ::Range class is new for JS.

[RasmusWL]

Overall looks good to me 👍 Thanks for moving our languages closer to each other 💪

I'm wondering whether the changes in b968b59 to matchesName is important for anything, or it just seemed like a good idea? -- We've previously seen performance problems with the Python analysis when doing too much string manipulation, so that is why I'm interested in this bit in particular (and would at least like to see a performance evaluation before giving a final approval for this)

[RasmusWL]

NIT: We don't need to add this deprecated predicate to the shared file, it's possible to only have it part of JS like we've done for Ruby in the past (example).

[alexrford]

👍 it seems worth avoiding adding a deprecated predicate for all languages.

[alexrford]

I've removed this from Ruby/Py in c7aaad9. The explicit aliases feel a bit clumsy, but I'm not aware of a good way to avoid them.

[RasmusWL]

Thanks, yes those aliases are a bit clumsy. I wonder if the new shadowing mechanism in QL would allow us to do it more nicely 🤔

[RasmusWL]

As mentioned in other comments, it's possible to do this change of making it non-abstract for JS only.

My default stance on this is that it's nicer if the predicates you're supposed to implement are abstract, since that means you won't forget to do it. However, there is also part of me that is annoyed at having to implement getBlockMode for hashing cryptographic operations...

So I guess now is a good time to think about whether we want to change this to have a default of none() for all languages or not. What are your own thoughts on this?

[alexrford]

I've been uncertain on this as the need to implement this for hashing operations is irritating. I'd briefly considered creating separate EncryptionOperation and HashingOperation (and maybe also PasswordHashingOperation) classes and only including the getBlockMode() predicate in EncryptionOperation, but I think this is maybe overcomplicating things since getAlgorithm() already works to restrict the operation to a particular kind of operation.

On reflection I think this change to have a default none() is a mistake. It's too easy to just forget to implement this predicate entirely if it's not abstract. I also don't think there's a need to make this change for JS specifically, since this is already a breaking change which will require changes to external implementations of CryptographicOperation.

My plan here is to change this back to being abstract (for all languages) and to improve the documentation on this to make it clearer when this should be implemented with a non-none() result (i.e. only when this is an encryption operation using a block cipher).

[RasmusWL]

sounds good to me 👍

[alexrford]

I'm wondering whether the changes in b968b59 to matchesName is important for anything, or it just seemed like a good idea? -- We've previously seen performance problems with the Python analysis when doing too much string manipulation, so that is why I'm interested in this bit in particular (and would at least like to see a performance evaluation before giving a final approval for this)

There were some specific cases that I was trying to cover here. In asmCrypto (JS) we have:

asmCrypto.AES_OFB.encrypt(input, key, iv)

where the version of matchesName before this PR would try to match against the string AESOFB (as \w includes underscores) and would not match against AES as it should. I started to address this in 1435ef1, but found that it meant that Cryptodome (Py) had ambiguity in cases like:

from Cryptodome.Hash import SHA3_224

hasher = SHA3_224.new()

which would match against both SHA3 alone (split before the underscore) and SHA3224 (full string). Both are "correct", but including both means that getAlgorithm() doesn't necessarily have a unique result and it seems redundant to return SHA3 when SHA3224 is more precise, hence b968b59.

I'll start some DCA runs for all languages after a few changes are finalized here.

[erik-krogh]

JS 👍

[alexrford]

@RasmusWL I finally got together 3 successful DCA runs - I didn't notice any performance differences, though admittedly the test suites don't have that many projects.

[RasmusWL]

LGTM 👍 Thanks for making the changes. Performance evaluation looked fine as well 👍