Flow from insecure random number to sensitive sink #346
Open
Detects use of the Get-Random cmdlet and the System.Random class, which are not cryptographically secure.
Policy: Microsoft.Security.Cryptography.10017
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MathiasVP (Collaborator) reviewed on Apr 16, 2026 and left a comment:
A couple of small comments. I'd prefer that we move NextBytes into a MaD model in this PR as I'm afraid we'd otherwise forget about it, but if you have any issues doing that I'm also okay with leaving this as-is.
Comment on lines +23 to +30
```codeql
// When .NextBytes() is called on a System.Random instance,
// taint flows from the qualifier to the argument (the byte array is filled with random bytes).
exists(DataFlow::CallNode call |
  call.matchesName("NextBytes") and
  node1 = call.getQualifier() and
  node2.(DataFlow::PostUpdateNode).getPreUpdateNode() = call.getArgument(0)
)
}
```
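Review bot: the step is restricted only by `call.matchesName("NextBytes")`, so it fires for any method named NextBytes on any qualifier, while the comment above it says the step is meant for `System.Random` instances; either constrain the qualifier's type inside the `exists` or, as suggested below, express the step as a MaD summary row keyed on `system.random`, which carries the type restriction with it.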
Collaborator:
We should probably just add this as a MaD summary model instead of this. Could you add a summary model row to https://github.com/microsoft/codeql/blob/main/powershell/ql/lib/semmle/code/powershell/frameworks/System.model.yml with this instead? It should be something along the lines of:

```yaml
- addsTo:
    pack: microsoft/powershell-all
    extensible: summaryModel
  data:
    - ["system.random", "Method[nextbytes]", "Argument[this]", "Argument[0]", "taint"]
```
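To make the flagged patterns concrete, here is an added PowerShell example (it is not code from this PR or from the microsoft/codeql repository): two functions that derive a secret from Get-Random and from System.Random.NextBytes, which are the two sources the PR description names and the qualifier-to-argument flow the summary row above models, next to a replacement built on System.Security.Cryptography.RandomNumberGenerator. The function names, the token length and the password alphabet are illustrative assumptions.

```powershell
# Added example, not code from the PR or the codeql repository.
# Function names and sizes below are illustrative assumptions.

function Get-SessionToken {
    # INSECURE: System.Random is not a cryptographically secure generator,
    # so a token derived from it is guessable.
    $rng   = [System.Random]::new()
    $bytes = New-Object byte[] 32
    # .NextBytes() fills $bytes from $rng: this is the qualifier-to-argument
    # taint step that the review suggests modelling as a MaD summary row.
    $rng.NextBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Get-TempPassword {
    # INSECURE: Get-Random is the other source the query flags.
    # -Maximum is exclusive, so each draw is a printable ASCII code 33..126.
    $chars = 1..16 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) }
    return -join $chars
}

function Get-SecureSessionToken {
    # SAFE: RandomNumberGenerator is .NET's cryptographically secure generator.
    # Create()/GetBytes() work on both Windows PowerShell 5.1 and PowerShell 7.
    $bytes = New-Object byte[] 32
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $rng.GetBytes($bytes)
    } finally {
        $rng.Dispose()
    }
    return [Convert]::ToBase64String($bytes)
}

# Usage: the first two calls are what the query should report when the
# result reaches a sensitive sink; the third is the safe replacement.
Get-SessionToken
Get-TempPassword
Get-SecureSessionToken
```

The safe variant deliberately uses `Create()` and `GetBytes()` rather than the newer static helpers so that the same script runs under Windows PowerShell 5.1 and PowerShell 7.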
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
…nto MaD summary model