hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revamp the query to reduce FPs introduced by wrapper calls

Browse Source
This commit is contained in:
luchua-bc
2021-01-18 04:23:30 +00:00
parent 3af8773dd6
commit 048167d39a
3 changed files with 72 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java
View File

@@ -64,7 +64,43 @@ public class HashWithoutSalt {
return Base64.getEncoder().encodeToString(messageDigest);
}
private String hash(String payload) {
public void update(SHA256 sha256, byte[] foo, int start, int len) throws NoSuchAlgorithmException {
sha256.update(foo, start, len);
}
public void update2(SHA256 sha256, byte[] foo, int start, int len) throws NoSuchAlgorithmException {
sha256.update(foo, start, len);
}
// GOOD - Invoke a wrapper implementation with a salt.
public String getSHA256Hash4(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] salt = getSalt();
byte[] passBytes = password.getBytes();
sha256.update(passBytes, 0, passBytes.length);
sha256.update(salt, 0, salt.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
// GOOD - Invoke a wrapper implementation with a salt.
public String getSHA256Hash5(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] salt = getSalt();
byte[] passBytes = password.getBytes();
sha256.update(passBytes, 0, passBytes.length);
update(sha256, salt, 0, salt.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
// BAD - Invoke a wrapper implementation without a salt.
public String getSHA256Hash6(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] passBytes = password.getBytes();
sha256.update(passBytes, 0, passBytes.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
private String hash(String payload) throws NoSuchAlgorithmException {
MessageDigest alg = MessageDigest.getInstance("SHA-256");
return Base64.getEncoder().encodeToString(alg.digest(payload.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
}

7
java/ql/test/experimental/query-tests/security/CWE-759/SHA256.java
View File

@@ -1,20 +1,21 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class SHA256 {
MessageDigest md;
public int getBlockSize() {return 32;}
public void init() throws Exception {
public void init() throws NoSuchAlgorithmException {
try { md = MessageDigest.getInstance("SHA-256"); }
catch (Exception e){
System.err.println(e);
}
}
public void update(byte[] foo, int start, int len) throws Exception {
public void update(byte[] foo, int start, int len) throws NoSuchAlgorithmException {
md.update(foo, start, len);
}
public byte[] digest() throws Exception {
public byte[] digest() throws NoSuchAlgorithmException {
return md.digest();
}
}