hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revamp the source and the sink of the query

Browse Source
This commit is contained in:
luchua-bc
2021-03-06 22:41:54 +00:00
parent 1784c202a7
commit 0ef3eee4ed
3 changed files with 121 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.expected
View File

@@ -1,11 +1,19 @@
edges
| HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) |
| HashWithoutSalt.java:17:13:17:20 | password : String | HashWithoutSalt.java:17:13:17:31 | getBytes(...) |
| HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) |
| HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:94:17:94:25 | passBytes |
| HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:112:18:112:26 | passBytes |
nodes
| HashWithoutSalt.java:10:36:10:43 | password : String | semmle.label | password : String |
| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | semmle.label | getBytes(...) |
| HashWithoutSalt.java:17:13:17:20 | password : String | semmle.label | password : String |
| HashWithoutSalt.java:17:13:17:31 | getBytes(...) | semmle.label | getBytes(...) |
| HashWithoutSalt.java:25:13:25:20 | password : String | semmle.label | password : String |
| HashWithoutSalt.java:25:13:25:31 | getBytes(...) | semmle.label | getBytes(...) |
| HashWithoutSalt.java:93:22:93:29 | password : String | semmle.label | password : String |
| HashWithoutSalt.java:94:17:94:25 | passBytes | semmle.label | passBytes |
| HashWithoutSalt.java:111:22:111:29 | password : String | semmle.label | password : String |
| HashWithoutSalt.java:112:18:112:26 | passBytes | semmle.label | passBytes |
#select
| HashWithoutSalt.java:10:36:10:54 | getBytes(...) | HashWithoutSalt.java:10:36:10:43 | password : String | HashWithoutSalt.java:10:36:10:54 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:10:36:10:43 | password : String | The password |
| HashWithoutSalt.java:17:13:17:31 | getBytes(...) | HashWithoutSalt.java:17:13:17:20 | password : String | HashWithoutSalt.java:17:13:17:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:17:13:17:20 | password : String | The password |
| HashWithoutSalt.java:25:13:25:31 | getBytes(...) | HashWithoutSalt.java:25:13:25:20 | password : String | HashWithoutSalt.java:25:13:25:31 | getBytes(...) | $@ is hashed without a salt. | HashWithoutSalt.java:25:13:25:20 | password : String | The password |
| HashWithoutSalt.java:94:17:94:25 | passBytes | HashWithoutSalt.java:93:22:93:29 | password : String | HashWithoutSalt.java:94:17:94:25 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:93:22:93:29 | password : String | The password |
| HashWithoutSalt.java:112:18:112:26 | passBytes | HashWithoutSalt.java:111:22:111:29 | password : String | HashWithoutSalt.java:112:18:112:26 | passBytes | $@ is hashed without a salt. | HashWithoutSalt.java:111:22:111:29 | password : String | The password |

54
java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java
View File

@@ -11,14 +11,6 @@ public class HashWithoutSalt {
return Base64.getEncoder().encodeToString(messageDigest);
}
// BAD - Hash without a salt.
public String getSHA256Hash2(String password) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(password.getBytes());
byte[] messageDigest = md.digest();
return Base64.getEncoder().encodeToString(messageDigest);
}
// GOOD - Hash with a salt.
public String getSHA256Hash(String password, byte[] salt) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
@@ -27,6 +19,14 @@ public class HashWithoutSalt {
return Base64.getEncoder().encodeToString(messageDigest);
}
// BAD - Hash without a salt.
public String getSHA256Hash2(String password) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(password.getBytes());
byte[] messageDigest = md.digest();
return Base64.getEncoder().encodeToString(messageDigest);
}
// GOOD - Hash with a salt.
public String getSHA256Hash2(String password, byte[] salt) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
@@ -77,8 +77,8 @@ public class HashWithoutSalt {
sha256.update(foo, start, len);
}
// BAD - Invoking a wrapper implementation without a salt is not detected.
public String getSHA256Hash4(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
// GOOD - Invoking a wrapper implementation through qualifier with a salt.
public String getWrapperSHA256Hash(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
SHA256 sha256 = new SHA256();
byte[] salt = getSalt();
byte[] passBytes = password.getBytes();
@@ -87,8 +87,16 @@ public class HashWithoutSalt {
return Base64.getEncoder().encodeToString(sha256.digest());
}
// BAD - Invoking a wrapper implementation without a salt is not detected.
public String getSHA256Hash5(String password) throws NoSuchAlgorithmException {
// BAD - Invoking a wrapper implementation through qualifier without a salt.
public String getWrapperSHA256Hash2(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
SHA256 sha256 = new SHA256();
byte[] passBytes = password.getBytes();
sha256.update(passBytes, 0, passBytes.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
// GOOD - Invoking a wrapper implementation through qualifier and argument with a salt.
public String getWrapperSHA256Hash3(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] salt = getSalt();
byte[] passBytes = password.getBytes();
@@ -97,16 +105,26 @@ public class HashWithoutSalt {
return Base64.getEncoder().encodeToString(sha256.digest());
}
// BAD - Invoking a wrapper implementation without a salt is not detected.
public String getSHA512Hash6(String password) throws NoSuchAlgorithmException {
SHA512 sha512 = new SHA512();
// BAD - Invoking a wrapper implementation through argument without a salt.
public String getWrapperSHA256Hash4(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] passBytes = password.getBytes();
sha512.update(passBytes, 0, passBytes.length);
return Base64.getEncoder().encodeToString(sha512.digest());
update(sha256, passBytes, 0, passBytes.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
// GOOD - Invoking a wrapper implementation through argument with a salt.
public String getWrapperSHA256Hash5(String password) throws NoSuchAlgorithmException {
SHA256 sha256 = new SHA256();
byte[] salt = getSalt();
byte[] passBytes = password.getBytes();
update(sha256, passBytes, 0, passBytes.length);
update(sha256, salt, 0, salt.length);
return Base64.getEncoder().encodeToString(sha256.digest());
}
// BAD - Invoke a wrapper implementation with a salt, which is not detected with an interface type variable.
public String getSHA512Hash7(byte[] passphrase) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
public String getSHA512Hash8(byte[] passphrase) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException {
Class c = Class.forName("SHA512");
HASH sha512 = (HASH) (c.newInstance());
byte[] tmp = new byte[4];