hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13943 from geoffw0/weakhashexample

Browse Source 
Swift: Update the weak sensitive data hashing examples and qhelp
This commit is contained in:
Geoffrey White
2023-08-30 10:36:23 +01:00
committed by GitHub
parent f88428f3fd 125629a7e2
commit 39b45fa24f
3 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.qhelp
View File

@@ -51,18 +51,25 @@
</li> </li>
</ul> </ul>
<p>
Note that special purpose algorithms, which are used to ensure that a message comes from a particular sender, exist for message authentication. These algorithms should be used when appropriate, as they address common vulnerabilities of simple hashing schemes in this context.
</p>
</recommendation> </recommendation>
<example> <example>
<p> <p>
The following examples show a function for checking whether the hash The following examples show a function for fetching data from a
of a certificate matches a known value -- to prevent tampering. URL along with a hash of the data, perhaps to check the data has
not been tampered with.
</p>
<p>
In the first case the MD5 hashing algorithm is used that is known to be vulnerable to collision attacks. In the first case the MD5 hashing algorithm is used that is known to be vulnerable to collision attacks.
</p> </p>
<sample src="WeakSensitiveDataHashingBad.swift"/> <sample src="WeakSensitiveDataHashingBad.swift"/>
<p>
<p>
Here is the same function using SHA-512, which is a strong cryptographic hashing function. Here is the same function using SHA-512, which is a strong cryptographic hashing function.
</p> </p>
<sample src="WeakSensitiveDataHashingGood.swift"/> <sample src="WeakSensitiveDataHashingGood.swift"/>

11
swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingBad.swift
View File

@@ -1,5 +1,10 @@
typealias Hasher = Crypto.Insecure.MD5 func getContentsAndHash(url: URL) -> (Data, String)? {
guard let data = try? Data(contentsOf: url) else {
return nil
}
func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool let digest = Insecure.MD5.hash(data: data)
return Hasher.hash(data: cert) == hash // BAD let hash = digest.map { String(format: "%02hhx", $0) }.joined()
return (data, hash)
} }

12
swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashingGood.swift
View File

@@ -1,4 +1,10 @@
typealias Hasher = Crypto.SHA512 func getContentsAndHash(url: URL) -> (Data, String)? {
guard let data = try? Data(contentsOf: url) else {
return nil
}
func checkCertificate(cert: Array[UInt8], hash: Array[UInt8]) -> Bool let digest = SHA512.hash(data: data)
return Hasher.hash(data: cert) == hash // GOOD let hash = digest.map { String(format: "%02hhx", $0) }.joined()
return (data, hash)
}