Move test files to the test folder

2025-12-20 10:46:30 +01:00 · 2021-01-20 03:51:46 +00:00
parent 07f45a51f8
commit 46fd5bd92e
5 changed files with 15 additions and 18 deletions
--- a/Features/CWE-759/HashWithoutSalt.cs
+++ b/Features/CWE-759/HashWithoutSalt.cs
@@ -1,74 +0,0 @@
-// semmle-extractor-options: /r:System.Security.Cryptography.Primitives.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll
-
-using System;
-using System.Security.Cryptography;
-
-using Windows.Security.Cryptography;
-using Windows.Security.Cryptography.Core;
-using Windows.Storage.Streams;
-
-public class Test
-{
-    private const int SaltSize = 32;
-
-    // BAD - Hash without a salt.
-    public static String HashPassword(string password, string strAlgName ="SHA256")
-    {
-        IBuffer passBuff = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
-        HashAlgorithmProvider algProvider = HashAlgorithmProvider.OpenAlgorithm(strAlgName);
-        IBuffer hashBuff = algProvider.HashData(passBuff);
-        return CryptographicBuffer.EncodeToBase64String(hashBuff);
-    }
-
-    // GOOD - Hash with a salt.
-    public static string HashPassword2(string password, string salt, string strAlgName ="SHA256")
-    {
-        // Concatenate the salt with the password.
-        IBuffer passBuff = CryptographicBuffer.ConvertStringToBinary(password+salt, BinaryStringEncoding.Utf8);
-        HashAlgorithmProvider algProvider = HashAlgorithmProvider.OpenAlgorithm(strAlgName);
-        IBuffer hashBuff = algProvider.HashData(passBuff);
-        return CryptographicBuffer.EncodeToBase64String(hashBuff);
-    }
-
-    // BAD - Hash without a salt.
-    public static string HashPassword(string password)
-    {
-        SHA256 sha256Hash = SHA256.Create();
-        byte[] passBytes = System.Text.Encoding.ASCII.GetBytes(password);
-        byte[] hashBytes = sha256Hash.ComputeHash(passBytes);
-        return Convert.ToBase64String(hashBytes);
-    }
-
-    // GOOD - Hash with a salt.
-    public static string HashPassword2(string password)
-    {
-        byte[] passBytes = System.Text.Encoding.ASCII.GetBytes(password);
-        byte[] saltBytes = GenerateSalt();
-
-        // Add the salt to the hash.
-        byte[] rawSalted  = new byte[passBytes.Length + saltBytes.Length]; 
-        passBytes.CopyTo(rawSalted, 0);
-        saltBytes.CopyTo(rawSalted, passBytes.Length);
-
-        //Create the salted hash.         
-        SHA256 sha256 = SHA256.Create();
-        byte[] saltedPassBytes = sha256.ComputeHash(rawSalted);
-
-        // Add the salt value to the salted hash.
-        byte[] dbPassword  = new byte[saltedPassBytes.Length + saltBytes.Length];
-        saltedPassBytes.CopyTo(dbPassword, 0);
-        saltBytes.CopyTo(dbPassword, saltedPassBytes.Length);
-
-        return Convert.ToBase64String(dbPassword);
-    }
-
-    public static byte[] GenerateSalt()
-    {
-        using (var rng = new RNGCryptoServiceProvider())
-        {
-            var randomNumber = new byte[SaltSize];
-            rng.GetBytes(randomNumber);
-            return randomNumber;
-        }
-    }
-}
--- a/Features/CWE-759/HashWithoutSalt.expected
+++ b/Features/CWE-759/HashWithoutSalt.expected
@@ -1,13 +0,0 @@
-edges
-| HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff |
-| HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] | HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes |
-| HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] |
-nodes
-| HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | semmle.label | access to parameter password : String |
-| HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | semmle.label | access to local variable passBuff |
-| HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
-| HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | semmle.label | access to parameter password : String |
-| HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | semmle.label | access to local variable passBytes |
-#select
-| HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | $@ is hashed without a salt. | HashWithoutSalt.cs:17:70:17:77 | access to parameter password | The password |
-| HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | $@ is hashed without a salt. | HashWithoutSalt.cs:37:64:37:71 | access to parameter password | The password |
--- a/Features/CWE-759/HashWithoutSalt.ql
+++ b/Features/CWE-759/HashWithoutSalt.ql
@@ -22,19 +22,17 @@ class HashAlgorithmProvider extends RefType {
  }
 }

-/** The method call `ComputeHash()` declared in `System.Security.Cryptography.SHA...`. */
-class ComputeHashMethodCall extends MethodCall {
-  ComputeHashMethodCall() {
-    this.getQualifier().getType() instanceof SHA and
-    this.getTarget().hasName("ComputeHash")
-  }
-}
-
-/** The method call `ComputeHash()` declared in `System.Security.Cryptography.SHA...`. */
-class HashDataMethodCall extends MethodCall {
-  HashDataMethodCall() {
-    this.getQualifier().getType() instanceof HashAlgorithmProvider and
-    this.getTarget().hasName("HashData")
+/**
+ * The method `ComputeHash()` declared in `System.Security.Cryptography.SHA...` and
+ * the method `HashData()` declared in `Windows.Security.Cryptography.Core.HashAlgorithmProvider`.
+ */
+class HashMethod extends Method {
+  HashMethod() {
+    this.getDeclaringType() instanceof SHA and
+    this.hasName("ComputeHash")
+    or
+    this.getDeclaringType() instanceof HashAlgorithmProvider and
+    this.hasName("HashData")
  }
 }

@@ -55,11 +53,9 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof PasswordVarExpr }

  override predicate isSink(DataFlow::Node sink) {
-    exists(ComputeHashMethodCall mc |
-      sink.asExpr() = mc.getArgument(0) // sha256Hash.ComputeHash(rawDatabytes)
-    ) or
-    exists(HashDataMethodCall mc |
-      sink.asExpr() = mc.getArgument(0) // algProv.HashData(rawDatabytes)
+    exists(MethodCall mc |
+      sink.asExpr() = mc.getArgument(0) and
+      mc.getTarget() instanceof HashMethod
    )
  }

--- a/csharp/ql/src/experimental/Security
+++ b/csharp/ql/src/experimental/Security
@@ -1,45 +0,0 @@
-namespace Windows.Security.Cryptography
-{
-    public enum BinaryStringEncoding
-    {
-        Utf8,
-        Utf16LE,
-        Utf16BE
-    }
-
-    public static class CryptographicBuffer
-    {
-        public static Windows.Storage.Streams.IBuffer ConvertStringToBinary(string value, BinaryStringEncoding encoding) => throw null;
-
-        public static string EncodeToBase64String(Windows.Storage.Streams.IBuffer buffer) => throw null;
-    }
-}
-
-namespace Windows.Storage.Streams
-{
-    public interface IBuffer {
-        public uint Capacity { get; }
-
-        public uint Length { get; set; }
-     }
-}
-
-namespace Windows.Security.Cryptography.Core
-{
-    public sealed class CryptographicKey { }
-
-    public sealed class SymmetricKeyAlgorithmProvider
-    {
-        public CryptographicKey CreateSymmetricKey(Windows.Storage.Streams.IBuffer keyMaterial) => throw null;
-    }
-
-    public sealed class HashAlgorithmProvider {
-        public string AlgorithmName { get; }
-
-        public uint HashLength { get; }
-
-        public static HashAlgorithmProvider OpenAlgorithm(string algorithm) => throw null;
-
-        public Windows.Storage.Streams.IBuffer HashData(Windows.Storage.Streams.IBuffer data) => throw null;
-    }
-}