Crypto: adding initial weak hash query overhaul and tests, but no expected file yet.

2026-05-04 21:25:44 +02:00 · 2025-10-13 12:04:51 -04:00
parent 08abdb8c85
commit 4b241d7065
4 changed files with 60 additions and 7 deletions
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHash.qlref
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHash.qlref
@@ -0,0 +1,4 @@
+query: experimental/quantum/Examples/WeakHash.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java
@@ -0,0 +1,44 @@
+package test.cwe327.semmle.tests;
+
+import java.util.Properties;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class WeakHashing {
+    void hashing() throws NoSuchAlgorithmException, IOException {
+        java.util.Properties props = new java.util.Properties();
+        props.load(new FileInputStream("example.properties"));
+
+        // BAD: Using a weak hashing algorithm even with a secure default
+        MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1"));
+
+        // BAD: Using a weak hashing algorithm even with a secure default
+        MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256"));
+
+        // BAD: Using a strong hashing algorithm but with a weak default
+        MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));
+
+        // BAD: Property does not exist and default (used value) is unknown
+        MessageDigest bad4 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default"));
+
+        // GOOD: Using a strong hashing algorithm
+        MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
+
+        // BAD?: Property does not exist (considered unknown) and but default is secure
+        MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256"));
+
+        // GOOD: Using a strong hashing algorithm
+        MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
+
+         // GOOD: Using a strong hashing algorithm
+        MessageDigest ok4 = MessageDigest.getInstance("SHA384");
+
+        props.load(new FileInputStream("unobserved-file.properties"));
+
+        // BAD: "hashalg1" is not visible since the file isn't known, this is an 'unknown' hash
+        // False positive/negative
+        MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256"));
+    }
+}
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/example.properties
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/example.properties
@@ -0,0 +1,2 @@
+hashAlg1=MD5
+hashAlg2=SHA-256