Merge pull request #14040 from egregius313/egregius313/weak-hashing-properties

Java: Add support for algorithm names specified in `.properties` files to `java/potentially-weak-cryptographic-algorithm`

java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected

@@ -1,6 +1,8 @@
 edges
 nodes
 | Test.java:34:48:34:52 | "foo" | semmle.label | "foo" |
+| WeakHashing.java:15:55:15:83 | getProperty(...) | semmle.label | getProperty(...) |
 subpaths
 #select
 | Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | foo |
+| WeakHashing.java:15:29:15:84 | getInstance(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:15:55:15:83 | getProperty(...) | MD5 |

java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java

@@ -0,0 +1,20 @@
+package test.cwe327.semmle.tests;
+
+import java.util.Properties;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class WeakHashing {
+    void hashing() throws NoSuchAlgorithmException, IOException {
+        java.util.Properties props = new java.util.Properties();
+        props.load(new FileInputStream("example.properties"));
+
+        // BAD: Using a weak hashing algorithm
+        MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1"));
+
+        // GOOD: Using a strong hashing algorithm
+        MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
+    }
+}

java/ql/test/query-tests/security/CWE-327/semmle/tests/example.properties

@@ -0,0 +1,2 @@
+hashAlg1=MD5
+hashAlg2=SHA-256