add cryptographic key model to the crypto-js library

2026-04-30 11:15:13 +02:00 · 2021-11-01 15:32:21 +01:00
parent 028799deb6
commit 62039b866c
4 changed files with 41 additions and 2 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
@@ -1,2 +1,5 @@
 | tst.js:3:14:3:71 | crypto. ... 1024 }) | Creation of an asymmetric RSA key uses 1024 bits, which is below 2048 and considered breakable. |
 | tst.js:7:14:7:59 | crypto. ... : 64 }) | Creation of an symmetric key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:14:14:14:56 | CryptoJ ... e: 2 }) | Creation of an symmetric PBKDF2 key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:15:14:15:60 | CryptoJ ... e: 2 }) | Creation of an symmetric PBKDF2 key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:16:14:16:60 | CryptoJ ... e: 2 }) | Creation of an symmetric EVPKDF key uses 64 bits, which is below 128 and considered breakable. |
--- a/javascript/ql/test/query-tests/Security/CWE-326/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.js
@@ -6,4 +6,11 @@ const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK

 const bad2 = crypto.generateKeySync("hmac", { length: 64 }); // NOT OK

-const good2 = crypto.generateKeySync("aes", { length: 256 }); // OK
+const good2 = crypto.generateKeySync("aes", { length: 256 }); // OK
+
+var CryptoJS = require("crypto-js");
+
+const bad3 = CryptoJS.algo.PBKDF2.create({ keySize: 2 }); // NOT OK
+const bad4 = CryptoJS.PBKDF2(password, salt, { keySize: 2 }); // NOT OK
+const bad5 = CryptoJS.EvpKDF(password, salt, { keySize: 2 }); // NOT OK
+const bad4 = CryptoJS.PBKDF2(password, salt, { keySize: 8 }); // OK