Merge pull request #12825 from smiddy007/JS-Allow-Truncated-Hash-Forge-NonKeyCipher

JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…
2026-04-28 10:15:14 +02:00 · 2023-05-02 13:59:30 +02:00
parent 353d5f82a6 a2a82fcde9
commit 67afbee06d
2 changed files with 14 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
@@ -627,6 +627,15 @@ private module Forge {
        // require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog');
        this =
          getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall()
+        or
+        // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog');
+        this =
+          getAnImportNode()
+              .getMember("md")
+              .getMember(algorithmName)
+              .getAMember()
+              .getMember("create")
+              .getACall()
      )
    }

--- a/javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md
+++ b/javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+  SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.