hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add query help examples

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-11-03 13:23:11 +00:00
committed by Owen Mansel-Chan
parent 69ecdcb4cd
commit 8d7b2757bf
5 changed files with 64 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
go/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
View File

@@ -28,10 +28,10 @@
<example> <example>
<p> <p>
The following code uses the different packages to encrypt/hash The following code uses the different packages to encrypt
some secret data. The first few examples uses DES, MD5, RC4, and SHA1, some secret data. The first example uses DES,
which are older algorithms that are now considered weak. The following which is an older algorithm that is now considered weak. The following
examples use AES and SHA256, which are stronger, more modern algorithms. example uses AES, which is a stronger, more modern algorithm.
</p> </p>
<sample src="examples/Crypto.go" /> <sample src="examples/Crypto.go" />

23
go/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
View File

@@ -65,35 +65,28 @@
<p> <p>
The following example shows two functions for checking whether the hash The following example shows two functions for checking whether the hash
of a certificate matches a known value -- to prevent tampering. of a secret matches a known value.
The first function uses MD5 that is known to be vulnerable to collision attacks. The first function uses SHA-1 that is known to be vulnerable to collision attacks.
The second function uses SHA-256 that is a strong cryptographic hashing function. The second function uses SHA-256 that is a strong cryptographic hashing function.
</p> </p>
<sample src="examples/weak_certificate_hashing.rb" /> <sample src="examples/WeakSecretHashing.go" />
</example> </example>
<example> <example>
<p> <p>
The following example shows two functions for hashing passwords. The following example shows two functions for hashing passwords.
The first function uses SHA-256 to hash passwords. Although SHA-256 is a The first example uses SHA-256 to hash passwords. Although
strong cryptographic hash function, it is not suitable for password SHA-256 is a strong cryptographic hash function, it is not suitable for password
hashing since it is not computationally expensive. hashing since it is not computationally expensive.
The second function uses PBKDF2, which is a strong password hashing algorithm.
</p> </p>
<sample src="examples/weak_password_hashing_bad.rb" /> <sample src="examples/WeakPasswordHashing.go" />
<p>
The second function uses Argon2 (through the <code>argon2</code>
gem), which is a strong password hashing algorithm (and
includes a per-password salt by default).
</p>
<sample src="examples/weak_password_hashing_good.rb" />
</example> </example>

57
go/ql/src/Security/CWE-327/examples/Crypto.go
View File

@@ -3,51 +3,18 @@ package main
import ( import (
"crypto/aes" "crypto/aes"
"crypto/des" "crypto/des"
"crypto/md5"
"crypto/rc4"
"crypto/sha1"
"crypto/sha256"
) )
func main() { func EncryptMessageWeak(key []byte, message []byte) (dst []byte) {
public := []byte("hello") // BAD, DES is a weak crypto algorithm
block, _ := des.NewCipher(key)
password := []byte("123456") block.Encrypt(dst, message)
buf := password // testing dataflow by passing into different variable return
}
// BAD, des is a weak crypto algorithm and password is sensitive data
des.NewTripleDESCipher(buf) func EncryptMessageStrong(key []byte, message []byte) (dst []byte) {
// GOOD, AES is a weak crypto algorithm
// BAD, md5 is a weak crypto algorithm and password is sensitive data block, _ := aes.NewCipher(key)
md5.Sum(buf) block.Encrypt(dst, message)
return
// BAD, rc4 is a weak crypto algorithm and password is sensitive data
rc4.NewCipher(buf)
// BAD, sha1 is a weak crypto algorithm and password is sensitive data
sha1.Sum(buf)
// GOOD, password is sensitive data but aes is a strong crypto algorithm
aes.NewCipher(buf)
// GOOD, password is sensitive data but sha256 is a strong crypto algorithm
sha256.Sum256(buf)
// GOOD, des is a weak crypto algorithm but public is not sensitive data
des.NewTripleDESCipher(public)
// GOOD, md5 is a weak crypto algorithm but public is not sensitive data
md5.Sum(public)
// GOOD, rc4 is a weak crypto algorithm but public is not sensitive data
rc4.NewCipher(public)
// GOOD, sha1 is a weak crypto algorithm but public is not sensitive data
sha1.Sum(public)
// GOOD, aes is a strong crypto algorithm and public is not sensitive data
aes.NewCipher(public)
// GOOD, sha256 is a strong crypto algorithm and public is not sensitive data
sha256.Sum256(public)
} }

21
go/ql/src/Security/CWE-327/examples/WeakPasswordHashing.go Normal file
View File

@@ -0,0 +1,21 @@
package main
import (
"crypto/pbkdf2"
"crypto/rand"
"crypto/sha256"
"crypto/sha512"
)
func GetPasswordHashBad(password string) [32]byte {
// BAD, SHA256 is a strong hashing algorithm but it is not computationally expensive
return sha256.Sum256([]byte(password))
}
func GetPasswordHashGood(password string) []byte {
// GOOD, PBKDF2 is a strong hashing algorithm and it is computationally expensive
salt := make([]byte, 16)
rand.Read(salt)
key, _ := pbkdf2.Key(sha512.New, password, salt, 4096, 32)
return key
}

19
go/ql/src/Security/CWE-327/examples/WeakSecretHashing.go Normal file
View File

@@ -0,0 +1,19 @@
package main
import (
"crypto/sha1"
"crypto/sha256"
"slices"
)
func SecretMatchesKnownHashBad(secret []byte, known_hash []byte) bool {
// BAD, SHA1 is a weak crypto algorithm and secret is sensitive data
h := sha1.New()
return slices.Equal(h.Sum(secret), known_hash)
}
func SecretMatchesKnownHashGood(secret []byte, known_hash []byte) bool {
// GOOD, SHA256 is a strong hashing algorithm
h := sha256.New()
return slices.Equal(h.Sum(secret), known_hash)
}