hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add the c# program to src and address the issue with algorithm type

Browse Source
This commit is contained in:
luchua-bc
2021-01-26 17:29:52 +00:00
parent 46fd5bd92e
commit 8ed2bc59ad
2 changed files with 73 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.cs Normal file
View File

@@ -0,0 +1,65 @@
public class Test
{
private const int SaltSize = 32;
// BAD - Hash without a salt.
public static String HashPassword(string password, string strAlgName ="SHA256")
{
IBuffer passBuff = CryptographicBuffer.ConvertStringToBinary(password, BinaryStringEncoding.Utf8);
HashAlgorithmProvider algProvider = HashAlgorithmProvider.OpenAlgorithm(strAlgName);
IBuffer hashBuff = algProvider.HashData(passBuff);
return CryptographicBuffer.EncodeToBase64String(hashBuff);
}
// GOOD - Hash with a salt.
public static string HashPassword2(string password, string salt, string strAlgName ="SHA256")
{
// Concatenate the salt with the password.
IBuffer passBuff = CryptographicBuffer.ConvertStringToBinary(password+salt, BinaryStringEncoding.Utf8);
HashAlgorithmProvider algProvider = HashAlgorithmProvider.OpenAlgorithm(strAlgName);
IBuffer hashBuff = algProvider.HashData(passBuff);
return CryptographicBuffer.EncodeToBase64String(hashBuff);
}
// BAD - Hash without a salt.
public static string HashPassword(string password)
{
SHA256 sha256Hash = SHA256.Create();
byte[] passBytes = System.Text.Encoding.ASCII.GetBytes(password);
byte[] hashBytes = sha256Hash.ComputeHash(passBytes);
return Convert.ToBase64String(hashBytes);
}
// GOOD - Hash with a salt.
public static string HashPassword2(string password)
{
byte[] passBytes = System.Text.Encoding.ASCII.GetBytes(password);
byte[] saltBytes = GenerateSalt();
// Add the salt to the hash.
byte[] rawSalted = new byte[passBytes.Length + saltBytes.Length];
passBytes.CopyTo(rawSalted, 0);
saltBytes.CopyTo(rawSalted, passBytes.Length);
//Create the salted hash.
SHA256 sha256 = SHA256.Create();
byte[] saltedPassBytes = sha256.ComputeHash(rawSalted);
// Add the salt value to the salted hash.
byte[] dbPassword = new byte[saltedPassBytes.Length + saltBytes.Length];
saltedPassBytes.CopyTo(dbPassword, 0);
saltBytes.CopyTo(dbPassword, saltedPassBytes.Length);
return Convert.ToBase64String(dbPassword);
}
public static byte[] GenerateSalt()
{
using (var rng = new RNGCryptoServiceProvider())
{
var randomNumber = new byte[SaltSize];
rng.GetBytes(randomNumber);
return randomNumber;
}
}
}

15
csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
View File

@@ -11,24 +11,25 @@ import csharp
import semmle.code.csharp.dataflow.TaintTracking import semmle.code.csharp.dataflow.TaintTracking
import DataFlow::PathGraph import DataFlow::PathGraph
/** The C# class `System.Security.Cryptography.SHA...` other than the weak `SHA1`. */ /** The C# class `Windows.Security.Cryptography.Core.HashAlgorithmProvider`. */
class SHA extends RefType {
SHA() { this.getQualifiedName().regexpMatch("System\\.Security\\.Cryptography\\.SHA\\d{2,3}") }
}
class HashAlgorithmProvider extends RefType { class HashAlgorithmProvider extends RefType {
HashAlgorithmProvider() { HashAlgorithmProvider() {
this.hasQualifiedName("Windows.Security.Cryptography.Core", "HashAlgorithmProvider") this.hasQualifiedName("Windows.Security.Cryptography.Core", "HashAlgorithmProvider")
} }
} }
/** The C# class `System.Security.Cryptography.HashAlgorithm`. */
class HashAlgorithm extends RefType {
HashAlgorithm() { this.hasQualifiedName("System.Security.Cryptography", "HashAlgorithm") }
}
/** /**
* The method `ComputeHash()` declared in `System.Security.Cryptography.SHA...` and * The method `ComputeHash()` declared in `System.Security.Cryptography.HashAlgorithm` and
* the method `HashData()` declared in `Windows.Security.Cryptography.Core.HashAlgorithmProvider`. * the method `HashData()` declared in `Windows.Security.Cryptography.Core.HashAlgorithmProvider`.
*/ */
class HashMethod extends Method { class HashMethod extends Method {
HashMethod() { HashMethod() {
this.getDeclaringType() instanceof SHA and this.getDeclaringType() instanceof HashAlgorithm and
this.hasName("ComputeHash") this.hasName("ComputeHash")
or or
this.getDeclaringType() instanceof HashAlgorithmProvider and this.getDeclaringType() instanceof HashAlgorithmProvider and