From a70d74220f5a3d77adb7394d25ec832ef16f0d9f Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 18 Nov 2025 22:56:49 +0000
Subject: [PATCH] Add test for good password hashing

---
 .../CWE-327/WeakSensitiveDataHashing.expected | 34 ++++++++++---------
 .../query-tests/Security/CWE-327/hashing.go   | 16 +++++++--
 2 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/go/ql/test/query-tests/Security/CWE-327/WeakSensitiveDataHashing.expected b/go/ql/test/query-tests/Security/CWE-327/WeakSensitiveDataHashing.expected
index 301658e22cb..e2ee4bdd7a7 100644
--- a/go/ql/test/query-tests/Security/CWE-327/WeakSensitiveDataHashing.expected
+++ b/go/ql/test/query-tests/Security/CWE-327/WeakSensitiveDataHashing.expected
@@ -1,22 +1,24 @@
 #select
-| hashing.go:20:8:20:22 | secretByteSlice | hashing.go:20:8:20:22 | secretByteSlice | hashing.go:20:8:20:22 | secretByteSlice | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:20:8:20:22 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:21:10:21:24 | secretByteSlice | hashing.go:21:10:21:24 | secretByteSlice | hashing.go:21:10:21:24 | secretByteSlice | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:21:10:21:24 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:22:20:22:31 | secretString | hashing.go:22:20:22:31 | secretString | hashing.go:22:20:22:31 | secretString | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:22:20:22:31 | secretString | Sensitive data (secret) |
+| hashing.go:22:8:22:22 | secretByteSlice | hashing.go:22:8:22:22 | secretByteSlice | hashing.go:22:8:22:22 | secretByteSlice | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:22:8:22:22 | secretByteSlice | Sensitive data (secret) |
 | hashing.go:23:10:23:24 | secretByteSlice | hashing.go:23:10:23:24 | secretByteSlice | hashing.go:23:10:23:24 | secretByteSlice | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:23:10:23:24 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:25:17:25:31 | secretByteSlice | hashing.go:25:17:25:31 | secretByteSlice | hashing.go:25:17:25:31 | secretByteSlice | $@ is used in a hashing algorithm (SHA1) that is insecure. | hashing.go:25:17:25:31 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:26:11:26:25 | secretByteSlice | hashing.go:26:11:26:25 | secretByteSlice | hashing.go:26:11:26:25 | secretByteSlice | $@ is used in a hashing algorithm (SHA1) that is insecure. | hashing.go:26:11:26:25 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:28:16:28:30 | secretByteSlice | hashing.go:28:16:28:30 | secretByteSlice | hashing.go:28:16:28:30 | secretByteSlice | $@ is used in a hashing algorithm (MD4) that is insecure. | hashing.go:28:16:28:30 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:29:22:29:36 | secretByteSlice | hashing.go:29:22:29:36 | secretByteSlice | hashing.go:29:22:29:36 | secretByteSlice | $@ is used in a hashing algorithm (RIPEMD160) that is insecure. | hashing.go:29:22:29:36 | secretByteSlice | Sensitive data (secret) |
-| hashing.go:80:16:80:23 | password | hashing.go:80:16:80:23 | password | hashing.go:80:16:80:23 | password | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | hashing.go:80:16:80:23 | password | Sensitive data (password) |
+| hashing.go:24:20:24:31 | secretString | hashing.go:24:20:24:31 | secretString | hashing.go:24:20:24:31 | secretString | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:24:20:24:31 | secretString | Sensitive data (secret) |
+| hashing.go:25:10:25:24 | secretByteSlice | hashing.go:25:10:25:24 | secretByteSlice | hashing.go:25:10:25:24 | secretByteSlice | $@ is used in a hashing algorithm (MD5) that is insecure. | hashing.go:25:10:25:24 | secretByteSlice | Sensitive data (secret) |
+| hashing.go:27:17:27:31 | secretByteSlice | hashing.go:27:17:27:31 | secretByteSlice | hashing.go:27:17:27:31 | secretByteSlice | $@ is used in a hashing algorithm (SHA1) that is insecure. | hashing.go:27:17:27:31 | secretByteSlice | Sensitive data (secret) |
+| hashing.go:28:11:28:25 | secretByteSlice | hashing.go:28:11:28:25 | secretByteSlice | hashing.go:28:11:28:25 | secretByteSlice | $@ is used in a hashing algorithm (SHA1) that is insecure. | hashing.go:28:11:28:25 | secretByteSlice | Sensitive data (secret) |
+| hashing.go:30:16:30:30 | secretByteSlice | hashing.go:30:16:30:30 | secretByteSlice | hashing.go:30:16:30:30 | secretByteSlice | $@ is used in a hashing algorithm (MD4) that is insecure. | hashing.go:30:16:30:30 | secretByteSlice | Sensitive data (secret) |
+| hashing.go:31:22:31:36 | secretByteSlice | hashing.go:31:22:31:36 | secretByteSlice | hashing.go:31:22:31:36 | secretByteSlice | $@ is used in a hashing algorithm (RIPEMD160) that is insecure. | hashing.go:31:22:31:36 | secretByteSlice | Sensitive data (secret) |
+| hashing.go:82:23:82:38 | type conversion | hashing.go:82:30:82:37 | password | hashing.go:82:23:82:38 | type conversion | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | hashing.go:82:30:82:37 | password | Sensitive data (password) |
 edges
+| hashing.go:82:30:82:37 | password | hashing.go:82:23:82:38 | type conversion | provenance |  |
 nodes
-| hashing.go:20:8:20:22 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:21:10:21:24 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:22:20:22:31 | secretString | semmle.label | secretString |
+| hashing.go:22:8:22:22 | secretByteSlice | semmle.label | secretByteSlice |
 | hashing.go:23:10:23:24 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:25:17:25:31 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:26:11:26:25 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:28:16:28:30 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:29:22:29:36 | secretByteSlice | semmle.label | secretByteSlice |
-| hashing.go:80:16:80:23 | password | semmle.label | password |
+| hashing.go:24:20:24:31 | secretString | semmle.label | secretString |
+| hashing.go:25:10:25:24 | secretByteSlice | semmle.label | secretByteSlice |
+| hashing.go:27:17:27:31 | secretByteSlice | semmle.label | secretByteSlice |
+| hashing.go:28:11:28:25 | secretByteSlice | semmle.label | secretByteSlice |
+| hashing.go:30:16:30:30 | secretByteSlice | semmle.label | secretByteSlice |
+| hashing.go:31:22:31:36 | secretByteSlice | semmle.label | secretByteSlice |
+| hashing.go:82:23:82:38 | type conversion | semmle.label | type conversion |
+| hashing.go:82:30:82:37 | password | semmle.label | password |
 subpaths
diff --git a/go/ql/test/query-tests/Security/CWE-327/hashing.go b/go/ql/test/query-tests/Security/CWE-327/hashing.go
index 0b0cbb56e74..002e94568a2 100644
--- a/go/ql/test/query-tests/Security/CWE-327/hashing.go
+++ b/go/ql/test/query-tests/Security/CWE-327/hashing.go
@@ -5,6 +5,8 @@ package main
 
 import (
 	"crypto/md5"
+	"crypto/pbkdf2"
+	"crypto/rand"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha3"
@@ -75,7 +77,15 @@ func StrongHashes() {
 	sha3.SumSHAKE256(secretByteSlice, 100)             // $ CryptographicOperation="SHAKE256. init from 0 lines above."
 }
 
-func PasswordHashing() {
-	password := []byte("")
-	sha256.Sum256(password) // $ Alert[go/weak-sensitive-data-hashing] CryptographicOperation="SHA256. init from 0 lines above."
+func GetPasswordHashBad(password string) [32]byte {
+	// BAD, SHA256 is a strong hashing algorithm but it is not computationally expensive
+	return sha256.Sum256([]byte(password)) // $ Alert[go/weak-sensitive-data-hashing] CryptographicOperation="SHA256. init from 0 lines above."
+}
+
+func GetPasswordHashGood(password string) []byte {
+	// GOOD, PBKDF2 is a strong hashing algorithm and it is computationally expensive
+	salt := make([]byte, 16)
+	rand.Read(salt)
+	key, _ := pbkdf2.Key(sha512.New, password, salt, 4096, 32)
+	return key
 }