hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add py/weak-sensitive-data-hashing query

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2021-04-22 11:49:38 +02:00
parent 499adc26a3
commit ac83c695ad
12 changed files with 488 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/README.md Normal file
View File

@@ -0,0 +1,3 @@
Note that the tests in this directory are very shallow, and simply show that the query is able to produce alerts.
More in-depth tests can be found for the individual frameworks that we have modeled `Cryptography::CryptographicOperation` for.

27
python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected Normal file
View File

@@ -0,0 +1,27 @@
edges
| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous |
| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous |
| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous |
| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous |
| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous |
| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous |
nodes
| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
#select
| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) |
| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) |
| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) |
| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) |

1
python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-327/WeakSensitiveDataHashing.ql

25
python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py Normal file
View File

@@ -0,0 +1,25 @@
from Cryptodome.Hash import MD5, SHA256
from my_module import get_password, get_certificate
def get_badly_hashed_certificate():
dangerous = get_certificate()
hasher = MD5.new()
hasher.update(dangerous) # NOT OK
return hasher.hexdigest()
def get_badly_hashed_password():
dangerous = get_password()
hasher = MD5.new()
hasher.update(dangerous) # NOT OK
return hasher.hexdigest()
def get_badly_hashed_password2():
dangerous = get_password()
# Although SHA-256 is a strong cryptographic hash functions,
# it is not suitable for password hashing.
hasher = SHA256.new()
hasher.update(dangerous) # NOT OK
return hasher.hexdigest()

29
python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py Normal file
View File

@@ -0,0 +1,29 @@
from cryptography.hazmat.primitives import hashes
from binascii import hexlify
from my_module import get_password, get_certificate
def get_badly_hashed_certificate():
dangerous = get_certificate()
hasher = hashes.Hash(hashes.MD5())
hasher.update(dangerous) # NOT OK
digest = hasher.finalize()
return hexlify(digest).decode("utf-8")
def get_badly_hashed_password():
dangerous = get_password()
hasher = hashes.Hash(hashes.MD5())
hasher.update(dangerous) # NOT OK
digest = hasher.finalize()
return hexlify(digest).decode("utf-8")
def get_badly_hashed_password2():
dangerous = get_password()
# Although SHA-256 is a strong cryptographic hash functions,
# it is not suitable for password hashing.
hasher = hashes.Hash(hashes.SHA256())
hasher.update(dangerous) # NOT OK
digest = hasher.finalize()
return hexlify(digest).decode("utf-8")