Rust: Additional test cases for weak sensitive data hashing.

2026-06-24 22:27:03 +02:00 · 2026-06-17 17:14:31 +01:00
parent 3aaeb68553
commit b86cb6df63
3 changed files with 78 additions and 0 deletions
--- a/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/CryptographicOperations.expected
+++ b/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/CryptographicOperations.expected
@@ -7,3 +7,6 @@
 | test.rs:74:9:74:23 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
 | test.rs:133:26:133:40 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
 | test.rs:156:26:156:40 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:176:13:176:23 | ...::new(...) | EncryptionAlgorithm SEED   |
+| test.rs:199:22:199:32 | ...::new(...) | HashingAlgorithm SHA1 WEAK  |
+| test.rs:211:13:211:35 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |
--- a/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
+++ b/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
@@ -1,9 +1,13 @@
 #select
 | test.rs:20:9:20:24 | ...::compute | test.rs:20:26:20:39 | credit_card_no | test.rs:20:9:20:24 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure. | test.rs:20:26:20:39 | credit_card_no | Sensitive data (private) |
 | test.rs:21:9:21:24 | ...::compute | test.rs:21:26:21:33 | password | test.rs:21:9:21:24 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:21:26:21:33 | password | Sensitive data (password) |
+| test.rs:211:13:211:28 | ...::compute | test.rs:226:29:226:36 | password | test.rs:211:13:211:28 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:226:29:226:36 | password | Sensitive data (password) |
 edges
 | test.rs:20:26:20:39 | credit_card_no | test.rs:20:9:20:24 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
 | test.rs:21:26:21:33 | password | test.rs:21:9:21:24 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
+| test.rs:210:20:210:30 | ...: ... | test.rs:211:30:211:34 | value | provenance |  |
+| test.rs:211:30:211:34 | value | test.rs:211:13:211:28 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
+| test.rs:226:29:226:36 | password | test.rs:210:20:210:30 | ...: ... | provenance |  |
 models
 | 1 | Sink: md5::compute; Argument[0]; hasher-input |
 nodes
@@ -11,4 +15,8 @@ nodes
 | test.rs:20:26:20:39 | credit_card_no | semmle.label | credit_card_no |
 | test.rs:21:9:21:24 | ...::compute | semmle.label | ...::compute |
 | test.rs:21:26:21:33 | password | semmle.label | password |
+| test.rs:210:20:210:30 | ...: ... | semmle.label | ...: ... |
+| test.rs:211:13:211:28 | ...::compute | semmle.label | ...::compute |
+| test.rs:211:30:211:34 | value | semmle.label | value |
+| test.rs:226:29:226:36 | password | semmle.label | password |
 subpaths
--- a/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/test.rs
+++ b/rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/test.rs
@@ -158,3 +158,70 @@ fn test_hash_file(
    _ = std::io::copy(&mut password_file, &mut md5_hasher); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5_hasher.finalize();
 }
+
+// ---
+
+struct Seed {
+}
+
+impl Seed {
+    fn new() -> Self {
+        Seed { }
+    }
+}
+
+fn test_seed() {
+    // this will be misrecognized as a use of the SEED algorithm, but being a strong
+    // algorithm there is no query result anyway.
+    let _ = Seed::new(); // $ Alert[rust/summary/cryptographic-operations]
+}
+
+// ---
+
+struct Sha1 {
+}
+
+impl Sha1 {
+    const fn new() -> Self {
+        Sha1 { }
+    }
+
+    const fn update(&mut self, _data: &[u8]) {
+        // ...
+    }
+
+    const fn finalize(self) -> [u8; 20] {
+        [0; 20]
+    }
+}
+
+fn sha1_test(password: &[u8]) {
+    let mut hasher = Sha1::new(); // $ Alert[rust/summary/cryptographic-operations]
+    hasher.update(password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
+    _ = hasher.finalize();
+}
+
+// ---
+
+struct HashCollection {
+}
+
+impl HashCollection {
+    pub fn add_sig(value: &str) -> Self {
+        _ = md5_alt::compute(value); // $ Alert[rust/summary/cryptographic-operations] Alert[rust/weak-sensitive-data-hashing]
+
+        // ...
+
+        HashCollection { }
+    }
+}
+
+fn test_hash_collection() {
+    // this indirectly performs MD5 hashing, but the data is not sensitive
+    let id: &str = "my_id_1234567890";
+    HashCollection::add_sig(id);
+
+    // this indirectly performs MD5 hashing, and the data is sensitive; the result is reported here
+    let password: &str = "password123";
+    HashCollection::add_sig(password); // $ Source
+}