hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: add tests for rb/weak-sensitive-data-hashing

Browse Source
This commit is contained in:
Alex Ford
2024-06-18 17:47:32 +01:00
parent 81ec6861f9
commit d994959720
3 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected Normal file
View File

@@ -0,0 +1,28 @@
edges
| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:6:1:6:1 | x | provenance | |
| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | provenance | |
| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | provenance | |
| weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | provenance | |
| weak_hashing.rb:6:1:6:1 | x | weak_hashing.rb:13:23:13:23 | x | provenance | |
| weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | provenance | |
nodes
| weak_hashing.rb:3:1:3:8 | password | semmle.label | password |
| weak_hashing.rb:4:1:4:8 | username | semmle.label | username |
| weak_hashing.rb:6:1:6:1 | x | semmle.label | x |
| weak_hashing.rb:10:23:10:30 | password | semmle.label | password |
| weak_hashing.rb:11:32:11:39 | password | semmle.label | password |
| weak_hashing.rb:12:23:12:30 | username | semmle.label | username |
| weak_hashing.rb:13:23:13:23 | x | semmle.label | x |
| weak_hashing.rb:24:23:24:36 | call to get_password | semmle.label | call to get_password |
| weak_hashing.rb:28:23:28:42 | ...[...] | semmle.label | ...[...] |
| weak_hashing.rb:30:25:30:38 | password_param | semmle.label | password_param |
| weak_hashing.rb:32:25:32:38 | password_param | semmle.label | password_param |
subpaths
#select
| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) |
| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) |
| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] | Sensitive data (password) |
| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) |

1
ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref Normal file
View File

@@ -0,0 +1 @@
queries/security/cwe-327/WeakSensitiveDataHashing.ql

33
ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb Normal file
View File

@@ -0,0 +1,33 @@
require 'openssl'
password = "abcde"
username = "some_user"
some_data = "foo"
x = password
Digest::MD5.hexdigest(some_data) # OK: input is not sensitive
Digest::SHA256.hexdigest(password) # OK: strong hash algorithm
Digest::MD5.hexdigest(password) # BAD: weak hash function used for sensitive data
OpenSSL::Digest.digest('SHA1', password) # BAD: weak hash function used for sensitive data
Digest::MD5.hexdigest(username) # BAD: weak hash function used for sensitive data
Digest::MD5.hexdigest(x) # BAD: weak hash function used for sensitive data
def get_safe_data()
return "hello"
end
def get_password()
return "changeme"
end
# FIXME
Digest::MD5.hexdigest(get_safe_data()) # OK: input is not sensitive
Digest::MD5.hexdigest(get_password()) # BAD: weak hash function used for sensitive data
some_hash = {password: "changeme", foo: "bar"}
Digest::MD5.hexdigest(some_hash[:foo]) # OK: input is not sensitive
Digest::MD5.hexdigest(some_hash[:password]) # BAD: weak hash function used for sensitive data
def a_method(safe_data, password_param)
Digest::MD5.hexdigest(safe_data) # OK: input is not sensitive
Digest::MD5.hexdigest(password_param) # BAD: weak hash function used for sensitive data
end