Merge pull request #12666 from smiddy007/improve-insufficient-pw-hash-query

JS: Improve insufficient pw hash query

javascript/ql/src/Security/CWE-916/examples/InsufficientPasswordHash_CryptoJS.js

@@ -0,0 +1,8 @@
+const crypto = require('crypto-js')
+function hashPassword(email, password) {
+  var algo = crypto.algo.SHA512.create()
+  algo.update(password, 'utf-8') // BAD
+  algo.update(email.toLowerCase(), 'utf-8')
+  var hash = algo.finalize()
+  return hash.toString(crypto.enc.Base64)
+}

javascript/ql/src/Security/CWE-916/examples/InsufficientPasswordHash_CryptoJS_fixed

@@ -0,0 +1,8 @@
+const crypto = require('crypto-js')
+function hashPassword(email, password) {
+  var algo = crypto.algo.PBKDF2.create()
+  algo.update(password, 'utf-8') // GOOD
+  algo.update(email.toLowerCase(), 'utf-8')
+  var hash = algo.finalize()
+  return hash.toString(crypto.enc.Base64)
+}