Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS library.

2025-12-24 04:36:35 +01:00 · 2023-04-13 23:16:20 -04:00
parent 15d5ad7a66
commit ec97cdc8a0
2 changed files with 9 additions and 0 deletions
--- a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash
+++ b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+* SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
--- a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
@@ -627,6 +627,10 @@ private module Forge {
        // require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog');
        this =
          getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall()
+        or
+        // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog');
+        this =
+          getAnImportNode().getMember("md").getMember(algorithmName).getAMember().getMember("create").getACall()
      )
    }