hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.22.1
codeql/rust/ql/test/query-tests/security/CWE-328/test.rs
Geoffrey White bfe9cdfed5 Rust: Add model for str.trim and as_bytes.
2025-04-15 11:26:52 +01:00

161 lines
6.5 KiB
Rust
Raw Permalink Blame History

use md5::{Digest};
use serde::{Serialize};
use argon2::{PasswordHasher};
// --- tests ---
fn test_hash_algorithms(
harmless: &str, credit_card_no: &str, password: &str, encrypted_password: &str, salt: &str
) {
// test hashing with different algorithms and data
// MD5
_ = md5::Md5::digest(harmless);
_ = md5::Md5::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(encrypted_password);
// MD5 (alternative / older library)
_ = md5_alt::compute(harmless);
_ = md5_alt::compute(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5_alt::compute(password); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5_alt::compute(encrypted_password);
// SHA-1
_ = sha1::Sha1::digest(harmless);
_ = sha1::Sha1::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
_ = sha1::Sha1::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
_ = sha1::Sha1::digest(encrypted_password);
// SHA-1 checked
_ = sha1_checked::Sha1::digest(harmless);
_ = sha1_checked::Sha1::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
_ = sha1_checked::Sha1::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
_ = sha1_checked::Sha1::digest(encrypted_password);
// SHA-256 (appropriate for sensitive data hashing)
_ = sha3::Sha3_256::digest(harmless);
_ = sha3::Sha3_256::digest(credit_card_no);
_ = sha3::Sha3_256::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
_ = sha3::Sha3_256::digest(encrypted_password);
// Argon2 (appropriate for password hashing)
let argon2_salt = argon2::password_hash::Salt::from_b64(salt).unwrap();
_ = argon2::Argon2::default().hash_password(harmless.as_bytes(), argon2_salt).unwrap().to_string();
_ = argon2::Argon2::default().hash_password(credit_card_no.as_bytes(), argon2_salt).unwrap().to_string();
_ = argon2::Argon2::default().hash_password(password.as_bytes(), argon2_salt).unwrap().to_string();
_ = argon2::Argon2::default().hash_password(encrypted_password.as_bytes(), argon2_salt).unwrap().to_string();
}
fn test_hash_code_patterns(
harmless: &str, password: &str,
harmless_str: String, password_str: String,
harmless_arr: &[u8], password_arr: &[u8],
harmless_vec: Vec<u8>, password_vec: Vec<u8>
) {
// test hashing with different code patterns
// hash different types of data
_ = md5::Md5::digest(harmless_str);
_ = md5::Md5::digest(password_str); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(harmless_arr);
_ = md5::Md5::digest(password_arr); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(harmless_vec);
_ = md5::Md5::digest(password_vec); // $ Alert[rust/weak-sensitive-data-hashing]
// hash through a hasher object
let mut md5_hasher = md5::Md5::new();
md5_hasher.update(b"abc");
md5_hasher.update(harmless);
md5_hasher.update(password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
_ = md5_hasher.finalize();
_ = md5::Md5::new().chain_update(harmless).chain_update(harmless).chain_update(harmless).finalize();
_ = md5::Md5::new().chain_update(harmless).chain_update(password).chain_update(harmless).finalize(); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::new_with_prefix(harmless).finalize();
_ = md5::Md5::new_with_prefix(password).finalize(); // $ Alert[rust/weak-sensitive-data-hashing]
// hash transformed data
_ = md5::Md5::digest(harmless.trim());
_ = md5::Md5::digest(password.trim()); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(harmless.as_bytes());
_ = md5::Md5::digest(password.as_bytes()); // $ Alert[rust/weak-sensitive-data-hashing]
_ = md5::Md5::digest(std::str::from_utf8(harmless_arr).unwrap());
_ = md5::Md5::digest(std::str::from_utf8(password_arr).unwrap()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
}
#[derive(Serialize)]
struct MyStruct1 {
id: u64,
data: String,
}
#[derive(Serialize)]
struct MyStruct2 {
id: u64,
credit_card_no: String,
}
#[derive(Serialize)]
struct MyStruct3 {
id: u64,
password: String,
}
fn test_hash_structs() {
// test hashing with data in a struct
let s1 = MyStruct1 {
id: 1,
data: "0123456789".to_string(),
};
let s2 = MyStruct2 {
id: 2,
credit_card_no: "0123456789".to_string(),
};
let s3 = MyStruct3 {
id: 3,
password: "0123456789".to_string(),
};
// serialize with serde
let str1a = serde_json::to_string(&s1).unwrap();
let str2a = serde_json::to_string(&s2).unwrap();
let str3a = serde_json::to_string(&s3).unwrap();
let str1b = serde_json::to_vec(&s1).unwrap();
let str2b = serde_json::to_vec(&s2).unwrap();
let str3b = serde_json::to_vec(&s3).unwrap();
let str1c = serde_urlencoded::to_string(&s1).unwrap();
let str2c = serde_urlencoded::to_string(&s2).unwrap();
let str3c = serde_urlencoded::to_string(&s3).unwrap();
// hash with MD5
let mut md5_hasher = md5::Md5::new();
md5_hasher.update(s1.data);
md5_hasher.update(s2.credit_card_no); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(s3.password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str1a);
md5_hasher.update(str2a); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str3a); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str1b);
md5_hasher.update(str2b); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str3b); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str1c);
md5_hasher.update(str2c); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
md5_hasher.update(str3c); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
_ = md5_hasher.finalize();
}
fn test_hash_file(
harmless_filename: &str, password_filename: &str
) {
// test hashing files
let mut harmless_file = std::fs::File::open(harmless_filename).unwrap();
let mut password_file = std::fs::File::open(password_filename).unwrap();
let mut md5_hasher = md5::Md5::new();
_ = std::io::copy(&mut harmless_file, &mut md5_hasher);
_ = std::io::copy(&mut password_file, &mut md5_hasher); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
_ = md5_hasher.finalize();
}
Reference in New Issue View Git Blame Copy Permalink