codeql/rust/ql/test/query-tests/security/CWE-328/test.rs
Asger F cd0fd02e74 Rust: Remove 'Source' annotations from same line as Alert
Source tags should no longer be used when on the same line as the Alert.

The ones in this file went unnoticed, however, because *all* of them were on the same line as an Alert, which made the test library ignore every Source tag.
2025-02-21 14:44:48 +01:00


use md5::{Digest};
use serde::{Serialize};
use argon2::{PasswordHasher};
// --- tests ---
/// Exercises the weak-sensitive-data-hashing query across hash algorithms.
///
/// Every input is hashed with every algorithm; the inline `Alert` annotations
/// mark the calls the query is expected to report. All digests are discarded
/// with `_ =` — the function only drives the analysis and never validates
/// its arguments.
///
/// * `harmless` - no sensitivity hint; never expected to alert.
/// * `credit_card_no` - sensitive data: expected to alert with MD5 / SHA-1,
///   but accepted with SHA3-256 and Argon2.
/// * `password` - a password: expected to alert with every fast hash,
///   including SHA3-256; only Argon2 is accepted.
/// * `encrypted_password` - never expected to alert; presumably the
///   `encrypted` name keeps the query from treating it as sensitive
///   (inferred from the annotations, not visible here).
/// * `salt` - base64 text parsed by `Salt::from_b64`; the `unwrap` panics on
///   malformed input, which is acceptable in a fixture.
fn test_hash_algorithms(
    harmless: &str, credit_card_no: &str, password: &str, encrypted_password: &str, salt: &str
) {
    // test hashing with different algorithms and data

    // MD5 (`md5` crate, driven through the `Digest` trait)
    _ = md5::Md5::digest(harmless);
    _ = md5::Md5::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(encrypted_password);

    // MD5 (alternative / older library, free-function API)
    _ = md5_alt::compute(harmless);
    _ = md5_alt::compute(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5_alt::compute(password); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5_alt::compute(encrypted_password);

    // SHA-1
    _ = sha1::Sha1::digest(harmless);
    _ = sha1::Sha1::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = sha1::Sha1::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = sha1::Sha1::digest(encrypted_password);

    // SHA-1 checked (collision-detecting variant; still SHA-1, so the same
    // alerts are expected)
    _ = sha1_checked::Sha1::digest(harmless);
    _ = sha1_checked::Sha1::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = sha1_checked::Sha1::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = sha1_checked::Sha1::digest(encrypted_password);

    // SHA3-256 (the `sha3` crate's `Sha3_256`, not SHA-256). Appropriate for
    // hashing sensitive data in general, but it is still a fast hash, so the
    // password case is expected to alert: passwords need a slow, salted
    // password hash.
    _ = sha3::Sha3_256::digest(harmless);
    _ = sha3::Sha3_256::digest(credit_card_no);
    _ = sha3::Sha3_256::digest(password); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = sha3::Sha3_256::digest(encrypted_password);

    // Argon2 (appropriate for password hashing): no alerts expected for any
    // input. The fixture reuses one salt for all four calls so the data-flow
    // paths stay identical; real code derives a fresh random salt per password.
    let argon2_salt = argon2::password_hash::Salt::from_b64(salt).unwrap();
    _ = argon2::Argon2::default().hash_password(harmless.as_bytes(), argon2_salt).unwrap().to_string();
    _ = argon2::Argon2::default().hash_password(credit_card_no.as_bytes(), argon2_salt).unwrap().to_string();
    _ = argon2::Argon2::default().hash_password(password.as_bytes(), argon2_salt).unwrap().to_string();
    _ = argon2::Argon2::default().hash_password(encrypted_password.as_bytes(), argon2_salt).unwrap().to_string();
}
/// Exercises the weak-sensitive-data-hashing query across the ways data can
/// reach MD5, using `harmless*` / `password*` pairs of several types.
///
/// The `Alert` annotations mark the patterns the query currently reports;
/// the `MISSING` annotations mark password flows that should be reported but
/// are not yet: a value passed to an incremental `update`, a value in the
/// middle of a `chain_update` chain, and a value transformed by `trim`,
/// `as_bytes` or `str::from_utf8` before hashing. Every digest is discarded;
/// the function exists only to drive the analysis.
fn test_hash_code_patterns(
    harmless: &str, password: &str,
    harmless_str: String, password_str: String,
    harmless_arr: &[u8], password_arr: &[u8],
    harmless_vec: Vec<u8>, password_vec: Vec<u8>
) {
    // test hashing with different code patterns

    // hash different types of data: owned `String`, byte slice, `Vec<u8>`
    _ = md5::Md5::digest(harmless_str);
    _ = md5::Md5::digest(password_str); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(harmless_arr);
    _ = md5::Md5::digest(password_arr); // $ Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(harmless_vec);
    _ = md5::Md5::digest(password_vec); // $ Alert[rust/weak-sensitive-data-hashing]

    // hash through a hasher object: the password is one `update` among
    // several, so reporting it needs flow through the hasher's state
    let mut md5_hasher = md5::Md5::new();
    md5_hasher.update(b"abc"); // constant prefix, never sensitive
    md5_hasher.update(harmless);
    md5_hasher.update(password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5_hasher.finalize();

    // builder-style chaining; in the second chain the password is the middle link
    _ = md5::Md5::new().chain_update(harmless).chain_update(harmless).chain_update(harmless).finalize();
    _ = md5::Md5::new().chain_update(harmless).chain_update(password).chain_update(harmless).finalize(); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]

    // `new_with_prefix` seeds the hasher directly with the input
    _ = md5::Md5::new_with_prefix(harmless).finalize();
    _ = md5::Md5::new_with_prefix(password).finalize(); // $ Alert[rust/weak-sensitive-data-hashing]

    // hash transformed data: the password goes through a string / byte
    // conversion first, which the query is expected to see through
    _ = md5::Md5::digest(harmless.trim());
    _ = md5::Md5::digest(password.trim()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(harmless.as_bytes());
    _ = md5::Md5::digest(password.as_bytes()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5::Md5::digest(std::str::from_utf8(harmless_arr).unwrap());
    _ = md5::Md5::digest(std::str::from_utf8(password_arr).unwrap()); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
}
/// Fixture struct with a neutral field name; hashing its contents, directly
/// or serialized, is never expected to alert (see `test_hash_structs`).
#[derive(Serialize)]
struct MyStruct1 {
    id: u64,
    data: String,
}
/// Fixture struct whose `credit_card_no` field name is the only sensitivity
/// hint; `test_hash_structs` expects (currently `MISSING`) alerts when its
/// contents are hashed with MD5, directly or after serialization.
#[derive(Serialize)]
struct MyStruct2 {
    id: u64,
    credit_card_no: String,
}
/// Fixture struct whose `password` field name is the only sensitivity hint;
/// `test_hash_structs` expects (currently `MISSING`) alerts when its contents
/// are hashed with MD5, directly or after serialization.
#[derive(Serialize)]
struct MyStruct3 {
    id: u64,
    password: String,
}
/// Exercises the weak-sensitive-data-hashing query on data reached through
/// struct fields, both directly and after serde serialization.
///
/// All three structs hold the same value, so any alert must be keyed on the
/// field name (`credit_card_no`, `password`) rather than the data. Every
/// sensitive case is annotated `MISSING`: flow through field access and
/// through `serde_json` / `serde_urlencoded` into the hasher is not yet
/// reported. Serialized output reaches the hasher as `String` (`to_string`)
/// and as `Vec<u8>` (`to_vec`).
fn test_hash_structs() {
    // test hashing with data in a struct
    let s1 = MyStruct1 {
        id: 1,
        data: "0123456789".to_string(),
    };
    let s2 = MyStruct2 {
        id: 2,
        credit_card_no: "0123456789".to_string(),
    };
    let s3 = MyStruct3 {
        id: 3,
        password: "0123456789".to_string(),
    };

    // serialize with serde: JSON text, JSON bytes and URL-encoded text.
    // `unwrap` is acceptable here — the fixture only drives the analysis.
    let str1a = serde_json::to_string(&s1).unwrap();
    let str2a = serde_json::to_string(&s2).unwrap();
    let str3a = serde_json::to_string(&s3).unwrap();
    let str1b = serde_json::to_vec(&s1).unwrap();
    let str2b = serde_json::to_vec(&s2).unwrap();
    let str3b = serde_json::to_vec(&s3).unwrap();
    let str1c = serde_urlencoded::to_string(&s1).unwrap();
    let str2c = serde_urlencoded::to_string(&s2).unwrap();
    let str3c = serde_urlencoded::to_string(&s3).unwrap();

    // hash with MD5: everything goes into one hasher. The first three calls
    // take the `String` field by value (a partial move), which is fine since
    // the structs are not used afterwards.
    let mut md5_hasher = md5::Md5::new();
    md5_hasher.update(s1.data);
    md5_hasher.update(s2.credit_card_no); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(s3.password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str1a);
    md5_hasher.update(str2a); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str3a); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str1b);
    md5_hasher.update(str2b); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str3b); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str1c);
    md5_hasher.update(str2c); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    md5_hasher.update(str3c); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5_hasher.finalize();
}
/// Exercises the weak-sensitive-data-hashing query on file contents.
///
/// Both files are streamed into a single MD5 hasher with `std::io::copy`,
/// which works because the hasher is passed as the `Write` sink. The only
/// sensitivity hint is the `password_filename` parameter name, so the
/// expected alert (currently `MISSING`) needs flow from the path through
/// `File::open` and `io::copy` into the hasher.
///
/// Both `unwrap`s panic if a file cannot be opened, and the `io::Result` of
/// each `copy` is discarded with `_ =`; neither matters for a fixture that
/// only drives the analysis.
fn test_hash_file(
    harmless_filename: &str, password_filename: &str
) {
    // test hashing files
    let mut harmless_file = std::fs::File::open(harmless_filename).unwrap();
    let mut password_file = std::fs::File::open(password_filename).unwrap();
    let mut md5_hasher = md5::Md5::new();
    // both files feed the same digest; only the second copy is sensitive
    _ = std::io::copy(&mut harmless_file, &mut md5_hasher);
    _ = std::io::copy(&mut password_file, &mut md5_hasher); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
    _ = md5_hasher.finalize();
}