
Commit a7b3a4c

ESS-ENNSakshis and Sakshis authored
Add YAML rules for insecure C/C++ hash detection and XML parsing audit (#162)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* insecure-hash-c
* libxml2-audit-parser-c
* Added test file for dont-call-system-c
* insecure-hash-cpp
* libxml2-audit-parser-cpp

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 2024633 commit a7b3a4c

14 files changed: +2324 -0 lines changed

rules/c/security/insecure-hash-c.yml

Lines changed: 293 additions & 0 deletions
@@ -0,0 +1,293 @@
1+
id: insecure-hash-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
This hashing algorithm is insecure. If this hash is used in a security
6+
context, such as password hashing, it should be converted to a stronger
7+
hashing algorithm.
8+
note: >-
9+
[CWE-328] Use of Weak Hash.
10+
[REFERENCES]
11+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
12+
ast-grep-essentials: true
13+
utils:
14+
MATCH_PATTERN_ONE:
15+
kind: expression_statement
16+
has:
17+
stopBy: neighbor
18+
kind: call_expression
19+
all:
20+
- has:
21+
stopBy: neighbor
22+
kind: identifier
23+
regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
24+
- has:
25+
stopBy: neighbor
26+
kind: argument_list
27+
28+
MATCH_PATTERN_TWO_(EVP_MD_fetch):
29+
kind: expression_statement
30+
has:
31+
stopBy: neighbor
32+
kind: call_expression
33+
all:
34+
- has:
35+
stopBy: neighbor
36+
kind: identifier
37+
regex: ^(EVP_MD_fetch)$
38+
- has:
39+
stopBy: neighbor
40+
kind: argument_list
41+
has:
42+
kind: string_literal
43+
all:
44+
- nthChild:
45+
position: 2
46+
ofRule:
47+
not:
48+
kind: comment
49+
- has:
50+
kind: string_content
51+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
52+
53+
MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch):
54+
kind: expression_statement
55+
all:
56+
- has:
57+
stopBy: neighbor
58+
kind: call_expression
59+
all:
60+
- has:
61+
stopBy: neighbor
62+
kind: identifier
63+
regex: "^(EVP_MD_fetch)$"
64+
- has:
65+
stopBy: neighbor
66+
kind: argument_list
67+
has:
68+
stopBy: neighbor
69+
kind: identifier
70+
pattern: $Q
71+
nthChild:
72+
position: 2
73+
ofRule:
74+
not:
75+
kind: comment
76+
- any:
77+
- follows:
78+
stopBy: end
79+
kind: declaration
80+
has:
81+
stopBy: end
82+
kind: init_declarator
83+
all:
84+
- has:
85+
stopBy: neighbor
86+
kind: pointer_declarator
87+
has:
88+
stopBy: neighbor
89+
kind: identifier
90+
pattern: $Q
91+
- has:
92+
stopBy: neighbor
93+
kind: string_literal
94+
has:
95+
stopBy: neighbor
96+
kind: string_content
97+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
98+
- inside:
99+
stopBy: end
100+
follows:
101+
stopBy: end
102+
kind: declaration
103+
has:
104+
stopBy: end
105+
kind: init_declarator
106+
all:
107+
- has:
108+
stopBy: neighbor
109+
kind: pointer_declarator
110+
has:
111+
stopBy: neighbor
112+
kind: identifier
113+
pattern: $Q
114+
- has:
115+
stopBy: neighbor
116+
kind: string_literal
117+
has:
118+
stopBy: neighbor
119+
kind: string_content
120+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
121+
122+
MATCH_PATTERN_THREE:
123+
kind: expression_statement
124+
has:
125+
stopBy: neighbor
126+
kind: call_expression
127+
all:
128+
- has:
129+
stopBy: neighbor
130+
kind: identifier
131+
regex: ^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract)$
132+
- has:
133+
stopBy: neighbor
134+
kind: argument_list
135+
has:
136+
stopBy: end
137+
kind: identifier
138+
regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
139+
nthChild:
140+
position: 2
141+
ofRule:
142+
not:
143+
kind: comment
144+
145+
MATCH_PATTERN_TWO_(EVP_get_digestbyname):
146+
kind: expression_statement
147+
has:
148+
stopBy: neighbor
149+
kind: call_expression
150+
all:
151+
- has:
152+
stopBy: neighbor
153+
kind: identifier
154+
regex: ^(EVP_get_digestbyname)$
155+
- has:
156+
stopBy: neighbor
157+
kind: argument_list
158+
has:
159+
kind: string_literal
160+
all:
161+
- nthChild:
162+
position: 1
163+
ofRule:
164+
not:
165+
kind: comment
166+
- has:
167+
kind: string_content
168+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
169+
not:
170+
has:
171+
nthChild:
172+
position: 2
173+
ofRule:
174+
not:
175+
kind: comment
176+
177+
MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname):
178+
kind: expression_statement
179+
all:
180+
- has:
181+
stopBy: neighbor
182+
kind: call_expression
183+
all:
184+
- has:
185+
stopBy: neighbor
186+
kind: identifier
187+
regex: "^(EVP_get_digestbyname)$"
188+
- has:
189+
stopBy: neighbor
190+
kind: argument_list
191+
has:
192+
stopBy: neighbor
193+
kind: identifier
194+
pattern: $Q
195+
nthChild:
196+
position: 1
197+
ofRule:
198+
not:
199+
kind: comment
200+
not:
201+
has:
202+
nthChild:
203+
position: 2
204+
ofRule:
205+
not:
206+
kind: comment
207+
- any:
208+
- follows:
209+
stopBy: end
210+
kind: declaration
211+
has:
212+
stopBy: end
213+
kind: init_declarator
214+
all:
215+
- has:
216+
stopBy: neighbor
217+
kind: pointer_declarator
218+
has:
219+
stopBy: neighbor
220+
kind: identifier
221+
pattern: $Q
222+
- has:
223+
stopBy: neighbor
224+
kind: string_literal
225+
has:
226+
stopBy: neighbor
227+
kind: string_content
228+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
229+
- inside:
230+
stopBy: end
231+
follows:
232+
stopBy: end
233+
kind: declaration
234+
has:
235+
stopBy: end
236+
kind: init_declarator
237+
all:
238+
- has:
239+
stopBy: neighbor
240+
kind: pointer_declarator
241+
has:
242+
stopBy: neighbor
243+
kind: identifier
244+
pattern: $Q
245+
- has:
246+
stopBy: neighbor
247+
kind: string_literal
248+
has:
249+
stopBy: neighbor
250+
kind: string_content
251+
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
252+
253+
MATCH_PATTERN_THREE_(gcry_md_hash_buffers):
254+
kind: expression_statement
255+
has:
256+
stopBy: neighbor
257+
kind: call_expression
258+
all:
259+
- has:
260+
stopBy: neighbor
261+
kind: identifier
262+
regex: ^(gcry_md_hash_buffers|gcry_md_hash_buffer)$
263+
- has:
264+
stopBy: neighbor
265+
kind: argument_list
266+
has:
267+
stopBy: end
268+
kind: identifier
269+
regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
270+
nthChild:
271+
position: 1
272+
ofRule:
273+
not:
274+
kind: comment
275+
rule:
276+
any:
277+
- kind: expression_statement
278+
any:
279+
- matches: MATCH_PATTERN_ONE
280+
- matches: MATCH_PATTERN_TWO_(EVP_MD_fetch)
281+
- matches: MATCH_PATTERN_TWO_with_instance_(EVP_MD_fetch)
282+
- matches: MATCH_PATTERN_THREE
283+
- matches: MATCH_PATTERN_TWO_(EVP_get_digestbyname)
284+
- matches: MATCH_PATTERN_TWO_with_instance_(EVP_get_digestbyname)
285+
- matches: MATCH_PATTERN_THREE_(gcry_md_hash_buffers)
286+
not:
287+
all:
288+
- has:
289+
stopBy: end
290+
kind: ERROR
291+
- inside:
292+
stopBy: end
293+
kind: ERROR
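Review bot: the identifier regex in MATCH_PATTERN_ONE lists the one-shot helpers `MD2`, `MD4` and `MD5` but not the matching one-shot `SHA1`; it only has `SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update`, so a single call such as `SHA1(buf, len, out);` is not flagged even though every other pattern in this rule (the `MD2|MD4|MD5|SHA1|SHA-1` string literals and `GCRY_MD_SHA1`) treats SHA-1 as weak. Suggest adding `SHA1` to that alternation next to `EVP_sha1`. Separately, the exclusion at the end of `rule` is `not: all:` over `has: kind: ERROR` and `inside: kind: ERROR`, which drops a statement only when it both contains a parse-error node and sits inside one; if the intent is to skip any statement that touches an ERROR node, that should be `not: any:`, and the intent is worth a comment either way since the two readings differ for partially parsed files.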
