
Commit f3a3bd7

committed
insecure-hash-cpp
1 parent f7fb1b1 commit f3a3bd7


3 files changed

+422
-0
lines changed

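--- a/rules/cpp/insecure-hash-cpp.yml
+++ b/rules/cpp/insecure-hash-cpp.yml
@@ -0,0 +1,127 @@
+id: insecure-hash-cpp
+language: cpp
+severity: warning
+message: >-
+This hashing algorithm is insecure. If this hash is used in a security
+context, such as password hashing, it should be converted to a stronger
+hashing algorithm.
+note: >-
+[CWE-328] Use of Weak Hash.
+[REFERENCES]
+- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+utils:
+MATCH_PATTERN_ONE:
+kind: expression_statement
+has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
+- has:
+stopBy: neighbor
+kind: argument_list
+
+MATCH_PATTERN_TWO:
+kind: expression_statement
+has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: string_content
+regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+MATCH_PATTERN_TWO_with_instance:
+kind: expression_statement
+all:
+- has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: neighbor
+kind: identifier
+pattern: $Q
+- follows:
+stopBy: end
+kind: declaration
+has:
+stopBy: end
+kind: init_declarator
+all:
+- has:
+stopBy: neighbor
+any:
+- kind: array_declarator
+has:
+stopBy: neighbor
+kind: identifier
+pattern: $Q
+- kind: pointer_declarator
+has:
+stopBy: neighbor
+kind: identifier
+pattern: $Q
+- kind: identifier
+pattern: $Q
+
+- has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_content
+regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+MATCH_PATTERN_THREE:
+kind: expression_statement
+has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: identifier
+regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
+rule:
+any:
+- kind: expression_statement
+any:
+- matches: MATCH_PATTERN_ONE
+- matches: MATCH_PATTERN_TWO
+- matches: MATCH_PATTERN_TWO_with_instance
+- matches: MATCH_PATTERN_THREE
+not:
+all:
+- has:
+stopBy: end
+kind: ERROR
+- inside:
+stopBy: end
+kind: ERROR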
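Review bot: The identifier regex in MATCH_PATTERN_ONE (rule line 23) lists the one-shot `MD2`, `MD4` and `MD5` functions but not the matching one-shot `SHA1`, so a bare `SHA1(data, len, md);` call is not flagged while `SHA1_Init`/`SHA1_Update`/`SHA1_Final` are; adding it to the alternation, `...|EVP_sha1|SHA1|SHA1_Final|SHA1_Init|...`, closes that gap. The digest-name regex `^(MD2|MD4|MD5|SHA1|SHA-1)$` used in MATCH_PATTERN_TWO and MATCH_PATTERN_TWO_with_instance (rule lines 44 and 93) is case-sensitive, but OpenSSL also accepts the lower-case spellings (e.g. `"md5"`, `"sha1"`), so `EVP_MD_fetch(NULL, "md5", NULL)` passes unflagged; prefixing the pattern with the inline flag, `regex: (?i)^(MD2|MD4|MD5|SHA1|SHA-1)$`, covers both spellings. The trailing `not: all:` exclusion (rule lines 120–127) only suppresses a statement that both contains an ERROR node and sits inside one; if the intent is to skip a match in either situation, `not: any:` is presumably what is meant — worth confirming against the convention used by the other rules in the set.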
Lines changed: 266 additions & 0 deletions
@@ -0,0 +1,266 @@
1+
id: insecure-hash-cpp
2+
snapshots:
3+
? |
4+
EVP_MD_fetch(NULL, "MD2", NULL);
5+
: labels:
6+
- source: EVP_MD_fetch(NULL, "MD2", NULL);
7+
style: primary
8+
start: 0
9+
end: 32
10+
- source: EVP_MD_fetch
11+
style: secondary
12+
start: 0
13+
end: 12
14+
- source: MD2
15+
style: secondary
16+
start: 20
17+
end: 23
18+
- source: (NULL, "MD2", NULL)
19+
style: secondary
20+
start: 12
21+
end: 31
22+
- source: EVP_MD_fetch(NULL, "MD2", NULL)
23+
style: secondary
24+
start: 0
25+
end: 31
26+
? |
27+
EVP_MD_fetch(NULL, "MD4", NULL);
28+
: labels:
29+
- source: EVP_MD_fetch(NULL, "MD4", NULL);
30+
style: primary
31+
start: 0
32+
end: 32
33+
- source: EVP_MD_fetch
34+
style: secondary
35+
start: 0
36+
end: 12
37+
- source: MD4
38+
style: secondary
39+
start: 20
40+
end: 23
41+
- source: (NULL, "MD4", NULL)
42+
style: secondary
43+
start: 12
44+
end: 31
45+
- source: EVP_MD_fetch(NULL, "MD4", NULL)
46+
style: secondary
47+
start: 0
48+
end: 31
49+
? |
50+
EVP_MD_fetch(NULL, "MD5", NULL);
51+
: labels:
52+
- source: EVP_MD_fetch(NULL, "MD5", NULL);
53+
style: primary
54+
start: 0
55+
end: 32
56+
- source: EVP_MD_fetch
57+
style: secondary
58+
start: 0
59+
end: 12
60+
- source: MD5
61+
style: secondary
62+
start: 20
63+
end: 23
64+
- source: (NULL, "MD5", NULL)
65+
style: secondary
66+
start: 12
67+
end: 31
68+
- source: EVP_MD_fetch(NULL, "MD5", NULL)
69+
style: secondary
70+
start: 0
71+
end: 31
72+
? |
73+
EVP_get_digestbyname("MD2");
74+
: labels:
75+
- source: EVP_get_digestbyname("MD2");
76+
style: primary
77+
start: 0
78+
end: 28
79+
- source: EVP_get_digestbyname
80+
style: secondary
81+
start: 0
82+
end: 20
83+
- source: MD2
84+
style: secondary
85+
start: 22
86+
end: 25
87+
- source: ("MD2")
88+
style: secondary
89+
start: 20
90+
end: 27
91+
- source: EVP_get_digestbyname("MD2")
92+
style: secondary
93+
start: 0
94+
end: 27
95+
? |
96+
EVP_get_digestbyname("MD4");
97+
: labels:
98+
- source: EVP_get_digestbyname("MD4");
99+
style: primary
100+
start: 0
101+
end: 28
102+
- source: EVP_get_digestbyname
103+
style: secondary
104+
start: 0
105+
end: 20
106+
- source: MD4
107+
style: secondary
108+
start: 22
109+
end: 25
110+
- source: ("MD4")
111+
style: secondary
112+
start: 20
113+
end: 27
114+
- source: EVP_get_digestbyname("MD4")
115+
style: secondary
116+
start: 0
117+
end: 27
118+
? |
119+
EVP_get_digestbyname("MD5");
120+
: labels:
121+
- source: EVP_get_digestbyname("MD5");
122+
style: primary
123+
start: 0
124+
end: 28
125+
- source: EVP_get_digestbyname
126+
style: secondary
127+
start: 0
128+
end: 20
129+
- source: MD5
130+
style: secondary
131+
start: 22
132+
end: 25
133+
- source: ("MD5")
134+
style: secondary
135+
start: 20
136+
end: 27
137+
- source: EVP_get_digestbyname("MD5")
138+
style: secondary
139+
start: 0
140+
end: 27
141+
? |
142+
MD2_Init(ctx);
143+
: labels:
144+
- source: MD2_Init(ctx);
145+
style: primary
146+
start: 0
147+
end: 14
148+
- source: MD2_Init
149+
style: secondary
150+
start: 0
151+
end: 8
152+
- source: (ctx)
153+
style: secondary
154+
start: 8
155+
end: 13
156+
- source: MD2_Init(ctx)
157+
style: secondary
158+
start: 0
159+
end: 13
160+
? |
161+
MD2_Update(ctx, data, size);
162+
: labels:
163+
- source: MD2_Update(ctx, data, size);
164+
style: primary
165+
start: 0
166+
end: 28
167+
- source: MD2_Update
168+
style: secondary
169+
start: 0
170+
end: 10
171+
- source: (ctx, data, size)
172+
style: secondary
173+
start: 10
174+
end: 27
175+
- source: MD2_Update(ctx, data, size)
176+
style: secondary
177+
start: 0
178+
end: 27
179+
? |
180+
MD5_Init(ctx);
181+
: labels:
182+
- source: MD5_Init(ctx);
183+
style: primary
184+
start: 0
185+
end: 14
186+
- source: MD5_Init
187+
style: secondary
188+
start: 0
189+
end: 8
190+
- source: (ctx)
191+
style: secondary
192+
start: 8
193+
end: 13
194+
- source: MD5_Init(ctx)
195+
style: secondary
196+
start: 0
197+
end: 13
198+
? |
199+
gcry_md_extract(handle, GCRY_MD_SHA1, output);
200+
: labels:
201+
- source: gcry_md_extract(handle, GCRY_MD_SHA1, output);
202+
style: primary
203+
start: 0
204+
end: 46
205+
- source: gcry_md_extract
206+
style: secondary
207+
start: 0
208+
end: 15
209+
- source: GCRY_MD_SHA1
210+
style: secondary
211+
start: 24
212+
end: 36
213+
- source: (handle, GCRY_MD_SHA1, output)
214+
style: secondary
215+
start: 15
216+
end: 45
217+
- source: gcry_md_extract(handle, GCRY_MD_SHA1, output)
218+
style: secondary
219+
start: 0
220+
end: 45
221+
? |
222+
gcry_md_hash_buffer(GCRY_MD_MD4, data, size);
223+
: labels:
224+
- source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size);
225+
style: primary
226+
start: 0
227+
end: 45
228+
- source: gcry_md_hash_buffer
229+
style: secondary
230+
start: 0
231+
end: 19
232+
- source: GCRY_MD_MD4
233+
style: secondary
234+
start: 20
235+
end: 31
236+
- source: (GCRY_MD_MD4, data, size)
237+
style: secondary
238+
start: 19
239+
end: 44
240+
- source: gcry_md_hash_buffer(GCRY_MD_MD4, data, size)
241+
style: secondary
242+
start: 0
243+
end: 44
244+
? |
245+
gcry_md_open(handle, GCRY_MD_MD2, 0);
246+
: labels:
247+
- source: gcry_md_open(handle, GCRY_MD_MD2, 0);
248+
style: primary
249+
start: 0
250+
end: 37
251+
- source: gcry_md_open
252+
style: secondary
253+
start: 0
254+
end: 12
255+
- source: GCRY_MD_MD2
256+
style: secondary
257+
start: 21
258+
end: 32
259+
- source: (handle, GCRY_MD_MD2, 0)
260+
style: secondary
261+
start: 12
262+
end: 36
263+
- source: gcry_md_open(handle, GCRY_MD_MD2, 0)
264+
style: secondary
265+
start: 0
266+
end: 36
