diff --git a/rules/c/security/insecure-hash-c.yml b/rules/c/security/insecure-hash-c.yml
new file mode 100644
index 00000000..6ed80bae
--- /dev/null
+++ b/rules/c/security/insecure-hash-c.yml
@@ -0,0 +1,109 @@
+id: insecure-hash-c
+language: c
+severity: warning
+message: >-
+ This hashing algorithm is insecure. If this hash is used in a security
+ context, such as password hashing, it should be converted to a stronger
+ hashing algorithm.
+note: >-
+ [CWE-328] Use of Weak Hash.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+ MATCH_PATTERN_ONE:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+
+ MATCH_PATTERN_TWO:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+ MATCH_PATTERN_TWO_with_instance:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $Q
+ - follows:
+ stopBy: end
+ kind: declaration
+ has:
+ stopBy: end
+ kind: init_declarator
+ all:
+ - has:
+ stopBy: neighbor
+ kind: pointer_declarator
+ has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $Q
+ - has:
+ stopBy: neighbor
+ kind: string_literal
+ has:
+ stopBy: neighbor
+ kind: string_content
+ regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+ MATCH_PATTERN_THREE:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: identifier
+ regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
+rule:
+ any:
+ - kind: expression_statement
+ any:
+ - matches: MATCH_PATTERN_ONE
+ - matches: MATCH_PATTERN_TWO
+ - matches: MATCH_PATTERN_TWO_with_instance
+ - matches: MATCH_PATTERN_THREE
diff --git a/rules/cpp/security/insecure-hash-cpp.yml b/rules/cpp/security/insecure-hash-cpp.yml
new file mode 100644
index 00000000..7aa44cc6
--- /dev/null
+++ b/rules/cpp/security/insecure-hash-cpp.yml
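Review bot: MATCH_PATTERN_TWO only matches a digest name given as an `identifier` inside the argument_list, so the direct form `EVP_get_digestbyname("MD5")` or `EVP_MD_fetch(NULL, "SHA1", NULL)` is not reported: a literal is a string_literal node, which only MATCH_PATTERN_TWO_with_instance inspects, and only behind a `const char *` variable, which is also the only shape the test file exercises. The name regexes are case-sensitive as well, whereas OpenSSL looks these names up case-insensitively, so `"md5"` slips through; `regex: (?i)^(MD2|MD4|MD5|SHA1|SHA-1)$` on both patterns closes that. Separately, MATCH_PATTERN_ONE requires the flagged call to be a direct child of an expression_statement, so the usual `EVP_DigestInit_ex(ctx, EVP_md5(), NULL);` and `const EVP_MD *md = EVP_sha1();` forms are missed; `stopBy: end` on that `has` would reach the nested argument, while the declaration form needs a pattern not rooted at expression_statement. The cpp rule in the next hunk is identical and needs the same changes. A string_literal alternative for MATCH_PATTERN_TWO's argument check would look like this:
```yaml
  MATCH_PATTERN_TWO:
    # … unchanged: expression_statement / call_expression / function-name regex …
        - has:
            stopBy: neighbor
            kind: argument_list
            has:
              stopBy: neighbor
              any:
                - kind: identifier
                  regex: (?i)^(MD2|MD4|MD5|SHA1|SHA-1)$
                - kind: string_literal
                  has:
                    stopBy: neighbor
                    kind: string_content
                    regex: (?i)^(MD2|MD4|MD5|SHA1|SHA-1)$
```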
@@ -0,0 +1,109 @@
+id: insecure-hash-cpp
+language: cpp
+severity: warning
+message: >-
+ This hashing algorithm is insecure. If this hash is used in a security
+ context, such as password hashing, it should be converted to a stronger
+ hashing algorithm.
+note: >-
+ [CWE-328] Use of Weak Hash.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+ MATCH_PATTERN_ONE:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+
+ MATCH_PATTERN_TWO:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+ MATCH_PATTERN_TWO_with_instance:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $Q
+ - follows:
+ stopBy: end
+ kind: declaration
+ has:
+ stopBy: end
+ kind: init_declarator
+ all:
+ - has:
+ stopBy: neighbor
+ kind: pointer_declarator
+ has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $Q
+ - has:
+ stopBy: neighbor
+ kind: string_literal
+ has:
+ stopBy: neighbor
+ kind: string_content
+ regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
+
+ MATCH_PATTERN_THREE:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: identifier
+ regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
+rule:
+ any:
+ - kind: expression_statement
+ any:
+ - matches: MATCH_PATTERN_ONE
+ - matches: MATCH_PATTERN_TWO
+ - matches: MATCH_PATTERN_TWO_with_instance
+ - matches: MATCH_PATTERN_THREE
diff --git a/tests/__snapshots__/insecure-hash-c-snapshot.yml b/tests/__snapshots__/insecure-hash-c-snapshot.yml
new file mode 100644
index 00000000..bd4945a4
--- /dev/null
+++ b/tests/__snapshots__/insecure-hash-c-snapshot.yml
@@ -0,0 +1,28 @@
+id: insecure-hash-c
+snapshots:
+ ? |
+ MD2_Init();
+ SHA1_Init();
+ const char *md4 = "MD4";
+ EVP_MD_fetch(NULL, md4, NULL);
+ EVP_get_digestbyname(md4);
+ const char *sha1 = "SHA1";
+ EVP_MD_fetch(NULL, sha1, NULL);
+ EVP_get_digestbyname(sha1);
+ : labels:
+ - source: MD2_Init();
+ style: primary
+ start: 0
+ end: 11
+ - source: MD2_Init
+ style: secondary
+ start: 0
+ end: 8
+ - source: ()
+ style: secondary
+ start: 8
+ end: 10
+ - source: MD2_Init()
+ style: secondary
+ start: 0
+ end: 10
diff --git a/tests/__snapshots__/insecure-hash-cpp-snapshot.yml b/tests/__snapshots__/insecure-hash-cpp-snapshot.yml
new file mode 100644
index 00000000..8c45cf53
--- /dev/null
+++ b/tests/__snapshots__/insecure-hash-cpp-snapshot.yml
@@ -0,0 +1,28 @@
+id: insecure-hash-cpp
+snapshots:
+ ? |
+ MD2_Init();
+ SHA1_Init();
+ const char *md4 = "MD4";
+ EVP_MD_fetch(NULL, md4, NULL);
+ EVP_get_digestbyname(md4);
+ const char *sha1 = "SHA1";
+ EVP_MD_fetch(NULL, sha1, NULL);
+ EVP_get_digestbyname(sha1);
+ : labels:
+ - source: MD2_Init();
+ style: primary
+ start: 0
+ end: 11
+ - source: MD2_Init
+ style: secondary
+ start: 0
+ end: 8
+ - source: ()
+ style: secondary
+ start: 8
+ end: 10
+ - source: MD2_Init()
+ style: secondary
+ start: 0
+ end: 10
diff --git a/tests/c/insecure-hash-c-test.yml b/tests/c/insecure-hash-c-test.yml
new file mode 100644
index 00000000..d0be7610
--- /dev/null
+++ b/tests/c/insecure-hash-c-test.yml
@@ -0,0 +1,14 @@
+id: insecure-hash-c
+valid:
+ - |
+ MD5Final(digest,ctx);
+invalid:
+ - |
+ MD2_Init();
+ SHA1_Init();
+ const char *md4 = "MD4";
+ EVP_MD_fetch(NULL, md4, NULL);
+ EVP_get_digestbyname(md4);
+ const char *sha1 = "SHA1";
+ EVP_MD_fetch(NULL, sha1, NULL);
+ EVP_get_digestbyname(sha1);
diff --git a/tests/cpp/insecure-hash-cpp-test.yml b/tests/cpp/insecure-hash-cpp-test.yml
new file mode 100644
index 00000000..a8240276
--- /dev/null
+++ b/tests/cpp/insecure-hash-cpp-test.yml
@@ -0,0 +1,14 @@
+id: insecure-hash-cpp
+valid:
+ - |
+ MD5Final(digest,ctx);
+invalid:
+ - |
+ MD2_Init();
+ SHA1_Init();
+ const char *md4 = "MD4";
+ EVP_MD_fetch(NULL, md4, NULL);
+ EVP_get_digestbyname(md4);
+ const char *sha1 = "SHA1";
+ EVP_MD_fetch(NULL, sha1, NULL);
+ EVP_get_digestbyname(sha1);
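Review bot: The single `invalid` entry in tests/c/insecure-hash-c-test.yml bundles all eight statements into one snippet, and since ast-grep only needs an invalid snippet to produce some match, the case keeps passing even if one util (for example the EVP_MD_fetch indirection) silently stops firing; one snippet per pattern keeps each util covered. The `valid` side has only the misspelled `MD5Final(digest,ctx);`, with no strong digest in the same call shape, so an over-broad regex would not be caught either; `SHA256_Init(&ctx);` and `EVP_get_digestbyname("SHA256");` are the natural additions. The cpp test file in the next hunk has the same layout, and the committed snapshots would need regenerating after the split. A split version:
```yaml
valid:
  - |
    MD5Final(digest,ctx);
  - |
    SHA256_Init(&ctx);
  - |
    EVP_get_digestbyname("SHA256");
invalid:
  - |
    MD2_Init();
  - |
    SHA1_Init();
  - |
    const char *md4 = "MD4";
    EVP_MD_fetch(NULL, md4, NULL);
  - |
    const char *sha1 = "SHA1";
    EVP_get_digestbyname(sha1);
```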