checkers(javascript): detect usage of SHA-1 algorithm inside js code using scope and data-flow logic

Author: unnxt30

checkers/javascript/sha1_detector.go

@@ -0,0 +1,114 @@
+package javascript
+
+import (
+	"slices"
+
+	sitter "github.com/smacker/go-tree-sitter"
+	"globstar.dev/analysis"
+)
+
+var Sha1 = &analysis.Analyzer{
+	Name:        "sha1_detector",
+	Language:    analysis.LangJs,
+	Description: "Avoid using SHA1 for cryptographic purposes",
+	Category:    analysis.CategorySecurity,
+	Severity:    analysis.SeverityWarning,
+	Requires:    []*analysis.Analyzer{DataFlowAnalyzer},
+	Run:         detectSha1Usage,
+}
+
+func detectSha1Usage(pass *analysis.Pass) (interface{}, error) {
+	pkgs := []string{"jssha", "jssha/sha1", "jssha/dist/sha1"}
+
+	// Will be used to track the Encrypting library being used
+	var pkgDeclaratorVar *analysis.Variable
+
+	dfg := pass.ResultOf[DataFlowAnalyzer].(*DataFlowGraph)
+
+	if dfg == nil {
+		return nil, nil
+	}
+
+	scopeTree := dfg.ScopeTree
+
+	if scopeTree == nil {
+		return nil, nil
+	}
+
+	// gather the variable linking to the js-sha package.
+	analysis.Preorder(pass, func(node *sitter.Node) {
+		if node == nil {
+			return
+		}
+
+		if node.Type() == "variable_declarator" {
+			nameNode := node.ChildByFieldName("name")
+			valueNode := node.ChildByFieldName("value")
+			if valueNode != nil {
+				if valueNode.Type() == "call_expression" {
+					funcNode := valueNode.ChildByFieldName("function")
+					if funcNode != nil && funcNode.Type() == "member_expression" {
+						if funcNode.Content(pass.FileContext.Source) == "require" {
+							// check if the value inside the `require` is a valid package
+							packageName := valueNode.ChildByFieldName("arguments").Child(0)
+							if packageName != nil && packageName.Type() == "string" {
+								packageNameContent := packageName.Content(pass.FileContext.Source)
+								if !slices.Contains(pkgs, packageNameContent) {
+									// If the package is not in the list, we can ignore it
+									return
+								}
+							}
+						}
+					}
+				}
+			}
+
+			if nameNode != nil && nameNode.Type() == "identifier" {
+				varName := nameNode.Content(pass.FileContext.Source)
+				if varName != "" {
+					nameVar := scopeTree.GetScope(node).Lookup(varName)
+					if nameVar != nil {
+						pkgDeclaratorVar = nameVar
+					}
+				}
+			}
+		}
+	})
+
+	analysis.Preorder(pass, func(node *sitter.Node) {
+		if node == nil {
+			return
+		}
+
+		if node.Type() == "new_expression" {
+			// fmt.Println("+++++++++++++++++", node.Content(pass.FileContext.Source))
+			ctor := node.ChildByFieldName("constructor")
+			arg := node.ChildByFieldName("arguments")
+			if ctor != nil && arg != nil {
+				ctorVar := scopeTree.GetScope(ctor).Lookup(ctor.Content(pass.FileContext.Source))
+				// fmt.Println("++++++ctorVar+++++++", ctorVar, "++++++++++++")
+				// fmt.Println("++++++pkgDeclaratorVar+++++++", pkgDeclaratorVar, "++++++++++++")
+				if ctorVar != nil && ctorVar == pkgDeclaratorVar {
+					hashAlgo := arg.NamedChild(0)
+					// fmt.Println("++++++hashAlgo+++++++", hashAlgo, "++++++++++++")
+					if hashAlgo == nil {
+						return
+					}
+
+					hashAlgoStr := hashAlgo.NamedChild(0)
+					hashAlgoName := hashAlgoStr.Content(pass.FileContext.Source)
+					// fmt.Println("++++++hashAlgoName+++++++", hashAlgoName, "++++++++++++")
+					if hashAlgoName == "SHA-1" {
+						// fmt.Println("++++++hashAlgoNameConditionTrue+++++++", hashAlgoName, "++++++++++++")
+						pass.Report(pass, node, "SHA-1 is not recommended for cryptographic purposes")
+					}
+
+				}
+			}
+
+		}
+	})
+
+	return nil, nil
+
+}

checkers/javascript/testdata/sha1_detector.test.js

@@ -0,0 +1,7 @@
+const jsSHA = require("jssha");
+
+// ok
+new jsSHA("SHA-512", "TEXT", { encoding: "UTF8" });
+
+// <expect-error>
+new jsSHA("SHA-1", "TEXT", { encoding: "UTF8" });

pkg/analysis/scope_ts_test.go

@@ -25,12 +25,12 @@ func Test_BuildScopeTree(t *testing.T) {
 
 		scopeTree := MakeScopeTree(parsed.Language, parsed.Ast, parsed.Source)
 		require.NotNil(t, scopeTree)
-
-		varX, exists := scopeTree.Root.Variables["x"]
+		globalScope := scopeTree.Root.Children[0]
+		varX, exists := globalScope.Variables["x"]
 		require.True(t, exists)
 		require.NotNil(t, varX)
 
-		varY, exists := scopeTree.Root.Children[0].Variables["y"]
+		varY, exists := globalScope.Children[0].Variables["y"]
 		require.True(t, exists)
 		require.NotNil(t, varY)
 		require.Equal(t, VarKindVariable, varY.Kind)
@@ -63,9 +63,9 @@ func Test_BuildScopeTree(t *testing.T) {
 
 		scopeTree := MakeScopeTree(parsed.Language, parsed.Ast, parsed.Source)
 		require.NotNil(t, scopeTree)
-
+		globalScope := scopeTree.Root.Children[0]
 		{
-			varR, exists := scopeTree.Root.Variables["r"]
+			varR, exists := globalScope.Variables["r"]
 			require.True(t, exists)
 			require.NotNil(t, varR)
 
@@ -77,7 +77,7 @@ func Test_BuildScopeTree(t *testing.T) {
 		}
 
 		{
-			varExtname, exists := scopeTree.Root.Variables["extname"]
+			varExtname, exists := globalScope.Variables["extname"]
 			require.True(t, exists)
 			require.NotNil(t, varExtname)
 
@@ -102,11 +102,11 @@ func Test_BuildScopeTree(t *testing.T) {
 		parsed := parseFile(t, source)
 		require.NotNil(t, parsed)
 		scopeTree := MakeScopeTree(parsed.Language, parsed.Ast, parsed.Source)
+		globalScope := scopeTree.Root.Children[0]
 		// Checking function declaration
-		t.Log(scopeTree.Root.Variables)
-		funcVar := scopeTree.Root.Lookup("greet")
+		funcVar := globalScope.Lookup("greet")
 		require.NotNil(t, funcVar)
-		funcVariable, exists := scopeTree.Root.Variables["greet"] // tagged as an Identifier
+		funcVariable, exists := globalScope.Variables["greet"] // tagged as an Identifier
 		require.True(t, exists)
 		require.NotNil(t, funcVariable)