Merge pull request github#12825 from smiddy007/JS-Allow-Truncated-Hash-Forge-NonKeyCipher

asgerf · web-flow · commit 67afbee06dbf · 2023-05-02T13:59:30.000+02:00
JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
@@ -627,6 +627,15 @@ private module Forge {
         // require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog');
         this =
           getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall()
+        or
+        // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog');
+        this =
+          getAnImportNode()
+              .getMember("md")
+              .getMember(algorithmName)
+              .getAMember()
+              .getMember("create")
+              .getACall()
       )
     }
 
diff --git a/javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md b/javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+  SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
