Enhance the query to check more scenarios

luchua-bc · luchua-bc · commit 6a2c7d54cdef · 2021-06-14T03:24:16.000Z
diff --git a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
@@ -33,8 +33,9 @@ class KeyedHashAlgorithm extends RefType {
 }
 
 /**
- * The method `ComputeHash()`, `ComputeHashAsync`, `TryComputeHash`, `HashData`, or `TryHashData` declared in `System.Security.Cryptography.HashAlgorithm` and
- * the method `HashData()` declared in `Windows.Security.Cryptography.Core.HashAlgorithmProvider`.
+ * The method `ComputeHash()`, `ComputeHashAsync`, `TryComputeHash`, `HashData`, or
+ * `TryHashData` declared in `System.Security.Cryptography.HashAlgorithm` and the method
+ * `HashData()` declared in `Windows.Security.Cryptography.Core.HashAlgorithmProvider`.
  */
 class HashMethod extends Method {
   HashMethod() {
@@ -46,8 +47,11 @@ class HashMethod extends Method {
   }
 }
 
-/** Gets a regular expression for matching common names of variables that indicate the value being held is a password. */
-string getPasswordRegex() { result = "(?i).*pass(wd|word|code|phrase).*" }
+/**
+ * Gets a regular expression for matching common names of variables that indicate the
+ * value being held is a password.
+ */
+string getPasswordRegex() { result = "(?i)pass(wd|word|code|phrase)" }
 
 /** Finds variables that hold password information judging by their names. */
 class PasswordVarExpr extends Expr {
@@ -56,21 +60,65 @@ class PasswordVarExpr extends Expr {
   }
 }
 
+/**
+ * Holds if `mc` is a hashing method call or invokes a hashing method call
+ * directly or indirectly.
+ */
+predicate isHashCall(MethodCall mc) {
+  mc.getTarget() instanceof HashMethod
+  or
+  exists(MethodCall mcc |
+    mc.getTarget().calls(mcc.getTarget()) and
+    isHashCall(mcc) and
+    DataFlow::localExprFlow(mc.getTarget().getAParameter().getAnAccess(), mcc.getAnArgument())
+  )
+}
+
 /** Holds if there is another hashing method call. */
 predicate hasAnotherHashCall(MethodCall mc) {
-  exists(Call mc2, DataFlow2::Node src, DataFlow2::Node sink |
+  exists(MethodCall mc2, DataFlow2::Node src, DataFlow2::Node sink |
+    isHashCall(mc2) and
+    mc2 != mc and
     (
-      mc2.getTarget() instanceof HashMethod or
-      mc2.(ObjectCreation).getObjectType().getABaseType+() instanceof HashAlgorithm
+      src.asExpr() = mc.getQualifier() or
+      src.asExpr() = mc.getAnArgument() or
+      src.asExpr() = mc
     ) and
-    mc2 != mc and
-    src.asExpr() = mc.getAReachableElement() and
-    sink.asExpr() = mc2.getAChildExpr() and
-    TaintTracking2::localTaint(src, sink)
+    (
+      sink.asExpr() = mc2.getQualifier() or
+      sink.asExpr() = mc2.getAnArgument()
+    ) and
+    DataFlow::localFlow(src, sink)
+  )
+}
+
+/** Holds if a password hash without salt is further processed in another method call. */
+predicate hasFurtherProcessing(MethodCall mc) {
+  mc.getTarget().fromLibrary() and
+  (
+    mc.getTarget().hasQualifiedName("System.Array", "Copy") or // Array.Copy(passwordHash, 0, password.Length), 0, key, 0, keyLen);
+    mc.getTarget().hasQualifiedName("System.String", "Concat") or // string.Concat(passwordHash, saltkey)
+    mc.getTarget().hasQualifiedName("System.Buffer", "BlockCopy") or // Buffer.BlockCopy(passwordHash, 0, allBytes, 0, 20)
+    mc.getTarget().hasQualifiedName("System.String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password)
   )
 }
 
-/** Taint configuration tracking flow from an expression whose name suggests it holds password data to a method call that generates a hash without a salt. */
+/**
+ * Holds if `mc` is part of a call graph that satisfies `isHashCall` but is not at the
+ * top of the call hierarchy.
+ */
+predicate hasHashAncestor(MethodCall mc) {
+  exists(MethodCall mpc |
+    mpc.getTarget().calls(mc.getTarget()) and
+    isHashCall(mpc) and
+    DataFlow::localExprFlow(mpc.getTarget().getAParameter().getAnAccess(), mc.getAnArgument())
+  )
+}
+
+/**
+ * Taint configuration tracking flow from an expression whose name suggests it holds
+ * password data to a method call that generates a hash without a salt.
+ */
 class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
   HashWithoutSaltConfiguration() { this = "HashWithoutSaltConfiguration" }
 
@@ -79,8 +127,23 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(MethodCall mc |
       sink.asExpr() = mc.getArgument(0) and
-      mc.getTarget() instanceof HashMethod and
-      not hasAnotherHashCall(mc)
+      isHashCall(mc) and
+      not hasAnotherHashCall(mc) and
+      not hasHashAncestor(mc) and
+      not exists(MethodCall mmc |
+        hasFurtherProcessing(mmc) and
+        DataFlow::localExprFlow(mc, mmc.getAnArgument())
+      ) and
+      not exists(Call c |
+        (
+          c.getTarget().getDeclaringType().getABaseType*() instanceof HashAlgorithm or
+          c.getTarget()
+              .getDeclaringType()
+              .getABaseType*()
+              .hasQualifiedName("System.Security.Cryptography", "DeriveBytes")
+        ) and
+        DataFlow::localExprFlow(mc, c.getAnArgument())
+      )
     )
   }
 
@@ -104,26 +167,27 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
    */
   override predicate isSanitizer(DataFlow::Node node) {
     exists(MethodCall mc |
-      mc.getTarget().fromLibrary() and
-      (
-        mc.getTarget().hasQualifiedName("System.Array", "CopyTo") or // passBytes.CopyTo(rawSalted, 0)
-        mc.getTarget().hasQualifiedName("System.String", "Concat") or // string.Concat(password, saltkey)
-        mc.getTarget().hasQualifiedName("System.Buffer", "BlockCopy") or // Buffer.BlockCopy(salt, 0, allBytes, 0, 20)
-        mc.getTarget().hasQualifiedName("System.String", "Format") // String.Format("{0}:{1}:{2}", username, salt, password)
-      ) and
+      hasFurtherProcessing(mc) and
       mc.getAnArgument() = node.asExpr()
     )
     or
     exists(AddExpr e | node.asExpr() = e.getAnOperand()) // password+salt
     or
     exists(InterpolatedStringExpr e | node.asExpr() = e.getAnInsert())
     or
+    exists(Call c |
+      c.getTarget()
+          .getDeclaringType()
+          .getABaseType*()
+          .hasQualifiedName("System.Security.Cryptography", "DeriveBytes")
+    )
+    or
     // a salt or key is included in subclasses of `KeyedHashAlgorithm`
-    exists(MethodCall mc, Assignment ass, ObjectCreation oc |
-      ass.getRValue() = oc and
+    exists(MethodCall mc, Assignment a, ObjectCreation oc |
+      a.getRValue() = oc and
       oc.getObjectType().getABaseType+() instanceof KeyedHashAlgorithm and
       mc.getTarget() instanceof HashMethod and
-      ass.getLValue() = mc.getQualifier().(VariableAccess).getTarget().getAnAccess() and
+      a.getLValue() = mc.getQualifier().(VariableAccess).getTarget().getAnAccess() and
       mc.getArgument(0) = node.asExpr()
     )
   }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-759/HashWithoutSalt.cs b/csharp/ql/test/experimental/Security Features/CWE-759/HashWithoutSalt.cs
@@ -1,6 +1,7 @@
 // semmle-extractor-options: /r:System.Security.Cryptography.Primitives.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll
 
 using System;
+using System.Text;
 using System.Security.Cryptography;
 
 using Windows.Security.Cryptography;
@@ -130,4 +131,72 @@ public static byte[] CalculateKeys(string password, string userid)
         }
         return hmacbytes;
     }
+
+    private byte[] TryDecrypt(byte[] buffer, int offset, int length, byte[] password, int keyLen) {
+        byte[] key = new byte[16];
+        Array.Copy(SHA1.Create().ComputeHash(password, 0, password.Length), 0, key, 0, keyLen);
+        byte[] ret = Aes.Create().CreateDecryptor(key, null).TransformFinalBlock(buffer, offset, length);
+        return ret;
+    }
+
+    // GOOD - Use password hash without a salt having further processing.
+    public byte[] encrypt(byte[] pass, byte[] salt, byte[] blob) {
+        byte[] key = new byte[salt.Length + pass.Length];
+        Array.Copy(salt, 0, key, 0, salt.Length);
+        Array.Copy(pass, 0, key, salt.Length, pass.Length);
+        byte[] pkb = TryDecrypt(blob, 8, blob.Length - 8, key, 16);
+        return pkb;
+    }
+
+    public string CreatePasswordHash(string password, string saltkey)
+    {
+        var saltAndPassword = string.Concat(password, saltkey);
+        HashAlgorithm algorithm = SHA256.Create();
+        var hashByteArray = algorithm.ComputeHash(Encoding.UTF8.GetBytes(saltAndPassword));
+        return BitConverter.ToString(hashByteArray).Replace("-", "");
+    }
+
+    private string GetMD5HashBinHex (string toBeHashed)
+    {
+        MD5 hash = MD5.Create ();
+        byte[] result = hash.ComputeHash (Encoding.ASCII.GetBytes (toBeHashed));
+
+        StringBuilder sb = new StringBuilder ();
+        foreach (byte b in result)
+            sb.Append (b.ToString ("x2"));
+        
+        return sb.ToString ();
+    }
+
+    // GOOD: Password concatenated with other information before hashing
+    public string CreatePasswordHash2(string username, string realm, string password)
+    {
+        string A1 = String.Format ("{0}:{1}:{2}", username, realm, password);
+
+        string HA1 = GetMD5HashBinHex (A1);
+        return HA1;
+    }
+
+    private byte[] Xor(byte[] array1, byte[] array2) {
+        var result = new byte[array1.Length];
+
+        for (int i = 0; i < array1.Length; i++) {
+            result[i] = (byte)(array1[i] ^ array2[i]);
+        }
+
+        return result;
+    }
+
+    // GOOD: Password hash without salt is further hashed with salt
+    public byte[] GetScrable(byte[] password, byte[] decodedSalt) {
+        var first20SaltBytes = new byte[20];
+        Array.Copy(decodedSalt, first20SaltBytes, 20);
+
+        var step1 = Sha1Utils.Hash(password);
+        var step2 = Sha1Utils.Hash(step1);
+        var step3 = Sha1Utils.Hash(first20SaltBytes, step2);
+        var scrambleBytes = Xor(step1, step3);
+
+        return scrambleBytes;
+    }
 }
diff --git a/csharp/ql/test/experimental/Security Features/CWE-759/HashWithoutSalt.expected b/csharp/ql/test/experimental/Security Features/CWE-759/HashWithoutSalt.expected
@@ -1,19 +1,19 @@
 edges
-| HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff |
-| HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] | HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes |
-| HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] |
-| HashWithoutSalt.cs:69:28:69:72 | call to method GetBytes : Byte[] | HashWithoutSalt.cs:70:48:70:56 | access to local variable passBytes |
-| HashWithoutSalt.cs:69:64:69:71 | access to parameter password : String | HashWithoutSalt.cs:69:28:69:72 | call to method GetBytes : Byte[] |
+| HashWithoutSalt.cs:18:70:18:77 | access to parameter password : String | HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff |
+| HashWithoutSalt.cs:38:28:38:72 | call to method GetBytes : Byte[] | HashWithoutSalt.cs:39:51:39:59 | access to local variable passBytes |
+| HashWithoutSalt.cs:38:64:38:71 | access to parameter password : String | HashWithoutSalt.cs:38:28:38:72 | call to method GetBytes : Byte[] |
+| HashWithoutSalt.cs:70:28:70:72 | call to method GetBytes : Byte[] | HashWithoutSalt.cs:71:48:71:56 | access to local variable passBytes |
+| HashWithoutSalt.cs:70:64:70:71 | access to parameter password : String | HashWithoutSalt.cs:70:28:70:72 | call to method GetBytes : Byte[] |
 nodes
-| HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | semmle.label | access to parameter password : String |
-| HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | semmle.label | access to local variable passBuff |
-| HashWithoutSalt.cs:37:28:37:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
-| HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | semmle.label | access to parameter password : String |
-| HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | semmle.label | access to local variable passBytes |
-| HashWithoutSalt.cs:69:28:69:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
-| HashWithoutSalt.cs:69:64:69:71 | access to parameter password : String | semmle.label | access to parameter password : String |
-| HashWithoutSalt.cs:70:48:70:56 | access to local variable passBytes | semmle.label | access to local variable passBytes |
+| HashWithoutSalt.cs:18:70:18:77 | access to parameter password : String | semmle.label | access to parameter password : String |
+| HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff | semmle.label | access to local variable passBuff |
+| HashWithoutSalt.cs:38:28:38:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| HashWithoutSalt.cs:38:64:38:71 | access to parameter password : String | semmle.label | access to parameter password : String |
+| HashWithoutSalt.cs:39:51:39:59 | access to local variable passBytes | semmle.label | access to local variable passBytes |
+| HashWithoutSalt.cs:70:28:70:72 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| HashWithoutSalt.cs:70:64:70:71 | access to parameter password : String | semmle.label | access to parameter password : String |
+| HashWithoutSalt.cs:71:48:71:56 | access to local variable passBytes | semmle.label | access to local variable passBytes |
 #select
-| HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | HashWithoutSalt.cs:17:70:17:77 | access to parameter password : String | HashWithoutSalt.cs:19:49:19:56 | access to local variable passBuff | $@ is hashed without a salt. | HashWithoutSalt.cs:17:70:17:77 | access to parameter password | The password |
-| HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | HashWithoutSalt.cs:37:64:37:71 | access to parameter password : String | HashWithoutSalt.cs:38:51:38:59 | access to local variable passBytes | $@ is hashed without a salt. | HashWithoutSalt.cs:37:64:37:71 | access to parameter password | The password |
-| HashWithoutSalt.cs:70:48:70:56 | access to local variable passBytes | HashWithoutSalt.cs:69:64:69:71 | access to parameter password : String | HashWithoutSalt.cs:70:48:70:56 | access to local variable passBytes | $@ is hashed without a salt. | HashWithoutSalt.cs:69:64:69:71 | access to parameter password | The password |
+| HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff | HashWithoutSalt.cs:18:70:18:77 | access to parameter password : String | HashWithoutSalt.cs:20:49:20:56 | access to local variable passBuff | $@ is hashed without a salt. | HashWithoutSalt.cs:18:70:18:77 | access to parameter password | The password |
+| HashWithoutSalt.cs:39:51:39:59 | access to local variable passBytes | HashWithoutSalt.cs:38:64:38:71 | access to parameter password : String | HashWithoutSalt.cs:39:51:39:59 | access to local variable passBytes | $@ is hashed without a salt. | HashWithoutSalt.cs:38:64:38:71 | access to parameter password | The password |
+| HashWithoutSalt.cs:71:48:71:56 | access to local variable passBytes | HashWithoutSalt.cs:70:64:70:71 | access to parameter password : String | HashWithoutSalt.cs:71:48:71:56 | access to local variable passBytes | $@ is hashed without a salt. | HashWithoutSalt.cs:70:64:70:71 | access to parameter password | The password |
diff --git a/csharp/ql/test/experimental/Security Features/CWE-759/Sha1Utils.cs b/csharp/ql/test/experimental/Security Features/CWE-759/Sha1Utils.cs
@@ -0,0 +1,53 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+internal static class Sha1Utils
+{
+    public static byte[] Hash(string str)
+    {
+        var bytes = str == null ? new byte[0] : Encoding.UTF8.GetBytes(str);
+
+        return Hash(bytes);
+    }
+
+    public static byte[] Hash(byte[] bytes)
+    {
+        var sha1 = SHA1.Create();
+        var hashBytes = sha1.ComputeHash(bytes);
+
+        return hashBytes;
+    }
+
+    public static string HexStringFromBytes(byte[] bytes)
+    {
+        var sb = new StringBuilder();
+        foreach (var b in bytes)
+        {
+            var hex = b.ToString("x2");
+            sb.Append(hex);
+        }
+        return sb.ToString();
+    }
+
+    public static byte[] Hash(byte[] salt, byte[] str)
+    {
+        var salted = new byte[salt.Length + str.Length];
+        Array.Copy(salt, salted, salt.Length);
+        Array.Copy(str, 0, salted, salt.Length, str.Length);
+
+        return Hash(salted);
+    }
+
+    public static byte[] Xor(byte[] array1, byte[] array2)
+    {
+        var result = new byte[array1.Length];
+
+        for (int i = 0; i < array1.Length; i++)
+        {
+            result[i] = (byte)(array1[i] ^ array2[i]);
+        }
+
+        return result;
+    }
+}
