Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS library.

smiddy007 · smiddy007 · commit ec97cdc8a020 · 2023-04-13T23:16:20.000-04:00
diff --git a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224,
+* SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll
@@ -627,6 +627,10 @@ private module Forge {
         // require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog');
         this =
           getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall()
+        or
+        // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog');
+        this =
+          getAnImportNode().getMember("md").getMember(algorithmName).getAMember().getMember("create").getACall()
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -627,6 +627,10 @@ private module Forge {`
`627`	`627`	`// require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog');`
`628`	`628`	`this =`
`629`	`629`	`getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall()`
	`630`	`+ or`
	`631`	`+ // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog');`
	`632`	`+ this =`
	`633`	`+ getAnImportNode().getMember("md").getMember(algorithmName).getAMember().getMember("create").getACall()`
`630`	`634`	`)`
`631`	`635`	`}`
`632`	`636`