Weak Hashing Property initial query

Author: egregius313

java/ql/lib/semmle/code/java/security/WeakHashingAlgorithmPropertyQuery.qll

@@ -0,0 +1,57 @@
+/** Provides classes and predicates to reason about property files and weak hashing algorithms. */
+
+import java
+private import semmle.code.configfiles.ConfigFiles
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.frameworks.Properties
+private import semmle.code.java.dataflow.RangeUtils
+
+class GetPropertyMethodAccess extends MethodAccess {
+  GetPropertyMethodAccess() { this.getMethod() instanceof PropertiesGetPropertyMethod }
+
+  private ConfigPair getPair() {
+    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
+  }
+
+  string getValue() {
+    result = this.getPair().getValueElement().getValue() or
+    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
+  }
+}
+
+string getWeakHashingAlgorithm(DataFlow::Node node) {
+/**
+ * Get the name of the weak cryptographic algorithm represented by `node`.
+ */
+string getWeakHashingAlgorithmName(DataFlow::Node node) {
+  exists(MethodAccess ma, ConfigPair pair |
+    node.asExpr() = ma and ma.getMethod() instanceof PropertiesGetPropertyMethod
+  |
+    ma.getArgument(0).(ConstantStringExpr).getStringValue() = pair.getNameElement().getName() and
+    pair.getValueElement().getValue() = result and
+    not pair.getValueElement().getValue().regexpMatch(getSecureAlgorithmRegex())
+  )
+}
+
+/**
+ * Dataflow configuration from a configuration pair in a properties file to the use of a cryptographic algorithm.
+ */
+module InsecureAlgorithmPropertyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) {
+    exists(MethodAccess ma, ConfigPair pair |
+      n.asExpr() = ma and ma.getMethod() instanceof PropertiesGetPropertyMethod
+    |
+      ma.getArgument(0).(ConstantStringExpr).getStringValue() = pair.getNameElement().getName() and
+      not pair.getValueElement().getValue().regexpMatch(getSecureAlgorithmRegex())
+    )
+  }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() = any(CryptoAlgoSpec c).getAlgoSpec() }
+}
+
+/**
+ * Dataflow from a configuration pair in a properties file to the use of a cryptographic algorithm.
+ */
+module InsecureAlgorithmPropertyFlow = TaintTracking::Global<InsecureAlgorithmPropertyConfig>;

java/ql/src/Security/CWE/CWE-328/WeakHashingProperty.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="../CWE-327/BrokenCryptoAlgorithm.qhelp" /></qhelp>

java/ql/src/Security/CWE/CWE-328/WeakHashingProperty.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Weak Hashing Property
+ * @description Using weak cryptographic algorithms can allow an attacker to compromise security.
+ * @id java/weak-hashing-property
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *      external/cwe/cwe-328
+ */
+
+import java
+import semmle.code.java.security.WeakHashingAlgorithmPropertyQuery
+import InsecureAlgorithmPropertyFlow::PathGraph
+
+from InsecureAlgorithmPropertyFlow::PathNode source, InsecureAlgorithmPropertyFlow::PathNode sink
+where InsecureAlgorithmPropertyFlow::flowPath(source, sink)
+select sink.getNode(), sink, source, "The $@ algorithm is insecure.", source,
+  getWeakHashingAlgorithmName(source.getNode())

java/ql/src/change-notes/2023-08-23-weak-cryptographic-algorithm-from-properties-file.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added the `java/weak-hashing-property` query to detect the use of weak cryptographic algorithms where the algorithm name comes from a `.properties` configuration file.
+