Ruby: add tests for rb/weak-sensitive-data-hashing

alexrford · alexrford · commit d994959720e7 · 2024-06-18T17:47:32.000+01:00
diff --git a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.expected
@@ -0,0 +1,28 @@
+edges
+| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:6:1:6:1 | x | provenance |  |
+| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | provenance |  |
+| weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | provenance |  |
+| weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | provenance |  |
+| weak_hashing.rb:6:1:6:1 | x | weak_hashing.rb:13:23:13:23 | x | provenance |  |
+| weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | provenance |  |
+nodes
+| weak_hashing.rb:3:1:3:8 | password | semmle.label | password |
+| weak_hashing.rb:4:1:4:8 | username | semmle.label | username |
+| weak_hashing.rb:6:1:6:1 | x | semmle.label | x |
+| weak_hashing.rb:10:23:10:30 | password | semmle.label | password |
+| weak_hashing.rb:11:32:11:39 | password | semmle.label | password |
+| weak_hashing.rb:12:23:12:30 | username | semmle.label | username |
+| weak_hashing.rb:13:23:13:23 | x | semmle.label | x |
+| weak_hashing.rb:24:23:24:36 | call to get_password | semmle.label | call to get_password |
+| weak_hashing.rb:28:23:28:42 | ...[...] | semmle.label | ...[...] |
+| weak_hashing.rb:30:25:30:38 | password_param | semmle.label | password_param |
+| weak_hashing.rb:32:25:32:38 | password_param | semmle.label | password_param |
+subpaths
+#select
+| weak_hashing.rb:10:23:10:30 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:10:23:10:30 | password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
+| weak_hashing.rb:11:32:11:39 | password | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:11:32:11:39 | password | $@ is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
+| weak_hashing.rb:12:23:12:30 | username | weak_hashing.rb:4:1:4:8 | username | weak_hashing.rb:12:23:12:30 | username | $@ is used in a hashing algorithm (MD5) that is insecure. | weak_hashing.rb:4:1:4:8 | username | Sensitive data (id) |
+| weak_hashing.rb:13:23:13:23 | x | weak_hashing.rb:3:1:3:8 | password | weak_hashing.rb:13:23:13:23 | x | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:3:1:3:8 | password | Sensitive data (password) |
+| weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | weak_hashing.rb:24:23:24:36 | call to get_password | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:24:23:24:36 | call to get_password | Sensitive data (password) |
+| weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | weak_hashing.rb:28:23:28:42 | ...[...] | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:28:23:28:42 | ...[...] | Sensitive data (password) |
+| weak_hashing.rb:32:25:32:38 | password_param | weak_hashing.rb:30:25:30:38 | password_param | weak_hashing.rb:32:25:32:38 | password_param | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | weak_hashing.rb:30:25:30:38 | password_param | Sensitive data (password) |
diff --git a/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref b/ruby/ql/test/query-tests/security/cwe-327/WeakSensitiveDataHashing.qlref
@@ -0,0 +1 @@
+queries/security/cwe-327/WeakSensitiveDataHashing.ql
diff --git a/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb b/ruby/ql/test/query-tests/security/cwe-327/weak_hashing.rb
@@ -0,0 +1,33 @@
+require 'openssl'
+
+password = "abcde"
+username = "some_user"
+some_data = "foo"
+x = password
+
+Digest::MD5.hexdigest(some_data) # OK: input is not sensitive
+Digest::SHA256.hexdigest(password) # OK: strong hash algorithm
+Digest::MD5.hexdigest(password) # BAD: weak hash function used for sensitive data
+OpenSSL::Digest.digest('SHA1', password) # BAD: weak hash function used for sensitive data
+Digest::MD5.hexdigest(username) # BAD: weak hash function used for sensitive data
+Digest::MD5.hexdigest(x) # BAD: weak hash function used for sensitive data
+
+def get_safe_data()
+  return "hello"
+end
+def get_password()
+  return "changeme"
+end
+
+# FIXME
+Digest::MD5.hexdigest(get_safe_data()) # OK: input is not sensitive
+Digest::MD5.hexdigest(get_password()) # BAD: weak hash function used for sensitive data
+
+some_hash = {password: "changeme", foo: "bar"}
+Digest::MD5.hexdigest(some_hash[:foo]) # OK: input is not sensitive
+Digest::MD5.hexdigest(some_hash[:password]) # BAD: weak hash function used for sensitive data
+
+def a_method(safe_data, password_param)
+  Digest::MD5.hexdigest(safe_data) # OK: input is not sensitive
+  Digest::MD5.hexdigest(password_param) # BAD: weak hash function used for sensitive data
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-327/WeakSensitiveDataHashing.ql`