Merge pull request github#5635 from RasmusWL/port-weak-crypto-algorithm

Approved by yoff

Author: codeql-ci

config/identical-files.json

@@ -439,7 +439,7 @@
   ],
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
   ],
   "SensitiveDataHeuristics Python/JS": [
     "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",

python/change-notes/2021-04-09-split-weak-crypto-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Updated the _Use of a broken or weak cryptographic algorithm_ (`py/weak-cryptographic-algorithm`) query, so it alerts on any use of a weak cryptographic non-hashing algorithm. Introduced a new query _Use of a broken or weak cryptographic hashing algorithm on sensitive data_ (`py/weak-sensitive-data-hashing`) to handle weak cryptographic hashing algorithms, which only alerts when used on sensitive data.

python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp

@@ -15,22 +15,28 @@
                secure than it appears to be.
           </p>
 
+          <p>
+               This query alerts on any use of a weak cryptographic algorithm, that is
+               not a hashing algorithm. Use of broken or weak cryptographic hash
+               functions are handled by the
+               <code>py/weak-sensitive-data-hashing</code> query.
+          </p>
+
      </overview>
      <recommendation>
 
           <p>
                Ensure that you use a strong, modern cryptographic
-               algorithm. Use at least AES-128 or RSA-2048 for
-               encryption, and SHA-2 or SHA-3 for secure hashing.
+               algorithm, such as AES-128 or RSA-2048.
           </p>
 
      </recommendation>
      <example>
 
           <p>
-               The following code uses the <code>pycrypto</code>
+               The following code uses the <code>pycryptodome</code>
                library to encrypt some secret data. When you create a cipher using
-               <code>pycrypto</code> you must specify the encryption
+               <code>pycryptodome</code> you must specify the encryption
                algorithm to use. The first example uses DES, which is an
                older algorithm that is now considered weak. The second
                example uses AES, which is a stronger modern algorithm.
@@ -39,8 +45,12 @@
           <sample src="examples/broken_crypto.py" />
 
           <p>
-               WARNING: Although the second example above is more robust,
-               pycrypto is no longer actively maintained so we recommend using <code>cryptography</code> instead.
+               NOTICE: the original
+               <code><a href="https://pypi.org/project/pycrypto/">pycrypto</a></code>
+               PyPI package that provided the <code>Crypto</code> module is not longer
+               actively maintained, so you should use the
+               <code><a href="https://pypi.org/project/pycryptodome/">pycryptodome</a></code>
+               PyPI package instead (which has a compatible API).
           </p>
 
      </example>

python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@@ -1,7 +1,7 @@
 /**
  * @name Use of a broken or weak cryptographic algorithm
  * @description Using broken or weak cryptographic algorithms can compromise security.
- * @kind path-problem
+ * @kind problem
  * @problem.severity warning
  * @precision high
  * @id py/weak-cryptographic-algorithm
@@ -10,21 +10,15 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.security.SensitiveData
-import semmle.python.security.Crypto
+import semmle.python.Concepts
 
-class BrokenCryptoConfiguration extends TaintTracking::Configuration {
-  BrokenCryptoConfiguration() { this = "Broken crypto configuration" }
-
-  override predicate isSource(TaintTracking::Source source) {
-    source instanceof SensitiveDataSource
-  }
-
-  override predicate isSink(TaintTracking::Sink sink) { sink instanceof WeakCryptoSink }
-}
-
-from BrokenCryptoConfiguration config, TaintedPathSource src, TaintedPathSink sink
-where config.hasFlowPath(src, sink)
-select sink.getSink(), src, sink, "$@ is used in a broken or weak cryptographic algorithm.",
-  src.getSource(), "Sensitive data"
+from Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm
+where
+  algorithm = operation.getAlgorithm() and
+  algorithm.isWeak() and
+  // `Cryptography::HashingAlgorithm` and `Cryptography::PasswordHashingAlgorithm` are
+  // handled by `py/weak-sensitive-data-hashing`
+  algorithm instanceof Cryptography::EncryptionAlgorithm
+select operation,
+  "The cryptographic algorithm " + algorithm.getName() +
+    " is broken or weak, and should not be used."

python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp

@@ -0,0 +1,104 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               Using a broken or weak cryptographic hash function can leave data
+               vulnerable, and should not be used in security related code.
+          </p>
+
+          <p>
+               A strong cryptographic hash function should be resistant to:
+          </p>
+          <ul>
+               <li>
+                    pre-image attacks: if you know a hash value <code>h(x)</code>,
+                    you should not be able to easily find the input <code>x</code>.
+               </li>
+               <li>
+                    collision attacks: if you know a hash value <code>h(x)</code>,
+                    you should not be able to easily find a different input <code>y</code>
+                    with the same hash value <code>h(x) = h(y)</code>.
+               </li>
+          </ul>
+          <p>
+               In cases with a limited input space, such as for passwords, the hash
+               function also needs to be computationally expensive to be resistant to
+               brute-force attacks. Passwords should also have an unique salt applied
+               before hashing, but that is not considered by this query.
+          </p>
+
+          <p>
+               As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.
+          </p>
+
+          <p>
+               Since it's OK to use a weak cryptographic hash function in a non-security
+               context, this query only alerts when these are used to hash sensitive
+               data (such as passwords, certificates, usernames).
+          </p>
+
+          <p>
+               Use of broken or weak cryptographic algorithms that are not hashing algorithms, is
+               handled by the <code>py/weak-cryptographic-algorithm</code> query.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Ensure that you use a strong, modern cryptographic hash function:
+          </p>
+
+          <ul>
+               <li>
+                    such as Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space.
+               </li>
+               <li>
+                    such as SHA-2, or SHA-3 in other cases.
+               </li>
+          </ul>
+
+     </recommendation>
+     <example>
+
+          <p>
+               The following example shows two functions for checking whether the hash
+               of a certificate matches a known value -- to prevent tampering.
+
+               The first function uses MD5 that is known to be vulnerable to collision attacks.
+
+               The second function uses SHA-256 that is a strong cryptographic hashing function.
+          </p>
+
+          <sample src="examples/weak_certificate_hashing.py" />
+
+     </example>
+     <example>
+          <p>
+               The following example shows two functions for hashing passwords.
+
+               The first function uses SHA-256 to hash passwords. Although SHA-256 is a
+               strong cryptographic hash function, it is not suitable for password
+               hashing since it is not computationally expensive.
+          </p>
+
+          <sample src="examples/weak_password_hashing_bad.py" />
+
+
+          <p>
+               The second function uses Argon2 (through the <code>argon2-cffi</code>
+               PyPI package), which is a strong password hashing algorithm (and
+               includes a per-password salt by default).
+          </p>
+
+          <sample src="examples/weak_password_hashing_good.py" />
+
+     </example>
+
+     <references>
+          <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage Cheat Sheet</a></li>
+     </references>
+
+</qhelp>

python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Use of a broken or weak cryptographic hashing algorithm on sensitive data
+ * @description Using broken or weak cryptographic hashing algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id py/weak-sensitive-data-hashing
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-916
+ */
+
+import python
+import semmle.python.security.dataflow.WeakSensitiveDataHashing
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import DataFlow::PathGraph
+
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
+  string classification
+where
+  exists(NormalHashFunction::Configuration config |
+    config.hasFlowPath(source, sink) and
+    algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
+    classification = source.getNode().(NormalHashFunction::Source).getClassification() and
+    ending = "."
+  )
+  or
+  exists(ComputationallyExpensiveHashFunction::Configuration config |
+    config.hasFlowPath(source, sink) and
+    algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
+    classification =
+      source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
+    (
+      sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+      ending = "."
+      or
+      not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+      ending =
+        " for " + classification +
+          " hashing, since it is not a computationally expensive hash function."
+    )
+  )
+select sink.getNode(), source, sink,
+  "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
+  source.getNode(), "Sensitive data (" + classification + ")"

python/ql/src/Security/CWE-327/examples/weak_certificate_hashing.py

@@ -0,0 +1,9 @@
+import hashlib
+
+def certificate_matches_known_hash_bad(certificate, known_hash):
+    hash = hashlib.md5(certificate).hexdigest() # BAD
+    return hash == known_hash
+
+def certificate_matches_known_hash_good(certificate, known_hash):
+    hash = hashlib.sha256(certificate).hexdigest() # GOOD
+    return hash == known_hash

python/ql/src/Security/CWE-327/examples/weak_password_hashing_bad.py

@@ -0,0 +1,4 @@
+import hashlib
+
+def get_password_hash(password: str, salt: str):
+    return hashlib.sha256(password + salt).hexdigest() # BAD

python/ql/src/Security/CWE-327/examples/weak_password_hashing_good.py

@@ -0,0 +1,9 @@
+from argon2 import PasswordHasher
+
+def get_initial_hash(password: str):
+    ph = PasswordHasher()
+    return ph.hash(password) # GOOD
+
+def check_password(password: str, known_hash):
+    ph = PasswordHasher()
+    return ph.verify(known_hash, password) # GOOD

python/ql/src/experimental/Security-old-dataflow/CWE-327/BrokenCryptoAlgorithm.ql

@@ -0,0 +1,28 @@
+/**
+ * @name OLD QUERY: Use of a broken or weak cryptographic algorithm
+ * @description Using broken or weak cryptographic algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id py/old/weak-cryptographic-algorithm
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.security.SensitiveData
+import semmle.python.security.Crypto
+
+class BrokenCryptoConfiguration extends TaintTracking::Configuration {
+  BrokenCryptoConfiguration() { this = "Broken crypto configuration" }
+
+  override predicate isSource(TaintTracking::Source source) {
+    source instanceof SensitiveDataSource
+  }
+
+  override predicate isSink(TaintTracking::Sink sink) { sink instanceof WeakCryptoSink }
+}
+
+from BrokenCryptoConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ is used in a broken or weak cryptographic algorithm.",
+  src.getSource(), "Sensitive data"