Add more cases

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql

@@ -38,7 +38,12 @@ string getPasswordRegex() { result = "(?i).*pass(wd|word|code|phrase).*" }
 /** Finds variables that hold password information judging by their names. */
 class PasswordVarExpr extends Expr {
   PasswordVarExpr() {
-    exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch(getPasswordRegex()))
+    exists(Variable v | this = v.getAnAccess() |
+      (
+        v.getName().toLowerCase().regexpMatch(getPasswordRegex()) and
+        not v.getName().toLowerCase().matches("%hash%") // Exclude variable names such as `passwordHash` since their values were already hashed
+      )
+    )
   }
 }
 
@@ -77,17 +82,20 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration {
   }
 
   /**
-   * Holds if a password is concatenated with a salt then hashed together through the call `System.arraycopy(password.getBytes(), ...)`. For example,
+   * Holds if a password is concatenated with a salt then hashed together through the call `System.arraycopy(password.getBytes(), ...)`, for example,
    *  `System.arraycopy(password.getBytes(), 0, allBytes, 0, password.getBytes().length);`
    *  `System.arraycopy(salt, 0, allBytes, password.getBytes().length, salt.length);`
    *  `byte[] messageDigest = md.digest(allBytes);`
+   * Or the password is concatenated with a salt as a string.
    */
   override predicate isSanitizer(DataFlow::Node node) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "System") and
       ma.getMethod().hasName("arraycopy") and
       ma.getArgument(0) = node.asExpr()
-    )
+    ) // System.arraycopy(password.getBytes(), ...)
+    or
+    exists(AddExpr e | node.asExpr() = e.getAnOperand()) // password+salt
   }
 }
 

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java

@@ -52,6 +52,23 @@ public String getSHA256Hash3(String password, byte[] salt) throws NoSuchAlgorith
 		return Base64.getEncoder().encodeToString(cipherBytes);
 	}
 
+	// GOOD - Hash with a given salt stored somewhere else.
+	public String getSHA256Hash(String password, String salt) throws NoSuchAlgorithmException {
+		return hash(password+salt);
+	}
+
+	// GOOD - Hash with a salt for a variable named passwordHash, whose value is a hash used as an input for a hashing function.
+	public String getSHA256Hash3(String passwordHash) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		byte[] messageDigest = md.digest(passwordHash.getBytes());
+		return Base64.getEncoder().encodeToString(messageDigest);
+	}
+
+	private String hash(String payload) {
+		MessageDigest alg = MessageDigest.getInstance("SHA-256");
+		return Base64.getEncoder().encodeToString(alg.digest(payload.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
+	}
+
 	public static byte[] getSalt() throws NoSuchAlgorithmException {
 		SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
 		byte[] salt = new byte[16];

java/ql/test/experimental/query-tests/security/CWE-759/SHA256.java

@@ -0,0 +1,20 @@
+import java.security.MessageDigest;
+
+public class SHA256 {
+  MessageDigest md;
+  public int getBlockSize() {return 32;}
+  public void init() throws Exception {
+    try { md = MessageDigest.getInstance("SHA-256"); }
+    catch (Exception e){
+      System.err.println(e);
+    }
+  }
+
+  public void update(byte[] foo, int start, int len) throws Exception {
+    md.update(foo, start, len);
+  }
+
+  public byte[] digest() throws Exception {
+    return md.digest();
+  }
+}