Merge pull request github#13934 from egregius313/egregius313/add-dashes-to-sha-algorithms

egregius313 · web-flow · commit 41a527cf7254 · 2023-08-17T13:03:15.000-04:00
Java: Add dashes to SHA algorithm names in `Encryption.qll`
diff --git a/java/ql/lib/change-notes/2023-08-15-add-dashes-to-sha-algorithms.md b/java/ql/lib/change-notes/2023-08-15-add-dashes-to-sha-algorithms.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Modified the `getSecureAlgorithmName` predicate in `Encryption.qll` to also include `SHA-256` and `SHA-512`. Previously only the versions of the names without dashes were considered secure.
diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -270,7 +270,7 @@ string getInsecureAlgorithmRegex() {
 string getASecureAlgorithmName() {
   result =
     [
-      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
+      "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
       "Blowfish", "ECIES"
     ]
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Modified the `getSecureAlgorithmName` predicate in `Encryption.qll` to also include `SHA-256` and `SHA-512`. Previously only the versions of the names without dashes were considered secure.
Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,7 @@ string getInsecureAlgorithmRegex() {`
`270`	`270`	`string getASecureAlgorithmName() {`
`271`	`271`	`result =`
`272`	`272`	`[`
`273`		`- "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB\|CBC/PKCS[57]Padding))",`
	`273`	`+ "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB\|CBC/PKCS[57]Padding))",`
`274`	`274`	`"Blowfish", "ECIES"`
`275`	`275`	`]`
`276`	`276`	`}`