add weak hash mapping and test

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -97,6 +97,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         SonarSQLInjectionCodemod.class,
         SonarSSRFCodemod.class,
         SonarUnsafeReflectionRemediationCodemod.class,
+        SonarWeakHashingAlgorithmCodemod.class,
         SonarWeakRandomCodemod.class,
         SonarXXECodemod.class,
         SQLParameterizerCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/sonar/SonarWeakHashingAlgorithmCodemod.java

@@ -0,0 +1,64 @@
+package io.codemodder.codemods.sonar;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleHotspot;
+import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakcrypto.WeakCryptoAlgorithmRemediator;
+import io.codemodder.remediation.weakrandom.WeakRandomRemediator;
+import io.codemodder.sonar.model.Hotspot;
+import io.codemodder.sonar.model.SonarFinding;
+
+import javax.inject.Inject;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+
+@Codemod(
+    id = "sonar:java/weak-hash-2245",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SonarWeakHashingAlgorithmCodemod extends SonarRemediatingJavaParserChanger {
+
+  private final Remediator<Hotspot> remediationStrategy;
+  private final RuleHotspot issues;
+
+  @Inject
+  public SonarWeakHashingAlgorithmCodemod(
+      @ProvidedSonarScan(ruleId = "java:S4790") final RuleHotspot hotspots) {
+    super(GenericRemediationMetadata.WEAK_CRYPTO_ALGORITHM.reporter(), hotspots);
+    this.issues = Objects.requireNonNull(hotspots);
+    this.remediationStrategy = new WeakCryptoAlgorithmRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "java:S4790",
+        "Using weak hashing algorithms is security-sensitive",
+        "https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-4790/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    List<Hotspot> issuesForFile = issues.getResultsByPath(context.path());
+    return remediationStrategy.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        issuesForFile,
+        SonarFinding::getKey,
+        i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
+        i ->
+            i.getTextRange() != null
+                ? Optional.of(i.getTextRange().getEndLine())
+                : Optional.empty(),
+        i -> Optional.empty());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/semgrep/SemgrepMissingSecureFlagCodemodTest.java

@@ -8,5 +8,6 @@
     testResourceDir = "semgrep-missing-secure-flag",
     expectingFixesAtLines = {131},
     renameTestFile = "src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java",
+    doRetransformTest = false,
     dependencies = {})
 final class SemgrepMissingSecureFlagCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/java/io/codemodder/codemods/sonar/SonarWeakHashingAlgorithmCodemodTest.java

@@ -0,0 +1,18 @@
+package io.codemodder.codemods.sonar;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
+
+final class SonarWeakHashingAlgorithmCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = SonarWeakHashingAlgorithmCodemod.class,
+      testResourceDir = "sonar-weak-hash-4790",
+      renameTestFile = "src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java",
+      expectingFixesAtLines = {55},
+      doRetransformTest = false,
+      dependencies = {})
+  final class HashingAssignmentTest implements CodemodTestMixin {}
+}

core-codemods/src/test/resources/sonar-weak-hash-4790/HashingAssignment.java.after

@@ -0,0 +1,105 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
+public class HashingAssignment extends AssignmentEndpoint {
+
+  public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
+
+  @RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String md5Hash = (String) request.getSession().getAttribute("md5Hash");
+    if (md5Hash == null) {
+
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+
+      MessageDigest md = MessageDigest.getInstance("SHA-256");
+      md.update(secret.getBytes());
+      byte[] digest = md.digest();
+      md5Hash = DatatypeConverter.printHexBinary(digest).toUpperCase();
+      request.getSession().setAttribute("md5Hash", md5Hash);
+      request.getSession().setAttribute("md5Secret", secret);
+    }
+    return md5Hash;
+  }
+
+  @RequestMapping(path = "/crypto/hashing/sha256", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String sha256 = (String) request.getSession().getAttribute("sha256");
+    if (sha256 == null) {
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      sha256 = getHash(secret, "SHA-256");
+      request.getSession().setAttribute("sha256Hash", sha256);
+      request.getSession().setAttribute("sha256Secret", secret);
+    }
+    return sha256;
+  }
+
+  @PostMapping("/crypto/hashing")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request,
+      @RequestParam String answer_pwd1,
+      @RequestParam String answer_pwd2) {
+
+    String md5Secret = (String) request.getSession().getAttribute("md5Secret");
+    String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+
+    if (answer_pwd1 != null && answer_pwd2 != null) {
+      if (answer_pwd1.equals(md5Secret) && answer_pwd2.equals(sha256Secret)) {
+        return success(this).feedback("crypto-hashing.success").build();
+      } else if (answer_pwd1.equals(md5Secret) || answer_pwd2.equals(sha256Secret)) {
+        return failed(this).feedback("crypto-hashing.oneok").build();
+      }
+    }
+    return failed(this).feedback("crypto-hashing.empty").build();
+  }
+
+  public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    MessageDigest md = MessageDigest.getInstance(algorithm);
+    md.update(secret.getBytes());
+    byte[] digest = md.digest();
+    return DatatypeConverter.printHexBinary(digest).toUpperCase();
+  }
+}

core-codemods/src/test/resources/sonar-weak-hash-4790/HashingAssignment.java.before

@@ -0,0 +1,105 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
+public class HashingAssignment extends AssignmentEndpoint {
+
+  public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
+
+  @RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String md5Hash = (String) request.getSession().getAttribute("md5Hash");
+    if (md5Hash == null) {
+
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+
+      MessageDigest md = MessageDigest.getInstance("MD5");
+      md.update(secret.getBytes());
+      byte[] digest = md.digest();
+      md5Hash = DatatypeConverter.printHexBinary(digest).toUpperCase();
+      request.getSession().setAttribute("md5Hash", md5Hash);
+      request.getSession().setAttribute("md5Secret", secret);
+    }
+    return md5Hash;
+  }
+
+  @RequestMapping(path = "/crypto/hashing/sha256", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String sha256 = (String) request.getSession().getAttribute("sha256");
+    if (sha256 == null) {
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      sha256 = getHash(secret, "SHA-256");
+      request.getSession().setAttribute("sha256Hash", sha256);
+      request.getSession().setAttribute("sha256Secret", secret);
+    }
+    return sha256;
+  }
+
+  @PostMapping("/crypto/hashing")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request,
+      @RequestParam String answer_pwd1,
+      @RequestParam String answer_pwd2) {
+
+    String md5Secret = (String) request.getSession().getAttribute("md5Secret");
+    String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+
+    if (answer_pwd1 != null && answer_pwd2 != null) {
+      if (answer_pwd1.equals(md5Secret) && answer_pwd2.equals(sha256Secret)) {
+        return success(this).feedback("crypto-hashing.success").build();
+      } else if (answer_pwd1.equals(md5Secret) || answer_pwd2.equals(sha256Secret)) {
+        return failed(this).feedback("crypto-hashing.oneok").build();
+      }
+    }
+    return failed(this).feedback("crypto-hashing.empty").build();
+  }
+
+  public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    MessageDigest md = MessageDigest.getInstance(algorithm);
+    md.update(secret.getBytes());
+    byte[] digest = md.digest();
+    return DatatypeConverter.printHexBinary(digest).toUpperCase();
+  }
+}

core-codemods/src/test/resources/sonar-weak-hash-4790/sonar-hotspots.json

@@ -0,0 +1,48 @@
+{
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 100,
+    "total": 1
+  },
+  "hotspots": [
+    {
+      "key": "AZPB23cAwGhA7VQ2Ui-j",
+      "component": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java",
+      "project": "nahsra_WebGoatSonarDemo",
+      "securityCategory": "others",
+      "vulnerabilityProbability": "LOW",
+      "status": "TO_REVIEW",
+      "line": 55,
+      "message": "Make sure this weak hash algorithm is not used in a sensitive context here.",
+      "assignee": "AYu2RswFLuhbfWU895e4",
+      "author": "[email protected]",
+      "creationDate": "2024-12-13T22:06:37+0100",
+      "updateDate": "2024-12-13T22:09:25+0100",
+      "textRange": {
+        "startLine": 55,
+        "endLine": 55,
+        "startOffset": 39,
+        "endOffset": 50
+      },
+      "flows": [],
+      "ruleKey": "java:S4790"
+    }
+  ],
+  "components": [
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java",
+      "qualifier": "FIL",
+      "name": "HashingAssignment.java",
+      "longName": "src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java",
+      "path": "src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java"
+    },
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo",
+      "qualifier": "TRK",
+      "name": "WebGoatSonarDemo",
+      "longName": "WebGoatSonarDemo"
+    }
+  ]
+}