-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathinsecure-hash-cpp.yml
127 lines (123 loc) · 3.64 KB
/
insecure-hash-cpp.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
id: insecure-hash-cpp
language: cpp
severity: warning
message: >-
This hashing algorithm is insecure. If this hash is used in a security
context, such as password hashing, it should be converted to a stronger
hashing algorithm.
note: >-
[CWE-328] Use of Weak Hash.
[REFERENCES]
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
ast-grep-essentials: true
utils:
MATCH_PATTERN_ONE:
kind: expression_statement
has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$
- has:
stopBy: neighbor
kind: argument_list
MATCH_PATTERN_TWO:
kind: expression_statement
has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: end
kind: string_content
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
MATCH_PATTERN_TWO_with_instance:
kind: expression_statement
all:
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$"
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: neighbor
kind: identifier
pattern: $Q
- follows:
stopBy: end
kind: declaration
has:
stopBy: end
kind: init_declarator
all:
- has:
stopBy: neighbor
any:
- kind: array_declarator
has:
stopBy: neighbor
kind: identifier
pattern: $Q
- kind: pointer_declarator
has:
stopBy: neighbor
kind: identifier
pattern: $Q
- kind: identifier
pattern: $Q
- has:
stopBy: neighbor
kind: string_literal
has:
stopBy: neighbor
kind: string_content
regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$
MATCH_PATTERN_THREE:
kind: expression_statement
has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: end
kind: identifier
regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
rule:
any:
- kind: expression_statement
any:
- matches: MATCH_PATTERN_ONE
- matches: MATCH_PATTERN_TWO
- matches: MATCH_PATTERN_TWO_with_instance
- matches: MATCH_PATTERN_THREE
not:
all:
- has:
stopBy: end
kind: ERROR
- inside:
stopBy: end
kind: ERROR