Skip to content

feat: detect weak crypto algorithm #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 2, 2022
Merged

feat: detect weak crypto algorithm #30

merged 11 commits into from
Jun 2, 2022

Conversation

@tony-go
Copy link
Member

@tony-go tony-go commented May 24, 2022
edited
Loading

Context

This PR resolves issue #25

Improvements πŸš€

At the moment we detect:

Algorithm Code import 'crypto'
md5 createHash('md5') βœ…
md5 crypto.createHash('md5') βœ…
sha1 createHash('sha1') βœ…
sha1 crypto.createHash('sha1') βœ…
ripemd160 createHash('ripemd160') βœ…
ripemd160 crypto.createHash('ripemd160') βœ…
md4 createHash('md4') βœ…
md4 crypto.createHash('md4') βœ…
md2 createHash('md2') βœ…
md2 crypto.createHash('md2') βœ…

Questions

  • Should we make import 'crypto' be required to trigger this warning?
  • Should I add other weak crypto algorithms in this PR? (like sha1, but TBH I don't know other ones πŸ™ˆ)?

@tony-go tony-go added the wip label May 24, 2022
@tony-go tony-go requested a review from fraxken May 24, 2022 18:27
@tony-go tony-go self-assigned this May 24, 2022
@tony-go tony-go force-pushed the feat/weak-crypto branch from 267df25 to 44bf387 Compare May 26, 2022 11:40
@tony-go tony-go marked this pull request as ready for review May 26, 2022 13:54
@tony-go tony-go requested review from a team, Kawacrepe and antoine-coulon May 26, 2022 17:13
Kawacrepe
Kawacrepe reviewed May 27, 2022
View reviewed changes
Copy link
Member

@Kawacrepe Kawacrepe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm! My only question is: shouldn't we add a valid test case ? where the cryptoHash algorithm used is something like sha256 etc..?

@tony-go
Copy link
Member Author

tony-go commented May 27, 2022

Lgtm! My only question is: shouldn't we add a valid test case ? where the cryptoHash algorithm used is something like sha256 etc..?

Very good idea ^^ I'll add it.

@tony-go tony-go requested a review from Kawacrepe May 27, 2022 20:07
@tony-go
Copy link
Member Author

tony-go commented May 30, 2022

@fraxken do you prefer to wait for the tracer feature?

@fraxken
Copy link
Member

fraxken commented May 30, 2022

@tony-go No i guess this is ok to merge. For weak hash i have found this list

  • MD2, MD4, MD5, RIPEMD-160, and SHA-1

SHA1 is supported by Node.js (maybe we have to check for the other ones).

fraxken
fraxken requested changes May 30, 2022
View reviewed changes
@tony-go tony-go requested a review from fraxken May 31, 2022 21:25
fraxken
fraxken reviewed Jun 2, 2022
View reviewed changes
src/probes/isWeakCrypto.js Outdated
import { warnings } from "../constants.js";

// Constants
const weakAlgorithms = ["md5", "sha1", "ripemd160", "md4", "md2"];
Copy link
Member

@fraxken fraxken Jun 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

new Set(["md5", "sha1", "ripemd160", "md4", "md2"]) no ?

Copy link
Member Author

@tony-go tony-go Jun 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shame on me! this is the vim effect!

src/probes/isWeakCrypto.js Outdated
const isCryptoImported = analysis.dependencies.has("crypto");

if (
weakAlgorithms.includes(arg.value) &&
Copy link
Member

@fraxken fraxken Jun 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

weakAlgorithms.has(arg.value)

With an ES6 Set

Copy link
Member Author

@tony-go tony-go Jun 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ™ˆ

@tony-go tony-go force-pushed the feat/weak-crypto branch from 1e6de33 to 7703a98 Compare June 2, 2022 10:18
@tony-go tony-go requested a review from fraxken June 2, 2022 10:18
@fraxken fraxken merged commit bcabd27 into master Jun 2, 2022
@fraxken
Copy link
Member

fraxken commented Jun 2, 2022

@all-contributors please add @tony-go for code,tests,docs

@allcontributors
Copy link
Contributor

allcontributors bot commented Jun 2, 2022

@fraxken

I couldn't determine any contributions to add, did you specify any contributions?
Please make sure to use valid contribution names.

@fraxken
Copy link
Member

fraxken commented Jun 2, 2022

@all-contributors please add @tony for code, doc, test

@allcontributors allcontributors bot mentioned this pull request Jun 2, 2022
Merged
@allcontributors
Copy link
Contributor

allcontributors bot commented Jun 2, 2022

@fraxken

I've put up a pull request to add @tony! πŸŽ‰

@fraxken fraxken deleted the feat/weak-crypto branch June 2, 2022 10:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kawacrepe Kawacrepe Kawacrepe approved these changes

@antoine-coulon antoine-coulon Awaiting requested review from antoine-coulon

@fraxken fraxken Awaiting requested review from fraxken

Assignees

@tony-go tony-go

Labels

wip

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tony-go @fraxken @Kawacrepe