advanced-security · GeekMasher · Apr 12, 2022 · Apr 12, 2022 · Apr 12, 2022 · Apr 12, 2022
diff --git a/csharp/CWE-326/EncryptionInsufficientKeySize.ql b/csharp/CWE-326/EncryptionInsufficientKeySize.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Weak encryption: Insufficient key size
+ * @description Finds uses of encryption algorithms with too small a key size
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id cs/insufficient-key-size
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import csharp
+import github.crypto
+
+from Crypto::AsymmetricAlgorithms aglms, int key_size
+where
+  key_size = aglms.getKeySize() and
+  key_size < aglms.minKeySize()
+select aglms, "Key size " + key_size.toString() + " is to small (min: " + aglms.minKeySize() + ")"
diff --git a/csharp/CWE-326/EncryptionKeySizeToLarge.ql b/csharp/CWE-326/EncryptionKeySizeToLarge.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Weak encryption: Key size is too large for algorithm
+ * @description Finds uses of encryption algorithms with too large of a key size
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 1.0
+ * @precision high
+ * @id cs/insufficient-key-size
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import csharp
+import github.crypto
+
+from Crypto::AsymmetricAlgorithms aglms, int key_size
+where
+  key_size = aglms.getKeySize() and
+  key_size > aglms.maxKeySize()
+select aglms,
+  "Key size " + key_size.toString() + " is to large for algorithm (max: " + aglms.maxKeySize() + ")"
diff --git a/csharp/CWE-326/EncryptionKeySizeUseGetter.ql b/csharp/CWE-326/EncryptionKeySizeUseGetter.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Weak encryption: Key size set using a Getter and failing to set key size
+ * @description Finds uses of encryption algorithms using a Getter and not setting the size of the key
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 1.0
+ * @precision high
+ * @id cs/encryption-keysize-use-getter
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import csharp
+import github.crypto
+
+from Crypto::AsymmetricAlgorithms aglms, PropertyAccess props, Expr expr
+where
+  aglms.getType().hasName(["DSACryptoServiceProvider", "RSACryptoServiceProvider"]) and
+  props.getTarget().getDeclaringType() = aglms.getType() and
+  props.getTarget().getName() = "KeySize" and
+  expr = props.getParent().(Assignment).getRValue()
+select expr, "Cannot use Getter to set key size"
diff --git a/csharp/CWE-327/WeakHMac.ql b/csharp/CWE-327/WeakHMac.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Use of Weak Hmac Algorithms
+ * @description Use of Weak Hmac Algorithms
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.0
+ * @precision medium
+ * @id cs/weak-hmac-algorithm
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import csharp
+import github.crypto
+
+from Crypto::HMacSigningAlgorithms algorithms
+where algorithms.algorithm() = ["MD5", "SHA1"]
+select algorithms, "Weak Hmac Algorithms"
diff --git a/csharp/CWE-760/HardcodedSalt.ql b/csharp/CWE-760/HardcodedSalt.ql
@@ -0,0 +1,72 @@
+/**
+ * @name Hardcoded Salt
+ * @description Hardcoded Salt
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision medium
+ * @id cs/hardcoded-salt
+ * @tags security
+ *       external/cwe/cwe-760
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.Moq
+private import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+// import semmle.code.csharp.frameworks.system.security.Cryptography
+private import github.hardcoded
+private import github.crypto
+
+module HardcodedSalt {
+  abstract class Source extends DataFlow::ExprNode { }
+
+  abstract class Sink extends DataFlow::ExprNode { }
+
+  abstract class Sanitizer extends DataFlow::ExprNode { }
+
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /*
+   * Sources
+   */
+
+  class Hardcoded extends Source {
+    Hardcoded() { this instanceof HardcodedValues }
+  }
+
+  /*
+   * Sinks
+   */
+
+  class HashAlgSalts extends Sink {
+    HashAlgSalts() { exists(Crypto::HashingAlgorithms hash | this = hash.getSalt()) }
+  }
+
+  /*
+   * Config
+   */
+
+  class TaintTrackingConfiguration extends TaintTracking::Configuration {
+    TaintTrackingConfiguration() { this = "HardcodedSalt" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof HardcodedSalt::Source }
+
+    override predicate isSink(DataFlow::Node sink) {
+      sink instanceof HardcodedSalt::Sink and
+      not any(ReturnedByMockObject mock).getAMemberInitializationValue() = sink.asExpr() and
+      not any(ReturnedByMockObject mock).getAnArgument() = sink.asExpr()
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}
+
+from
+  HardcodedSalt::TaintTrackingConfiguration config, DataFlow::PathNode source,
+  DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Use of $@.", source.getNode(), "hardcoded salt"
diff --git a/csharp/CWE-916/WeakIterations.ql b/csharp/CWE-916/WeakIterations.ql
@@ -0,0 +1,83 @@
+/**
+ * @name Use of Password Hash With Insufficient Computational Effort
+ * @description Use of Password Hash With Insufficient Computational Effort
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 4.0
+ * @precision medium
+ * @id cs/weak-hash-algorithms-iterations
+ * @tags security
+ *       external/cwe/cwe-916
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.Moq
+private import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+// import semmle.code.csharp.frameworks.system.security.Cryptography
+private import github.hardcoded
+private import github.crypto
+
+module WeakIterations {
+  abstract class Source extends DataFlow::ExprNode { }
+
+  abstract class Sink extends DataFlow::ExprNode { }
+
+  abstract class Sanitizer extends DataFlow::ExprNode { }
+
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /*
+   * Sources
+   */
+
+  class Hardcoded extends Source {
+    Hardcoded() { this.getExpr().(IntLiteral).getValue().toInt() < 100000 }
+  }
+
+  class DefaultSettings extends Source {
+    // TODO: This needs to be FAR better
+    DefaultSettings() {
+      exists(Crypto::HashingAlgorithms hash |
+        hash.getExpr().(ObjectCreation).getNumberOfArguments() <= 2 and
+        hash.defaultIterations() < 10000 and
+        this.asExpr() = hash.getExpr()
+      )
+    }
+  }
+
+  /*
+   * Sinks
+   */
+
+  class HashAlgSalts extends Sink {
+    HashAlgSalts() { exists(Crypto::HashingAlgorithms hash | this = hash.getIterations()) }
+  }
+
+  /*
+   * Config
+   */
+
+  class TaintTrackingConfiguration extends TaintTracking::Configuration {
+    TaintTrackingConfiguration() { this = "WeakIteration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof WeakIterations::Source }
+
+    override predicate isSink(DataFlow::Node sink) {
+      sink instanceof WeakIterations::Sink and
+      not any(ReturnedByMockObject mock).getAMemberInitializationValue() = sink.asExpr() and
+      not any(ReturnedByMockObject mock).getAnArgument() = sink.asExpr()
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}
+
+from
+  WeakIterations::TaintTrackingConfiguration config, DataFlow::PathNode source,
+  DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Use of $@.", source.getNode(), "hardcoded weak iterations"