From 9c215ef5e982401c88e13b4ece581b38a6537441 Mon Sep 17 00:00:00 2001
From: Mathew Payne
Date: Wed, 13 Apr 2022 12:21:27 +0100
Subject: [PATCH 1/2] Initial tests

---
 tests/.gitignore | 1 +
 .../csharp-tests/CWE-760/HardcodedSalt.expected | 0
 tests/csharp-tests/CWE-760/HardcodedSalt.qlref | 1 +
 tests/csharp-tests/CWE-760/Test.cs | 16 ++++++++++++++++
 tests/csharp-tests/CWE-760/options | 1 +
 tests/csharp-tests/qlpack.lock.yml | 4 ++++
 tests/csharp-tests/qlpack.yml | 8 ++++++++
 7 files changed, 31 insertions(+)
 create mode 100644 tests/.gitignore
 create mode 100644 tests/csharp-tests/CWE-760/HardcodedSalt.expected
 create mode 100644 tests/csharp-tests/CWE-760/HardcodedSalt.qlref
 create mode 100644 tests/csharp-tests/CWE-760/Test.cs
 create mode 100644 tests/csharp-tests/CWE-760/options
 create mode 100644 tests/csharp-tests/qlpack.lock.yml
 create mode 100644 tests/csharp-tests/qlpack.yml

diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 00000000000..16a637d4a92
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1 @@
+**/*.testproj
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-760/HardcodedSalt.expected b/tests/csharp-tests/CWE-760/HardcodedSalt.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/tests/csharp-tests/CWE-760/HardcodedSalt.qlref b/tests/csharp-tests/CWE-760/HardcodedSalt.qlref
new file mode 100644
index 00000000000..f8e5d2cdc85
--- /dev/null
+++ b/tests/csharp-tests/CWE-760/HardcodedSalt.qlref
@@ -0,0 +1 @@
+CWE-760/HardcodedSalt.ql
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-760/Test.cs b/tests/csharp-tests/CWE-760/Test.cs
new file mode 100644
index 00000000000..66d99c33782
--- /dev/null
+++ b/tests/csharp-tests/CWE-760/Test.cs
@@ -0,0 +1,16 @@
+using System;
+using System.IO;
+using System.Text;
+using System.Runtime.Serialization;
+using System.Security.Cryptography;
+using System.Security.Permissions;
+
+public class StaticSalt {
+ public void Test1() {
+ string password = "TestPassword";
+
+ // BAD: Static String
+ var salt = Encoding.UTF8.GetBytes("Hardcoded Salt");
+ var hash = new Rfc2898DeriveBytes(password, salt);
+ }
+}
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-760/options b/tests/csharp-tests/CWE-760/options
new file mode 100644
index 00000000000..f2f776d1181
--- /dev/null
+++ b/tests/csharp-tests/CWE-760/options
@@ -0,0 +1 @@
+semmle-extractor-options: /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll
diff --git a/tests/csharp-tests/qlpack.lock.yml b/tests/csharp-tests/qlpack.lock.yml
new file mode 100644
index 00000000000..a046f6d9786
--- /dev/null
+++ b/tests/csharp-tests/qlpack.lock.yml
@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0
\ No newline at end of file
diff --git a/tests/csharp-tests/qlpack.yml b/tests/csharp-tests/qlpack.yml
new file mode 100644
index 00000000000..76b4d626f65
--- /dev/null
+++ b/tests/csharp-tests/qlpack.yml
@@ -0,0 +1,8 @@
+name: github-queries-csharp-tests
+groups: [csharp, test]
+dependencies:
+ codeql/csharp-all: "*"
+ github-queries-csharp: "*"
+
+extractor: csharp
+tests: .
\ No newline at end of file

From e0b6a3d7e3f17bb25be5c53db0e7ca6f231f621d Mon Sep 17 00:00:00 2001
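Review bot: Only one hardcoded-salt shape is exercised in this file — a string literal routed through `Encoding.UTF8.GetBytes` on the `var salt` line of Test1 — so whether the CWE-760 query also catches a salt written directly as bytes (`new byte[] { 1, 2, 3, 4 }`, `Convert.FromBase64String("...")`) or held in a `const`/`static readonly` field is left unverified; one `// BAD:` case of each would pin that coverage. Separately, `System.IO`, `System.Runtime.Serialization` and `System.Security.Permissions` are never used here, and `System.Security.Permissions` in particular may not resolve against the reference assemblies listed in the sibling `options` file, so dropping the three unused directives keeps extraction free of avoidable diagnostics. The `Rfc2898DeriveBytes` instance is never disposed, which is harmless in a query fixture but worth a `using var` if the snippet is ever lifted into documentation as an example.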
From: Mathew Payne
Date: Wed, 13 Apr 2022 13:34:19 +0100
Subject: [PATCH 2/2] Additional Tests and updates

---
 tests/.gitignore | 3 ++-
 .../CWE-760/HardcodedSalt.expected | 18 +++++++++++++
 tests/csharp-tests/CWE-760/Test.cs | 16 ++++++++++++
 tests/csharp-tests/CWE-916/Test.cs | 26 +++++++++++++++++++
 .../CWE-916/WeakIterations.expected | 6 +++++
 .../csharp-tests/CWE-916/WeakIterations.qlref | 1 +
 tests/csharp-tests/CWE-916/options | 1 +
 7 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 tests/csharp-tests/CWE-916/Test.cs
 create mode 100644 tests/csharp-tests/CWE-916/WeakIterations.expected
 create mode 100644 tests/csharp-tests/CWE-916/WeakIterations.qlref
 create mode 100644 tests/csharp-tests/CWE-916/options

diff --git a/tests/.gitignore b/tests/.gitignore
index 16a637d4a92..42070f13d9f 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -1 +1,2 @@
-**/*.testproj
\ No newline at end of file
+**/*.testproj
+**/*.actual
diff --git a/tests/csharp-tests/CWE-760/HardcodedSalt.expected b/tests/csharp-tests/CWE-760/HardcodedSalt.expected
index e69de29bb2d..bdd849652ed 100644
--- a/tests/csharp-tests/CWE-760/HardcodedSalt.expected
+++ b/tests/csharp-tests/CWE-760/HardcodedSalt.expected
@@ -0,0 +1,18 @@
+edges
+| Test.cs:13:16:13:55 | call to method GetBytes : Byte[] | Test.cs:14:49:14:52 | access to local variable salt |
+| Test.cs:13:39:13:54 | "Hardcoded Salt" : String | Test.cs:13:16:13:55 | call to method GetBytes : Byte[] |
+| Test.cs:23:12:23:28 | "Hardcoded Salt2" : String | Test.cs:29:39:29:63 | call to method generateSalt : String |
+| Test.cs:29:16:29:64 | call to method GetBytes : Byte[] | Test.cs:30:49:30:52 | access to local variable salt |
+| Test.cs:29:39:29:63 | call to method generateSalt : String | Test.cs:29:16:29:64 | call to method GetBytes : Byte[] |
+nodes
+| Test.cs:13:16:13:55 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| Test.cs:13:39:13:54 | "Hardcoded Salt" : String | semmle.label | "Hardcoded Salt" : String |
+| Test.cs:14:49:14:52 | access to local variable salt | semmle.label | access to local variable salt |
+| Test.cs:23:12:23:28 | "Hardcoded Salt2" : String | semmle.label | "Hardcoded Salt2" : String |
+| Test.cs:29:16:29:64 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
+| Test.cs:29:39:29:63 | call to method generateSalt : String | semmle.label | call to method generateSalt : String |
+| Test.cs:30:49:30:52 | access to local variable salt | semmle.label | access to local variable salt |
+subpaths
+#select
+| Test.cs:14:49:14:52 | access to local variable salt | Test.cs:13:39:13:54 | "Hardcoded Salt" : String | Test.cs:14:49:14:52 | access to local variable salt | Use of $@. | Test.cs:13:39:13:54 | "Hardcoded Salt" | hardcoded salt |
+| Test.cs:30:49:30:52 | access to local variable salt | Test.cs:23:12:23:28 | "Hardcoded Salt2" : String | Test.cs:30:49:30:52 | access to local variable salt | Use of $@. | Test.cs:23:12:23:28 | "Hardcoded Salt2" | hardcoded salt |
diff --git a/tests/csharp-tests/CWE-760/Test.cs b/tests/csharp-tests/CWE-760/Test.cs
index 66d99c33782..a68507404f5 100644
--- a/tests/csharp-tests/CWE-760/Test.cs
+++ b/tests/csharp-tests/CWE-760/Test.cs
@@ -12,5 +12,21 @@ public void Test1() {
 // BAD: Static String
 var salt = Encoding.UTF8.GetBytes("Hardcoded Salt");
 var hash = new Rfc2898DeriveBytes(password, salt);
+
+ // Good: Randomly generated byte array
+ var randonSalt = new byte[16];
+ RandomNumberGenerator.Create().GetBytes(randonSalt);
+ var hash_safe = new Rfc2898DeriveBytes(password, randonSalt);
+ }
+
+ public static string generateSalt() {
+ return "Hardcoded Salt2";
+ }
+ public void Test2() {
+ string password = "TestPassword2";
+
+ // BAD: Static String
+ var salt = Encoding.UTF8.GetBytes(StaticSalt.generateSalt());
+ var hash = new Rfc2898DeriveBytes(password, salt);
 }
 }
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-916/Test.cs b/tests/csharp-tests/CWE-916/Test.cs
new file mode 100644
index 00000000000..e15c5785b4c
--- /dev/null
+++ b/tests/csharp-tests/CWE-916/Test.cs
@@ -0,0 +1,26 @@
+using System;
+using System.IO;
+using System.Text;
+using System.Runtime.Serialization;
+using System.Security.Cryptography;
+using System.Security.Permissions;
+
+public class StaticSalt {
+ public void Test1() {
+ string password = "TestPassword";
+ var randonSalt = new byte[16];
+ RandomNumberGenerator.Create().GetBytes(randonSalt);
+
+
+ // BAD: Default (1000)
+ var hash = new Rfc2898DeriveBytes(password, randonSalt);
+
+ // BAD: Static int
+ var hash2 = new Rfc2898DeriveBytes(password, randonSalt, 1000);
+
+
+
+ // Good: High interations
+ var hash_safe = new Rfc2898DeriveBytes(password, randonSalt, 100000);
+ }
+}
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-916/WeakIterations.expected b/tests/csharp-tests/CWE-916/WeakIterations.expected
new file mode 100644
index 00000000000..c41066ae3a7
--- /dev/null
+++ b/tests/csharp-tests/CWE-916/WeakIterations.expected
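Review bot: The case labelled `// Good: Randomly generated byte array` constructs `new Rfc2898DeriveBytes(password, randonSalt)` with no iteration count, and the CWE-916 fixture added in this same commit labels that exact two-argument call `// BAD: Default (1000)`, so the hardcoded-salt test's "good" example is the weak-iterations test's bad one. Make the safe case unambiguously safe with `var hash_safe = new Rfc2898DeriveBytes(password, randomSalt, 100000, HashAlgorithmName.SHA256);` (omit the `HashAlgorithmName` argument if the target framework predates that overload), which also avoids a spurious result should both queries ever run over one fixture. While here, `randonSalt` reads as a typo for `randomSalt`, and `generateSalt` would be `GenerateSalt` under C# method naming. Test2's flow through a method return value is a useful interprocedural case, and the `.expected` file in this commit confirms it is reported.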
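Review bot: The comment `// BAD: Default (1000)` on line 16 promises a finding for the two-argument `Rfc2898DeriveBytes(password, randonSalt)` constructor, but `WeakIterations.expected` in this same commit lists only the literal `1000` at line 19, so the default-iteration case is either not detected by the query or not asserted by this test and currently passes silently. Either extend the query to flag constructor overloads that omit the iteration count, or reword the comment to `// BAD (not detected yet): 2-arg ctor defaults to 1000 iterations` so the gap is explicit. The `// Good: High interations` case still relies on the constructor's default PRF (HMAC-SHA1 in the three-argument overload); `new Rfc2898DeriveBytes(password, randonSalt, 100000, HashAlgorithmName.SHA256)` would keep the "good" example current where that overload is available, and `interations`/`randonSalt` are typos. `System.IO`, `System.Runtime.Serialization` and `System.Security.Permissions` are unused in this file and can be dropped.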
@@ -0,0 +1,6 @@
+edges
+nodes
+| Test.cs:19:62:19:65 | 1000 | semmle.label | 1000 |
+subpaths
+#select
+| Test.cs:19:62:19:65 | 1000 | Test.cs:19:62:19:65 | 1000 | Test.cs:19:62:19:65 | 1000 | Use of $@. | Test.cs:19:62:19:65 | 1000 | hardcoded weak iterations |
diff --git a/tests/csharp-tests/CWE-916/WeakIterations.qlref b/tests/csharp-tests/CWE-916/WeakIterations.qlref
new file mode 100644
index 00000000000..194cb7eaf31
--- /dev/null
+++ b/tests/csharp-tests/CWE-916/WeakIterations.qlref
@@ -0,0 +1 @@
+CWE-916/WeakIterations.ql
\ No newline at end of file
diff --git a/tests/csharp-tests/CWE-916/options b/tests/csharp-tests/CWE-916/options
new file mode 100644
index 00000000000..f2f776d1181
--- /dev/null
+++ b/tests/csharp-tests/CWE-916/options
@@ -0,0 +1 @@
+semmle-extractor-options: /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll