From ec97cdc8a0206fc76ef3ca48b92ee8a043880c7a Mon Sep 17 00:00:00 2001 From: smiddy007 <70818821+smiddy007@users.noreply.github.com> Date: Thu, 13 Apr 2023 23:16:20 -0400 Subject: [PATCH 1/3] Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS library. --- .../lib/change-notes/2023-04-13-Forge-truncated-sha512-hash | 5 +++++ .../ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll | 4 ++++ 2 files changed, 9 insertions(+) create mode 100644 javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash diff --git a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash new file mode 100644 index 000000000000..391b0bb71091 --- /dev/null +++ b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224, +* SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers. \ No newline at end of file diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll index 2fab10eacac4..00332b6530e8 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll @@ -627,6 +627,10 @@ private module Forge { // require("forge").md.md5.create().update('The quick brown fox jumps over the lazy dog'); this = getAnImportNode().getMember("md").getMember(algorithmName).getMember("create").getACall() + or + // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog'); + this = + getAnImportNode().getMember("md").getMember(algorithmName).getAMember().getMember("create").getACall() ) } From 31b56bf9660d7c7a5738cd9dd806086da1b947ef Mon Sep 17 00:00:00 2001 From: smiddy007 <70818821+smiddy007@users.noreply.github.com> Date: Wed, 19 Apr 2023 13:32:23 -0400 Subject: [PATCH 2/3] Update javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash Co-authored-by: Asger F --- .../ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash index 391b0bb71091..1d2bfc9a8f96 100644 --- a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash +++ b/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash @@ -2,4 +2,4 @@ category: minorAnalysis --- * The Forge module in `CryptoLibraries.qll` now correctly classifies SHA-512/224, -* SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers. \ No newline at end of file + SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers. \ No newline at end of file From 4f7275f064bbdbf6745a507cd9a27ede6d19d912 Mon Sep 17 00:00:00 2001 From: smiddy007 <70818821+smiddy007@users.noreply.github.com> Date: Wed, 19 Apr 2023 13:39:18 -0400 Subject: [PATCH 3/3] Reformat doc and move change note --- .../lib/semmle/javascript/frameworks/CryptoLibraries.qll | 7 ++++++- .../2023-04-13-Forge-truncated-sha512-hash.md} | 0 2 files changed, 6 insertions(+), 1 deletion(-) rename javascript/ql/{lib/change-notes/2023-04-13-Forge-truncated-sha512-hash => src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md} (100%) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll index 00332b6530e8..e5425b2fb880 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll @@ -630,7 +630,12 @@ private module Forge { or // require("forge").sha512.sha256.create().update('The quick brown fox jumps over the lazy dog'); this = - getAnImportNode().getMember("md").getMember(algorithmName).getAMember().getMember("create").getACall() + getAnImportNode() + .getMember("md") + .getMember(algorithmName) + .getAMember() + .getMember("create") + .getACall() ) } diff --git a/javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash b/javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md similarity index 100% rename from javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash rename to javascript/ql/src/change-notes/2023-04-13-Forge-truncated-sha512-hash.md