Weak hash and weak random Java rules need to guard from none (#426)

The algorithm string might have a None value if the parser cannot determine its actual value. For example, in the added testcase, if a value goes through a Properties class, the parser does track this value. Signed-off-by: Eric Brown <eric.brown@securesauce.dev>
securesauce · Apr 14, 2024 · acd2283 · acd2283
1 parent 08973e1
commit acd2283
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 2 deletions.
diff --git a/precli/rules/java/stdlib/java_security_weak_hash.py b/precli/rules/java/stdlib/java_security_weak_hash.py
@@ -95,7 +95,7 @@ def analyze_method_invocation(self, context: dict, call: Call) -> Result:
         argument = call.get_argument(position=0)
         algorithm = argument.value_str
 
-        if algorithm.upper() not in WEAK_HASHES:
+        if algorithm is None or algorithm.upper() not in WEAK_HASHES:
             return
 
         fixes = Rule.get_fixes(

diff --git a/precli/rules/java/stdlib/java_security_weak_random.py b/precli/rules/java/stdlib/java_security_weak_random.py
@@ -92,7 +92,7 @@ def analyze_method_invocation(self, context: dict, call: Call) -> Result:
         argument = call.get_argument(position=0)
         algorithm = argument.value_str
 
-        if algorithm.upper() != "SHA1PRNG":
+        if algorithm is None or algorithm.upper() != "SHA1PRNG":
             return
 
         fixes = Rule.get_fixes(

diff --git a/tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java b/tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java
@@ -0,0 +1,18 @@
+// level: NONE
+// False negative
+import java.security.*;
+import java.util.*;
+
+
+public class MessageDigestMD5 {
+    public static void main(String[] args) {
+        try {
+            Properties hashProps = new Properties();
+            hashProps.setProperty("hashMd5", "MD5")
+            String algorithm = hashProps.getProperty("hashMd5", "SHA256");
+            MessageDigest md = MessageDigest.getInstance(algorithm);
+        } catch (NoSuchAlgorithmException e) {
+            System.err.println("MD5 hashing algorithm not available.");
+        }
+    }
+}
diff --git a/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py b/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py
@@ -40,6 +40,7 @@ def test_rule_meta(self):
         [
             "MessageDigestMD2.java",
             "MessageDigestMD5.java",
+            "MessageDigestMD5Property.java",
             "MessageDigestSHA1.java",
             "MessageDigestSHA256.java",
         ]