From acd228363dffc191a094b906fea999653609fd78 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sun, 14 Apr 2024 14:46:02 -0700 Subject: [PATCH] Weak hash and weak random Java rules need to guard from none (#426) The algorithm string might have a None value if the parser cannot determine its actual value. For example, in the added testcase, if a value goes through a Properties class, the parser does track this value. Signed-off-by: Eric Brown --- .../java/stdlib/java_security_weak_hash.py | 2 +- .../java/stdlib/java_security_weak_random.py | 2 +- .../examples/MessageDigestMD5Property.java | 18 ++++++++++++++++++ .../stdlib/java_security/test_weak_hash.py | 1 + 4 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java diff --git a/precli/rules/java/stdlib/java_security_weak_hash.py b/precli/rules/java/stdlib/java_security_weak_hash.py index 844a0ee4..d93574d0 100644 --- a/precli/rules/java/stdlib/java_security_weak_hash.py +++ b/precli/rules/java/stdlib/java_security_weak_hash.py @@ -95,7 +95,7 @@ def analyze_method_invocation(self, context: dict, call: Call) -> Result: argument = call.get_argument(position=0) algorithm = argument.value_str - if algorithm.upper() not in WEAK_HASHES: + if algorithm is None or algorithm.upper() not in WEAK_HASHES: return fixes = Rule.get_fixes( diff --git a/precli/rules/java/stdlib/java_security_weak_random.py b/precli/rules/java/stdlib/java_security_weak_random.py index adaaa81b..d2814766 100644 --- a/precli/rules/java/stdlib/java_security_weak_random.py +++ b/precli/rules/java/stdlib/java_security_weak_random.py @@ -92,7 +92,7 @@ def analyze_method_invocation(self, context: dict, call: Call) -> Result: argument = call.get_argument(position=0) algorithm = argument.value_str - if algorithm.upper() != "SHA1PRNG": + if algorithm is None or algorithm.upper() != "SHA1PRNG": return fixes = Rule.get_fixes( diff --git a/tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java b/tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java new file mode 100644 index 00000000..b1aa265a --- /dev/null +++ b/tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5Property.java @@ -0,0 +1,18 @@ +// level: NONE +// False negative +import java.security.*; +import java.util.*; + + +public class MessageDigestMD5 { + public static void main(String[] args) { + try { + Properties hashProps = new Properties(); + hashProps.setProperty("hashMd5", "MD5") + String algorithm = hashProps.getProperty("hashMd5", "SHA256"); + MessageDigest md = MessageDigest.getInstance(algorithm); + } catch (NoSuchAlgorithmException e) { + System.err.println("MD5 hashing algorithm not available."); + } + } +} diff --git a/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py b/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py index 5e462c34..6e682dc9 100644 --- a/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py +++ b/tests/unit/rules/java/stdlib/java_security/test_weak_hash.py @@ -40,6 +40,7 @@ def test_rule_meta(self): [ "MessageDigestMD2.java", "MessageDigestMD5.java", + "MessageDigestMD5Property.java", "MessageDigestSHA1.java", "MessageDigestSHA256.java", ]