
Commit 4860034

committed
Crypto: Weak Hash test cases update and expected file.
1 parent 25599e9 commit 4860034


2 files changed

+24
-10
lines changed

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
#select
2+
| WeakHashing.java:15:55:15:83 | HashAlgorithm | Use of unapproved hash algorithm or API: MD5. |
3+
| WeakHashing.java:18:56:18:95 | HashAlgorithm | Use of unapproved hash algorithm or API: MD5. |
4+
| WeakHashing.java:21:86:21:90 | HashAlgorithm | Use of unapproved hash algorithm or API: MD5. |
5+
| WeakHashing.java:24:56:24:62 | HashAlgorithm | Use of unapproved hash algorithm or API: SHA1. |
6+
| WeakHashing.java:34:56:34:96 | HashAlgorithm | Use of unapproved hash algorithm or API: MD5. |
7+
testFailures
8+
| WeakHashing.java:27:125:27:133 | // $Alert | Missing result: Alert |
9+
| WeakHashing.java:40:111:40:119 | // $Alert | Missing result: Alert |

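--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java
@@ -12,33 +12,38 @@ void hashing() throws NoSuchAlgorithmException, IOException {
 props.load(new FileInputStream("example.properties"));
 
 // BAD: Using a weak hashing algorithm even with a secure default
-MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1"));
+MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/weak-hash]
 
 // BAD: Using a weak hashing algorithm even with a secure default
-MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256"));
+MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/weak-hash]
 
 // BAD: Using a strong hashing algorithm but with a weak default
-MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));
+MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/weak-hash]
+
+// BAD: Using a weak hash
+MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/weak-hash]
 
 // BAD: Property does not exist and default (used value) is unknown
-MessageDigest bad4 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default"));
+MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/unknown-hash]
+
+java.util.Properties props2 = new java.util.Properties();
+
+props2.load(new FileInputStream("unobserved-file.properties"));
+
+// BAD: "hashalg1" is not visible in the file loaded for props2
+MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/weak-hash]
 
 // GOOD: Using a strong hashing algorithm
 MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
 
 // BAD?: Property does not exist (considered unknown) and but default is secure
-MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256"));
+MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/unknown-hash]
 
 // GOOD: Using a strong hashing algorithm
 MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
 
 // GOOD: Using a strong hashing algorithm
 MessageDigest ok4 = MessageDigest.getInstance("SHA384");
 
-props.load(new FileInputStream("unobserved-file.properties"));
-
-// BAD: "hashalg1" is not visible since the file isn't known, this is an 'unknown' hash
-// False positive/negative
-MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256"));
 }
 }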
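Review bot: The `// $Alert[java/quantum/unknown-hash]` annotations on `bad5` (new line 27) and `ok2` (new line 40) are not satisfied by this test: the accompanying expected file lists both as `Missing result: Alert` under `testFailures`, so the baseline pins two unmet expectations and the test will presumably pass while the unknown-hash cases go undetected. Either run the unknown-hash query in this test directory or mark the gap explicitly, e.g. `// $ MISSING: Alert[java/quantum/unknown-hash]`, so an accepted false negative can be told apart from a regression. Separately, `bad6` (new line 34) is expected to alert as weak-hash and the expected file reports MD5 there, although the comment above it says the key is not visible in the file loaded into `props2`; this looks like the `hashAlg1` value from `example.properties` being attributed to a different `Properties` object, which the removed comment called a false positive/negative. If that is so, `// $ SPURIOUS: Alert[java/quantum/weak-hash]` would record it as a known false positive rather than a true positive. The body of `hashing()` starts above the hunk.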
