Skip to content

JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…#12825

Merged
asgerf merged 5 commits intogithub:mainfrom
smiddy007:JS-Allow-Truncated-Hash-Forge-NonKeyCipher
May 2, 2023
Merged

JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…#12825
asgerf merged 5 commits intogithub:mainfrom
smiddy007:JS-Allow-Truncated-Hash-Forge-NonKeyCipher

Conversation

@smiddy007
Copy link
Copy Markdown
Contributor

@smiddy007 smiddy007 commented Apr 14, 2023

The Forge module in CryptoLibraries.qll now correctly classifies SHA-512/224, SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.

Purpose was to match the following code in InsufficientPasswordHash.ql
var hasher = forge.md.sha512.sha256.create();
var hashed = hasher.update(password); // BAD

However, SHA512224, SHA512256, AND SHA512384 are not include in the CryptoAlgorithmNames.qll file. Something else may need to be updated so that the algorithm reflected in message digest is the truncated hash, instead of just SHA512.

@smiddy007 smiddy007 requested a review from a team as a code owner April 14, 2023 03:24
@github-actions github-actions Bot added the JS label Apr 14, 2023
@owen-mc owen-mc changed the title Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr… JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr… Apr 14, 2023
asgerf
asgerf approved these changes Apr 14, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! 👍

asgerf
asgerf requested changes Apr 14, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually there seems to be some issues with the change note. Otherwise looks good

Comment thread javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash Outdated
@erik-krogh
Copy link
Copy Markdown
Contributor

erik-krogh commented Apr 14, 2023

There is also a format issue in CryptoLibraries.qll.

You can run the auto-formatter either in VSCode (ctrl+shift+p: format document),
or with the command-line: codeql query format -i <path-to-CryptoLibraries.qll>.

@smiddy007 smiddy007 requested a review from asgerf April 19, 2023 17:52
@asgerf asgerf merged commit 67afbee into github:main May 2, 2023
@asgerf
Copy link
Copy Markdown
Contributor

asgerf commented May 2, 2023

Thanks for the contribution @smiddy007! Sorry it took this long to get it merged

@smiddy007 smiddy007 deleted the JS-Allow-Truncated-Hash-Forge-NonKeyCipher branch May 2, 2023 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asgerf asgerf asgerf approved these changes

Assignees

No one assigned

Labels

documentation JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@smiddy007 @erik-krogh @asgerf