New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Swift: Query for Use of an inappropriate cryptographic hashing algorithm on passwords #15122
base: main
Are you sure you want to change the base?
Conversation
… (naming consistency, remove unused import).
…ed a password / key rather than a miscellaneous credential.
…g but not for password hashing.
|
QHelp previews: swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.qhelpUse of an inappropriate cryptographic hashing algorithm on passwordsUsing a insufficiently computationally hard hash function can leave data vulnerable, and should not be used for password hashing. A strong cryptographic hash function should be resistant to:
Password hashing algorithms are designed to be slow and/or memory intenstive to compute, which makes brute force attacks more difficult. RecommendationEnsure that for password storage you should use a computationally hard cryptographic hash function, such as:
ExampleThe following examples show a function that hashes a password using a cryptographic hashing algorithm. In the first case the SHA-512 hashing algorithm is used. It is vulnerable to offline brute force attacks: Here is the same function using Argon2, which is suitable for password hashing: References
|
|
DCA shows 4 result changes:
The run also shows some "interesting" rows for stage timings, which look like they might be an unintended result of changes to the DCA rules (i.e. they shouldn't be flagged?). Overall analysis time is fine. I will look into this next year and most likely do another DCA run to confirm. |
New query for Use of an inappropriate cryptographic hashing algorithm on passwords.
This query is designed to be used alongside the existing
swift/weak-sensitive-data-hashingquery, and I've made some adjustments to that query to avoid duplication and to make sure results are reported by the most appropriate query. Previously:Now:
To do this I had to make passwords an explicit kind of sensitive data in Swift (
SensitivePassword), and I added MAD syntax for it (sensitive-password). I also fixed the sensitive data regular expressions for mobile phone numbers, added a couple of missing sinks for sensitive data hashing, and made some class names consistent while I was working in this area.TODO: