-
Notifications
You must be signed in to change notification settings - Fork 231
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create rule S5344: Passwords should not be stored in plain-text or wi…
…th a fast hashing algorithm (Part 1) (#9278)
- Loading branch information
1 parent
89eca87
commit ef727d3
Showing
12 changed files
with
846 additions
and
1 deletion.
There are no files selected for viewing
16 changes: 16 additions & 0 deletions
16
analyzers/its/expected/ManuallyAddedNoncompliantIssues.CS/S5344-NetFramework48.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "Issues": [ | ||
| { | ||
| "Id": "S5344", | ||
| "Message": "Use at least 100,000 iterations and a state-of-the-art digest algorithm here.", | ||
| "Uri": "https://github.com/SonarSource/sonar-dotnet/blob/master/analyzers/its/Projects/ManuallyAddedNoncompliantIssues.CS/NetFramework48/HashesShouldHaveUnpredictableSaltTest.cs#L21", | ||
| "Location": "Line 21 Position 13-64" | ||
| }, | ||
| { | ||
| "Id": "S5344", | ||
| "Message": "Use at least 100,000 iterations and a state-of-the-art digest algorithm here.", | ||
| "Uri": "https://github.com/SonarSource/sonar-dotnet/blob/master/analyzers/its/Projects/ManuallyAddedNoncompliantIssues.CS/NetFramework48/HashesShouldHaveUnpredictableSaltTest.cs#L26", | ||
| "Location": "Line 26 Position 13-63" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| { | ||
| "Issues": [ | ||
| { | ||
| "Id": "S5344", | ||
| "Message": "Use at least 100,000 iterations and a state-of-the-art digest algorithm here.", | ||
| "Uri": "https://github.com/SonarSource/sonar-dotnet/blob/master/analyzers/its/Projects/Nancy/src/Nancy/Cryptography/PassphraseKeyGenerator.cs#L31", | ||
| "Location": "Line 31 Position 29-81" | ||
| } | ||
| ] | ||
| } |
10 changes: 10 additions & 0 deletions
10
analyzers/its/expected/Nancy/S5344-Nancy-netstandard2.0.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| { | ||
| "Issues": [ | ||
| { | ||
| "Id": "S5344", | ||
| "Message": "Use at least 100,000 iterations and a state-of-the-art digest algorithm here.", | ||
| "Uri": "https://github.com/SonarSource/sonar-dotnet/blob/master/analyzers/its/Projects/Nancy/src/Nancy/Cryptography/PassphraseKeyGenerator.cs#L31", | ||
| "Location": "Line 31 Position 29-81" | ||
| } | ||
| ] | ||
| } |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| { | ||
| "title": "Passwords should not be stored in plaintext or with a fast hashing algorithm", | ||
| "type": "VULNERABILITY", | ||
| "code": { | ||
| "impacts": { | ||
| "SECURITY": "HIGH" | ||
| }, | ||
| "attribute": "TRUSTWORTHY" | ||
| }, | ||
| "status": "ready", | ||
| "remediation": { | ||
| "func": "Constant\/Issue", | ||
| "constantCost": "30min" | ||
| }, | ||
| "tags": [ | ||
| "cwe", | ||
| "spring" | ||
| ], | ||
| "defaultSeverity": "Critical", | ||
| "ruleSpecification": "RSPEC-5344", | ||
| "sqKey": "S5344", | ||
| "scope": "Main", | ||
| "securityStandards": { | ||
| "CWE": [ | ||
| 256, | ||
| 916 | ||
| ], | ||
| "OWASP": [ | ||
| "A3" | ||
| ], | ||
| "OWASP Top 10 2021": [ | ||
| "A2", | ||
| "A4" | ||
| ], | ||
| "PCI DSS 3.2": [ | ||
| "6.5.3" | ||
| ], | ||
| "PCI DSS 4.0": [ | ||
| "6.2.4" | ||
| ], | ||
| "ASVS 4.0": [ | ||
| "2.10.3", | ||
| "2.4.1", | ||
| "2.4.2", | ||
| "2.4.3", | ||
| "2.4.4", | ||
| "2.4.5" | ||
| ], | ||
| "STIG ASD 2023-06-08": [ | ||
| "V-222542" | ||
| ] | ||
| }, | ||
| "quickfix": "unknown" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -267,6 +267,7 @@ | |
| "S5042", | ||
| "S5122", | ||
| "S5332", | ||
| "S5344", | ||
| "S5443", | ||
| "S5445", | ||
| "S5542", | ||
|
|
||
137 changes: 137 additions & 0 deletions
137
analyzers/src/SonarAnalyzer.CSharp/Rules/PasswordsShouldBeStoredCorrectly.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| /* | ||
| * SonarAnalyzer for .NET | ||
| * Copyright (C) 2015-2024 SonarSource SA | ||
| * mailto: contact AT sonarsource DOT com | ||
| * | ||
| * This program is free software; you can redistribute it and/or | ||
| * modify it under the terms of the GNU Lesser General Public | ||
| * License as published by the Free Software Foundation; either | ||
| * version 3 of the License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| * Lesser General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Lesser General Public License | ||
| * along with this program; if not, write to the Free Software Foundation, | ||
| * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | ||
| */ | ||
|
|
||
| using SonarAnalyzer.Helpers.Trackers; | ||
|
|
||
| namespace SonarAnalyzer.Rules.CSharp; | ||
|
|
||
| [DiagnosticAnalyzer(LanguageNames.CSharp)] | ||
| public sealed class PasswordsShouldBeStoredCorrectly : SonarDiagnosticAnalyzer | ||
| { | ||
| private const string DiagnosticId = "S5344"; | ||
| private const string MessageFormat = "{0}"; | ||
| private const string UseMoreIterationsMessageFormat = "Use at least 100,000 iterations here."; | ||
| private const int IterationCountThreshold = 100_000; | ||
|
|
||
| private static readonly DiagnosticDescriptor Rule = DescriptorFactory.Create(DiagnosticId, MessageFormat); | ||
|
|
||
| public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule); | ||
|
|
||
| protected override void Initialize(SonarAnalysisContext context) | ||
| { | ||
| NetCore(context); | ||
| Rfc2898DeriveBytes(context); | ||
| BouncyCastle(context); | ||
| } | ||
|
|
||
| private static void NetCore(SonarAnalysisContext context) | ||
| { | ||
| var propertyTracker = CSharpFacade.Instance.Tracker.PropertyAccess; | ||
| Track( | ||
| propertyTracker, | ||
| context, | ||
| UseMoreIterationsMessageFormat, | ||
| propertyTracker.MatchSetter(), | ||
| propertyTracker.MatchProperty(new MemberDescriptor(KnownType.Microsoft_AspNetCore_Identity_PasswordsHasherOptions, "IterationCount")), | ||
| x => HasFewIterations(x, propertyTracker)); | ||
| Track( | ||
| propertyTracker, | ||
| context, | ||
| "Identity v2 uses only 1000 iterations. Consider changing to identity V3.", | ||
| propertyTracker.MatchSetter(), | ||
| propertyTracker.MatchProperty(new MemberDescriptor(KnownType.Microsoft_AspNetCore_Identity_PasswordsHasherOptions, "CompatibilityMode")), | ||
| x => propertyTracker.AssignedValue(x) is int mode && mode == 0); // PasswordHasherCompatibilityMode.IdentityV2 results to 0 | ||
|
|
||
| var argumentTracker = CSharpFacade.Instance.Tracker.Argument; | ||
| Track( | ||
| argumentTracker, | ||
| context, | ||
| UseMoreIterationsMessageFormat, | ||
| argumentTracker.MatchArgument(ArgumentDescriptor.MethodInvocation(KnownType.Microsoft_AspNetCore_Cryptography_KeyDerivation_KeyDerivation, "Pbkdf2", "iterationCount", 3)), | ||
| x => ArgumentLessThan(x, IterationCountThreshold)); | ||
| } | ||
|
|
||
| private static void Rfc2898DeriveBytes(SonarAnalysisContext context) | ||
| { | ||
| // Raise when hashAlgorithm is present | ||
| var argumentTracker = CSharpFacade.Instance.Tracker.Argument; | ||
| // Exclude the constructors that have a hashAlgorithm parameter | ||
| var constructorArgument = ArgumentDescriptor.ConstructorInvocation( | ||
| ctor => ctor.ContainingType.Is(KnownType.System_Security_Cryptography_Rfc2898DeriveBytes) && ctor.Parameters.Any(x => x.Name == "hashAlgorithm"), | ||
| (methodName, comparison) => string.Compare(methodName, "Rfc2898DeriveBytes", comparison) == 0, | ||
| null, | ||
| x => x.Name == "iterations", | ||
| null, | ||
| null); | ||
| var invocationArgument = ArgumentDescriptor.MethodInvocation(KnownType.System_Security_Cryptography_Rfc2898DeriveBytes, "Pbkdf2", "iterations", x => x is 2 or 3); | ||
| Track( | ||
| argumentTracker, | ||
| context, | ||
| UseMoreIterationsMessageFormat, | ||
| argumentTracker.Or( | ||
| argumentTracker.MatchArgument(constructorArgument), | ||
| argumentTracker.MatchArgument(invocationArgument)), | ||
| x => ArgumentLessThan(x, IterationCountThreshold)); | ||
|
|
||
| // Raise when hashAlgorithm is NOT present | ||
| var objectCreationTracker = CSharpFacade.Instance.Tracker.ObjectCreation; | ||
| Track( | ||
| objectCreationTracker, | ||
| context, | ||
| "Use at least 100,000 iterations and a state-of-the-art digest algorithm here.", | ||
| objectCreationTracker.MatchConstructor(KnownType.System_Security_Cryptography_Rfc2898DeriveBytes), | ||
| x => x.InvokedConstructorSymbol.Value.Parameters.All(x => x.Name != "hashAlgorithm")); | ||
| } | ||
|
|
||
| private static void BouncyCastle(SonarAnalysisContext context) | ||
| { | ||
| var tracker = CSharpFacade.Instance.Tracker.Argument; | ||
|
|
||
| Track( | ||
| tracker, | ||
| context, | ||
| "Use a cost factor of at least 12 here.", | ||
| tracker.Or( | ||
| tracker.MatchArgument(ArgumentDescriptor.MethodInvocation(KnownType.Org_BouncyCastle_Crypto_Generators_OpenBsdBCrypt, "Generate", "cost", x => x is 2 or 3)), | ||
| tracker.MatchArgument(ArgumentDescriptor.MethodInvocation(KnownType.Org_BouncyCastle_Crypto_Generators_BCrypt, "Generate", "cost", 2))), | ||
| x => ArgumentLessThan(x, 12)); | ||
|
|
||
| Track( | ||
| tracker, | ||
| context, | ||
| UseMoreIterationsMessageFormat, | ||
| tracker.MatchArgument(ArgumentDescriptor.MethodInvocation(KnownType.Org_BouncyCastle_Crypto_PbeParametersGenerator, "Init", "iterationCount", 2)), | ||
| x => ArgumentLessThan(x, IterationCountThreshold)); | ||
| } | ||
|
|
||
| private static bool HasFewIterations(PropertyAccessContext context, PropertyAccessTracker<SyntaxKind> tracker) => | ||
| tracker.AssignedValue(context) is int iterationCount | ||
| && iterationCount < IterationCountThreshold; | ||
|
|
||
| private static bool ArgumentLessThan(ArgumentContext context, int threshold) => | ||
| context.SemanticModel.GetConstantValue(((ArgumentSyntax)context.Node).Expression) is { HasValue: true, Value: int value } | ||
| && value < threshold; | ||
|
|
||
| private static void Track<TContext>(SyntaxTrackerBase<SyntaxKind, TContext> tracker, | ||
| SonarAnalysisContext context, | ||
| string message, | ||
| params SyntaxTrackerBase<SyntaxKind, TContext>.Condition[] conditions) where TContext : SyntaxBaseContext => | ||
| tracker.Track(new(context, AnalyzerConfiguration.AlwaysEnabled, Rule), [message], conditions); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.