additional weak hash cases, initial queries for cipher mode and KDF alg

chanel-y · chanel-y · commit 0469eac7a18c · 2026-01-21T11:09:37.000-08:00
diff --git a/powershell/ql/src/queries/security/cwe-327/ApprovedCipherMode.ql b/powershell/ql/src/queries/security/cwe-327/ApprovedCipherMode.ql
@@ -0,0 +1,57 @@
+/**
+ * @name Use of a weak cipher mode
+ * @description Using weak cipher modes such as ECB or OFB can compromise the security of encrypted data.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/weak-cipher-mode
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.TaintTracking
+import semmle.code.powershell.dataflow.DataFlow
+
+class WeakCipherMode extends API::Node {
+    WeakCipherMode() {
+            this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("ciphermode").getMember("cbc")
+    }
+}
+
+module WeakCipherModeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { 
+    exists(WeakCipherMode wcm | source = wcm.asSource())
+}
+
+  predicate isSink(DataFlow::Node sink) { any() }
+
+}
+
+module CommandInjectionFlow = TaintTracking::Global<WeakCipherModeConfig>;
+
+
+
+//dataflow from WeakCipherMode to Mode property of System.Security.Cryptography.Aes object!  
+
+from DataFlow::Node mode 
+where mode = API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember("aes")
+            .getMember("mode")
+            .asSink()
+// select mode, "mode member of aes"
+
+from API::Node item 
+select item, "node"
+
+
+// from API::Node sink
+// where sink = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("ciphermode").getMember("cbc")
+// select sink, sink.asSource()
+
+// from InvokeEncryptModeArgument a 
+// select a, "Use of weak cipher mode in encryption."
diff --git a/powershell/ql/src/queries/security/cwe-327/ObsoleteKDFAlgorithm.ql b/powershell/ql/src/queries/security/cwe-327/ObsoleteKDFAlgorithm.ql
@@ -0,0 +1,58 @@
+/**
+ * @name Use of obsolete Key Derivation Function (KDF) algorithm
+ * @description Using obsolete or weak KDF algorithms like PasswordDeriveBytes (PBKDF1) 
+ *              instead of secure alternatives like Rfc2898DeriveBytes (PBKDF2) can 
+ *              compromise password security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/obsolete-kdf-algorithm
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ *       cryptography
+ */
+
+import powershell
+
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+
+class CryptDeriveKeyCall extends DataFlow::CallNode {
+    CryptDeriveKeyCall() {
+        this = API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember("passwordderivebytes")
+            .getMember("cryptderivekey")
+            .asCall()
+            or 
+        this = API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember("rfc2898derivebytes")
+            .getMember("cryptderivekey")
+            .asCall()
+    }
+}
+
+// from DataFlow::CallNode cn 
+// where
+//     cn instanceof CryptDeriveKeyCall
+// select cn, "Use of obsolete Crypto API. Consider using Rfc2898DeriveBytes (PBKDF2) or a more modern alternative like Argon2."
+
+// from DataFlow::CallNode cn 
+// select cn, "cn"
+// from CryptDeriveKeyCall cn
+// select cn, "Use of obsolete KDF algorithm PasswordDeriveBytes (PBKDF1). Consider using Rfc2898DeriveBytes (PBKDF2) or a more modern alternative like Argon2."
+
+from DataFlow::CallNode apiNode
+where 
+apiNode = API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember("passwordderivebytes")
+            .getMember("cryptderivekey").asCall()
+select apiNode, "node"
diff --git a/powershell/ql/src/queries/security/cwe-327/WeakHashes.ql b/powershell/ql/src/queries/security/cwe-327/WeakHashes.ql
@@ -27,14 +27,9 @@ class WeakHashAlgorithmObjectCreation extends DataFlow::ObjectCreationNode {
 
 class WeakHashAlgorithmObjectCreate extends DataFlow::CallNode {
     WeakHashAlgorithmObjectCreate() {
-        // System.Security.Cryptography.MD5
-        this = API::getTopLevelMember("system")
-        .getMember("security")
-        .getMember("cryptography")
-        .getMember("md5")
-        .getMember("create")
-        .asCall() 
-    }
+        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("md5").getMember("create").asCall() or
+        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("sha1").getMember("create").asCall() 
+  }
 }
 
 class ComputeHashSink extends DataFlow::Node {
@@ -47,12 +42,22 @@ class ComputeHashSink extends DataFlow::Node {
         cn.getQualifier().getALocalSource() = ocn and 
         cn.getLowerCaseName() = "computehash" and
         cn.getAnArgument() = this
-    )
+      )
     }
 }
 
+class CreateFromNameSink extends DataFlow::CallNode {
+  CreateFromNameSink(){
+      this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("cryptoconfig").getMember("createfromname").asCall() and 
+      this.getAnArgument().asExpr().getValue().asString() = "System.Security.Cryptography.MD5" or
+      this.getAnArgument().asExpr().getValue().asString() = "MD5" 
+        
+  }
+}
+
 from DataFlow::Node sink 
 where sink instanceof ComputeHashSink or 
 sink instanceof WeakHashAlgorithmObjectCreation or 
-sink instanceof WeakHashAlgorithmObjectCreate
+sink instanceof WeakHashAlgorithmObjectCreate or 
+sink instanceof CreateFromNameSink
 select sink, "Use of weak cryptographic hash algorithm."
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1 b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1
@@ -20,6 +20,16 @@ $sha1ProviderHash = $sha1Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBy
 $sha1Managed = New-Object System.Security.Cryptography.SHA1Managed
 $sha1ManagedHash = $sha1Managed.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("data"))
 
+# BAD: HMACMD5 uses weak MD5
+$md5hmac = New-Object System.Security.Cryptography.HMACMD5
+
+# BAD: Creating weak hash algorithms from name
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("MD5")
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.MD5")
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("SHA1")
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.SHA1")
+
+
 # ---------------------------------------------------------
 # GOOD: Safe usage of cryptographically secure algorithms
 # ---------------------------------------------------------
