added unit tests for cipher mode, obsolete kdf alg, weak symmetric alg

Author: chanel-y

powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/ApprovedCipherMode.expected

@@ -0,0 +1 @@
+TODO

powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/ApprovedCipherMode.qlref

@@ -0,0 +1 @@
+queries/security/cwe-327/ApprovedCipherMode.ql

powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/Test.ps1

@@ -0,0 +1,16 @@
+
+$aes = [System.Security.Cryptography.Aes]::Create()
+
+$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
+
+#Setting weak modes via CipherMode enum
+$badMode = [System.Security.Cryptography.CipherMode]::OBC
+$aes.Mode = $badMode
+$aesManaged.Mode = $badMode
+
+$aes.Mode = [System.Security.Cryptography.CipherMode]::OBC
+$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::OBC
+
+# Setting weak modes directly
+$aes.Mode = "obc"
+$aesManaged.Mode = "obc"

powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.expected

@@ -0,0 +1,2 @@
+| ObsoleteKDFAlgorithm.ps1:27:16:27:65 | Call to cryptderivekey | Use of obsolete Crypto API. Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing |
+| ObsoleteKDFAlgorithm.ps1:56:16:56:65 | Call to cryptderivekey | Use of obsolete Crypto API. Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing |

powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.ps1

@@ -0,0 +1,68 @@
+# ObsoleteKDFAlgorithm.Tests.ps1
+# PowerShell version of ObsoleteKDFAlgorithm security tests
+# Tests for detection of obsolete key derivation algorithms
+
+using namespace System.Security.Cryptography
+
+<#
+.SYNOPSIS
+    Test PasswordDeriveBytes CryptDeriveKey - BAD: Uses obsolete algorithm PBKDF1
+#>
+function Test-PasswordDeriveBytesCryptDeriveKey {
+    [CmdletBinding()]
+    param()
+    
+    $password = "TestPassword123"
+    $salt = New-Object byte[] 8
+    $iv = New-Object byte[] 8
+    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
+    $rng.GetBytes($salt)
+    $rng.GetBytes($iv)
+    $rng.Dispose()
+    
+    # BAD: Using PasswordDeriveBytes.CryptDeriveKey
+    $pdb = New-Object System.Security.Cryptography.PasswordDeriveBytes($password, $salt)
+
+    try {
+        $key = $pdb.CryptDeriveKey("TripleDES", "SHA1", 192, $iv)
+        return $key
+    }
+    catch {
+        Write-Warning "CryptDeriveKey not available: $_"
+        return $null
+    }
+    finally {
+        $pdb.Dispose()
+    }
+}
+
+<#
+.SYNOPSIS
+    Test Rfc2898DeriveBytes usage - BAD: Uses obsolete algorithm PBKDF1
+#>
+function Test-Rfc2898DeriveBytes {
+    [CmdletBinding()]
+    param()
+    
+    $password = "TestPassword123"
+    $salt = New-Object byte[] 8
+    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
+    $rng.GetBytes($salt)
+    $rng.Dispose()
+    
+    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt)
+    
+    try {
+        $key = $kdf.CryptDeriveKey("TripleDES", "SHA1", 192, $iv)
+        return $key
+    }
+    catch {
+        Write-Warning "CryptDeriveKey not available: $_"
+        return $null
+    }
+    finally {
+        $kdf.Dispose()
+    }
+    
+    return $key
+}

powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.qlref

@@ -0,0 +1 @@
+queries/security/cwe-327/ObsoleteKDFAlgorithm.ql

powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.expected

@@ -0,0 +1,7 @@
+| WeakSymmetricAlgorithm.ps1:16:11:16:54 | Call to create | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:19:11:19:74 | Call to create | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:22:11:22:59 | Call to create | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:25:11:25:103 | Call to create | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:28:11:28:74 | Call to new-object | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:31:11:31:76 | Call to createfromname | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |
+| WeakSymmetricAlgorithm.ps1:67:12:67:75 | Call to new-object | Use of weak symmetric cryptographic algorithm. Consider using AES instead. |

powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.ps1

@@ -0,0 +1,120 @@
+# WeakSymmetricAlgorithm.Tests.ps1
+# PowerShell version of WeakSymmetricAlgorithm security tests
+# Tests for detection of weak symmetric encryption algorithm usage
+
+using namespace System.Security.Cryptography
+
+<#
+.SYNOPSIS
+    Test RC2 creation - BAD: RC2 is a weak symmetric algorithm
+#>
+function Test-CreateRC2 {
+    [CmdletBinding()]
+    param()
+    
+    # BAD: RC2 created
+    $r1 = [System.Security.Cryptography.RC2]::Create()
+    
+    # BAD: RC2 created via SymmetricAlgorithm
+    $r2 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("RC2")
+    
+    # BAD: RC2 created with explicit name
+    $r3 = [System.Security.Cryptography.RC2]::Create("RC2")
+    
+    # BAD: RC2 created with full type name
+    $r4 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("System.Security.Cryptography.RC2")
+    
+    # BAD: RC2CryptoServiceProvider created
+    $r5 = New-Object System.Security.Cryptography.RC2CryptoServiceProvider
+    
+    # BAD: RC2 created using CryptoConfig.CreateFromName
+    $r6 = [System.Security.Cryptography.CryptoConfig]::CreateFromName("RC2")
+    
+    return $r5
+}
+
+<#
+.SYNOPSIS
+    Test AES creation - GOOD: AES is an approved symmetric algorithm
+#>
+function Test-CreateAES {
+    [CmdletBinding()]
+    param()
+    
+    # GOOD: AES created
+    $a1 = [System.Security.Cryptography.Aes]::Create()
+    
+    # GOOD: AES created via SymmetricAlgorithm
+    $a2 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("AES")
+    
+    # GOOD: AES created with full type name
+    $a3 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("System.Security.Cryptography.Aes")
+    
+    return $a1
+}
+
+<#
+.SYNOPSIS
+    Test weak algorithm with encryption - BAD: Using DES for actual encryption
+#>
+function Test-EncryptWithDES {
+    [CmdletBinding()]
+    param(
+        [string]$PlainText = "Test data to encrypt"
+    )
+    
+    # BAD: Using DES for encryption
+    $des = New-Object System.Security.Cryptography.DESCryptoServiceProvider
+    $des.GenerateKey()
+    $des.GenerateIV()
+    
+    $encryptor = $des.CreateEncryptor()
+    $plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
+    
+    $ms = New-Object System.IO.MemoryStream
+    $cs = New-Object System.Security.Cryptography.CryptoStream($ms, $encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
+    $cs.Write($plainBytes, 0, $plainBytes.Length)
+    $cs.FlushFinalBlock()
+    
+    $encrypted = $ms.ToArray()
+    
+    $cs.Dispose()
+    $ms.Dispose()
+    $encryptor.Dispose()
+    $des.Dispose()
+    
+    return $encrypted
+}
+
+<#
+.SYNOPSIS
+    Test approved algorithm with encryption - GOOD: Using AES for encryption
+#>
+function Test-EncryptWithAES {
+    [CmdletBinding()]
+    param(
+        [string]$PlainText = "Test data to encrypt"
+    )
+    
+    # GOOD: Using AES for encryption
+    $aes = [System.Security.Cryptography.Aes]::Create()
+    $aes.GenerateKey()
+    $aes.GenerateIV()
+    
+    $encryptor = $aes.CreateEncryptor()
+    $plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
+    
+    $ms = New-Object System.IO.MemoryStream
+    $cs = New-Object System.Security.Cryptography.CryptoStream($ms, $encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
+    $cs.Write($plainBytes, 0, $plainBytes.Length)
+    $cs.FlushFinalBlock()
+    
+    $encrypted = $ms.ToArray()
+    
+    $cs.Dispose()
+    $ms.Dispose()
+    $encryptor.Dispose()
+    $aes.Dispose()
+    
+    return $encrypted
+}

powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.qlref

@@ -0,0 +1 @@
+queries/security/cwe-327/WeakSymmetricAlgorithm.ql