unit tests for weak hash

chanel-y · chanel-y · commit 4bdb2e2691af · 2026-01-15T11:19:27.000-08:00
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.expected b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.expected
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.qlref b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.qlref
@@ -0,0 +1 @@
+queries/security/cwe-327/WeakHashes.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1 b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1
@@ -0,0 +1,45 @@
+# Unsafe usage of weak hash algorithms (CWE-327)
+
+# BAD: Using MD5 - cryptographically broken
+$md5 = [System.Security.Cryptography.MD5]::Create()
+$md5Hash = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
+
+# BAD: Using MD5CryptoServiceProvider
+$md5Provider = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
+$md5ProviderHash = $md5Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("secret"))
+
+# BAD: Using SHA1 - cryptographically weak
+$sha1 = [System.Security.Cryptography.SHA1]::Create()
+$sha1Hash = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
+
+# BAD: Using SHA1CryptoServiceProvider
+$sha1Provider = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
+$sha1ProviderHash = $sha1Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("secret"))
+
+# BAD: Using SHA1Managed
+$sha1Managed = New-Object System.Security.Cryptography.SHA1Managed
+$sha1ManagedHash = $sha1Managed.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("data"))
+
+# ---------------------------------------------------------
+# GOOD: Safe usage of cryptographically secure algorithms
+# ---------------------------------------------------------
+
+# GOOD: Using SHA256
+$sha256 = [System.Security.Cryptography.SHA256]::Create()
+$sha256Hash = $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
+
+# GOOD: Using SHA256CryptoServiceProvider
+$sha256Provider = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
+$sha256ProviderHash = $sha256Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("secret"))
+
+# GOOD: Using SHA256Managed
+$sha256Managed = New-Object System.Security.Cryptography.SHA256Managed
+$sha256ManagedHash = $sha256Managed.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("data"))
+
+# GOOD: Using SHA384
+$sha384 = [System.Security.Cryptography.SHA384]::Create()
+$sha384Hash = $sha384.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
+
+# GOOD: Using SHA512
+$sha512 = [System.Security.Cryptography.SHA512]::Create()
+$sha512Hash = $sha512.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
