Add sha1 to weak crypto primitives

marshallm · Aug 8, 2018 · fb0dc73 · fb0dc73
1 parent 90a1c1d
commit fb0dc73
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 0 deletions.
diff --git a/rules/blacklist.go b/rules/blacklist.go
@@ -85,3 +85,10 @@ func NewBlacklistedImportCGI(id string, conf gosec.Config) (gosec.Rule, []ast.No
 		"net/http/cgi": "Blacklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386)",
 	})
 }
+
+// NewBlacklistedImportSHA1 fails if SHA1 is imported
+func NewBlacklistedImportSHA1(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
+	return NewBlacklistedImports(id, conf, map[string]string{
+		"crypto/sha1": "Blacklisted import crypto/sha1: weak cryptographic primitive",
+	})
+}
diff --git a/rules/rulelist.go b/rules/rulelist.go
@@ -90,6 +90,7 @@ func Generate(filters ...RuleFilter) RuleList {
 		{"G502", "Import blacklist: crypto/des", NewBlacklistedImportDES},
 		{"G503", "Import blacklist: crypto/rc4", NewBlacklistedImportRC4},
 		{"G504", "Import blacklist: net/http/cgi", NewBlacklistedImportCGI},
+		{"G505", "Import blacklist: crypto/sha1", NewBlacklistedImportSHA1},
 	}
 
 	ruleMap := make(map[string]RuleDefinition)

diff --git a/rules/rules_test.go b/rules/rules_test.go
@@ -6,6 +6,7 @@ import (
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+
 	"github.com/securego/gosec"
 	"github.com/securego/gosec/rules"
 	"github.com/securego/gosec/testutils"
@@ -110,6 +111,10 @@ var _ = Describe("gosec rules", func() {
 			runner("G401", testutils.SampleCodeG401)
 		})
 
+		It("should detect weak crypto algorithms", func() {
+			runner("G401", testutils.SampleCodeG401b)
+		})
+
 		It("should find insecure tls settings", func() {
 			runner("G402", testutils.SampleCodeG402)
 		})
@@ -137,6 +142,9 @@ var _ = Describe("gosec rules", func() {
 		It("should detect blacklisted imports - CGI (httpoxy)", func() {
 			runner("G504", testutils.SampleCodeG504)
 		})
+		It("should detect blacklisted imports - SHA1", func() {
+			runner("G505", testutils.SampleCodeG505)
+		})
 
 	})
 

diff --git a/rules/weakcrypto.go b/rules/weakcrypto.go
@@ -43,6 +43,7 @@ func NewUsesWeakCryptography(id string, conf gosec.Config) (gosec.Rule, []ast.No
 	calls := make(map[string][]string)
 	calls["crypto/des"] = []string{"NewCipher", "NewTripleDESCipher"}
 	calls["crypto/md5"] = []string{"New", "Sum"}
+	calls["crypto/sha1"] = []string{"New", "Sum"}
 	calls["crypto/rc4"] = []string{"NewCipher"}
 	rule := &usesWeakCryptography{
 		blacklist: calls,

diff --git a/testutils/source.go b/testutils/source.go
@@ -633,6 +633,31 @@ func main() {
 	fmt.Printf("%x", h.Sum(nil))
 }`, 1}}
 
+	// SampleCodeG401b - Use of weak crypto SHA1
+	SampleCodeG401b = []CodeSample{
+		{`
+package main
+import (
+	"crypto/sha1"
+	"fmt"
+	"io"
+	"log"
+	"os"
+)
+func main() {
+	f, err := os.Open("file.txt")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer f.Close()
+
+	h := sha1.New()
+	if _, err := io.Copy(h, f); err != nil {
+		log.Fatal(err)
+	}
+	fmt.Printf("%x", h.Sum(nil))
+}`, 1}}
+
 	// SampleCodeG402 - TLS settings
 	SampleCodeG402 = []CodeSample{{`
 // InsecureSkipVerify
@@ -827,6 +852,20 @@ import (
  )
 func main() {
 	cgi.Serve(http.FileServer(http.Dir("/usr/share/doc")))
+}`, 1}}
+	// SampleCodeG505 - Blacklisted import SHA1
+	SampleCodeG505 = []CodeSample{
+		{`
+package main
+import (
+	"crypto/sha1"
+	"fmt"
+	"os"
+)
+func main() {
+	for _, arg := range os.Args {
+		fmt.Printf("%x - %s\n", sha1.Sum([]byte(arg)), arg)
+	}
 }`, 1}}
 	// SampleCode601 - Go build tags
 	SampleCode601 = []CodeSample{{`