class Railroader::CheckWeakHash
Constants
- DIGEST_CALLS
Public Instance Methods
hashing_password?(call)
# File lib/railroader/checks/check_weak_hash.rb, line 109
# Look for a password-like value among the arguments of a digest call.
#
# Each argument is run through the Sexp processor; process_call,
# process_ivar and process_lvar set @has_password when they see
# `password` / `@password`. The flag is cleared before every argument so
# state left over from an earlier invocation cannot count as a hit.
#
# @param call [Sexp] the digest call whose arguments are inspected
# @return [Sexp, nil] the first password-like expression found, else nil
def hashing_password? call
  call.each_arg do |arg|
    @has_password = false
    process arg
    return @has_password if @has_password
  end

  nil
end
process_call(exp)
# File lib/railroader/checks/check_weak_hash.rb, line 123
# Sexp processor hook for :call nodes, used while hashing_password? walks
# a digest call's arguments.
#
# A call named `password` (e.g. `user.password`) marks the argument as
# password-like; every other call is handed to process_default so its
# receiver and arguments are still walked.
# NOTE(review): a `&.password` safe-navigation call is a different node
# type and would not reach this hook — confirm whether that matters here.
#
# @param exp [Sexp] the :call node
# @return [Sexp] exp, unchanged
def process_call exp
  case exp.method
  when :password
    @has_password = exp
  else
    process_default exp
  end

  exp
end
process_hash_result(result)
# File lib/railroader/checks/check_weak_hash.rb, line 24
# Report a call on one of the weak digest classes located by run_check.
#
# Confidence is :high only when the method is one of DIGEST_CALLS and
# either user input or a password-like value reaches it as an argument;
# any other call on these classes is reported at :medium. The message
# names MD5 or SHA1 when the call target ends in that constant.
#
# @param result [Hash] a find_call result; result[:call] is the call Sexp
# @return [void]
def process_hash_result result
  return unless original? result

  call = result[:call]
  input = nil
  confidence = :medium

  if DIGEST_CALLS.include? call.method
    # user_input_as_arg? is checked first; hashing_password? only runs
    # when no user input was found.
    input = user_input_as_arg?(call) || hashing_password?(call)
    confidence = :high if input
  end

  algorithm = call.target.last
  alg = [:MD5, :SHA1].include?(algorithm) ? " (#{algorithm})" : ""

  warn :result => result,
    :warning_type => "Weak Hash",
    :warning_code => :weak_hash_digest,
    :message => "Weak hashing algorithm#{alg} used",
    :confidence => confidence,
    :user_input => input
end
process_hmac_result(result)
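# File lib/railroader/checks/check_weak_hash.rb, line 60
# Report a Digest::HMAC call (see run_check) whose digest class is MD5 or
# SHA1.
#
# Digest::HMAC.hexdigest(data, key, digester) carries the digest class in
# its third argument, while Digest::HMAC.new(key, digester) carries it in
# its second, so the argument to inspect depends on the method called.
# Reading the third argument unconditionally raised NoMethodError on nil
# for the two-argument `new` form, which aborted the check instead of
# producing a warning.
#
# @param result [Hash] a find_call result; result[:call] is the call Sexp
# @return [void] warns with :weak_hash_hmac; returns without warning when
#   the digest argument is absent or does not name MD5/SHA1
def process_hmac_result result
  return unless original? result

  call = result[:call]
  digester = call.method == :new ? call.second_arg : call.third_arg

  # Nothing to classify when the argument is missing (nil has no #last).
  return unless digester.respond_to? :last

  alg = case digester.last
        when :MD5
          'MD5'
        when :SHA1
          'SHA1'
        else
          return
        end

  warn :result => result,
    :warning_type => "Weak Hash",
    :warning_code => :weak_hash_hmac,
    :message => "Weak hashing algorithm (#{alg}) used in HMAC",
    :confidence => :medium
end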
process_ivar(exp)
# File lib/railroader/checks/check_weak_hash.rb, line 133
# Sexp processor hook for instance-variable reads, used while
# hashing_password? walks a digest call's arguments.
#
# A read of `@password` marks the argument as password-like.
#
# @param exp [Sexp] the :ivar node; exp.value is the variable name
# @return [Sexp] exp, unchanged
def process_ivar exp
  @has_password = exp if exp.value == :@password
  exp
end
process_lvar(exp)
# File lib/railroader/checks/check_weak_hash.rb, line 141
# Sexp processor hook for local-variable reads, used while
# hashing_password? walks a digest call's arguments.
#
# A read of a local named `password` marks the argument as password-like.
#
# @param exp [Sexp] the :lvar node; exp.value is the variable name
# @return [Sexp] exp, unchanged
def process_lvar exp
  @has_password = exp if exp.value == :password
  exp
end
process_openssl_result(result)
# File lib/railroader/checks/check_weak_hash.rb, line 81
# Report OpenSSL::Digest.new / OpenSSL::Digest::Digest.new (see run_check)
# when the algorithm name is the literal string "MD5" or "SHA1", in any
# letter case.
#
# Only a string literal is classified; an algorithm name held in a
# variable or built by interpolation is not reported by this check.
#
# @param result [Hash] a find_call result; result[:call] is the call Sexp
# @return [void]
def process_openssl_result result
  return unless original? result

  arg = result[:call].first_arg
  return unless string? arg

  alg = arg.value.upcase
  return unless %w[MD5 SHA1].include? alg

  warn :result => result,
    :warning_type => "Weak Hash",
    :warning_code => :weak_hash_digest,
    :message => "Weak hashing algorithm (#{alg}) used",
    :confidence => :medium
end
run_check()
# File lib/railroader/checks/check_weak_hash.rb, line 10
# Entry point of the check: find calls on weak digest classes, on
# Digest::HMAC, and OpenSSL digest constructors, and hand each result to
# the matching process_* method.
#
# The digest and HMAC searches are nested (calls inside other calls are
# found too); the OpenSSL constructor search is not.
#
# @return [void]
def run_check
  weak_digests = [:'Digest::MD5', :'Digest::SHA1', :'OpenSSL::Digest::MD5', :'OpenSSL::Digest::SHA1']
  tracker.find_call(:targets => weak_digests, :nested => true).each { |result| process_hash_result result }

  tracker.find_call(:target => :'Digest::HMAC', :methods => [:new, :hexdigest], :nested => true).each { |result| process_hmac_result result }

  openssl_ctors = [:'OpenSSL::Digest::Digest', :'OpenSSL::Digest']
  tracker.find_call(:targets => openssl_ctors, :method => :new).each { |result| process_openssl_result result }
end
user_input_as_arg?(call)
# File lib/railroader/checks/check_weak_hash.rb, line 99
# Return the first argument of a digest call that carries user input.
#
# @param call [Sexp] the digest call whose arguments are inspected
# @return [Object, nil] whatever include_user_input? returns for the first
#   matching argument, or nil when no argument matches
def user_input_as_arg? call
  call.each_arg do |arg|
    input = include_user_input?(arg)
    return input if input
  end

  nil
end