Also find weak crypto in PHP when hash(...) is called (#3541)

MD5 and SHA1 are insecure hash functions. These have their own function names (`md5(...)`, `sha1(...)`) but can also be calculated using `hash('md5', ...)` and `hash('sha1', ...)`. Also find these instances and report them as weak crypto. Also, write out all function names as function calls instead of matching them with a regular expression, for readability and performance reasons.
semgrep · Dec 20, 2024 · a9aea6c · a9aea6c
1 parent 1a75469
commit a9aea6c
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/php/lang/security/weak-crypto.php b/php/lang/security/weak-crypto.php
@@ -20,3 +20,12 @@
 
 // ok: weak-crypto
 $hashed_password = sodium_crypto_generichash('mypassword');
+
+// ruleid: weak-crypto
+var_dump(hash("sha1", "hello"));
+
+// ruleid: weak-crypto
+var_dump(hash("md5", "hello"));
+
+// ok: weak-crypto
+var_dump(hash("sha384", "hello"));
diff --git a/php/lang/security/weak-crypto.yaml b/php/lang/security/weak-crypto.yaml
@@ -1,10 +1,15 @@
 rules:
 - id: weak-crypto
   patterns:
-  - pattern: $FUNC(...);
-  - metavariable-regex:
-      metavariable: $FUNC
-      regex: crypt|md5|md5_file|sha1|sha1_file|str_rot13
+  - pattern-either:
+    - pattern: crypt(...)
+    - pattern: hash('md5', ...)
+    - pattern: hash('sha1', ...)
+    - pattern: md5_file(...)
+    - pattern: md5(...)
+    - pattern: sha1_file(...)
+    - pattern: sha1(...)
+    - pattern: str_rot13(...)
   message: >-
     Detected usage of weak crypto function. Consider using stronger alternatives.
   metadata: