Merge branch 'develop' into sha224

semgrep · Dec 20, 2024 · d5b85b8 · d5b85b8
2 parents bd8ba14 + a9aea6c
commit d5b85b8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/php/lang/security/weak-crypto.php b/php/lang/security/weak-crypto.php
@@ -20,3 +20,12 @@
 
 // ok: weak-crypto
 $hashed_password = sodium_crypto_generichash('mypassword');
+
+// ruleid: weak-crypto
+var_dump(hash("sha1", "hello"));
+
+// ruleid: weak-crypto
+var_dump(hash("md5", "hello"));
+
+// ok: weak-crypto
+var_dump(hash("sha384", "hello"));
diff --git a/php/lang/security/weak-crypto.yaml b/php/lang/security/weak-crypto.yaml
@@ -1,10 +1,15 @@
 rules:
 - id: weak-crypto
   patterns:
-  - pattern: $FUNC(...);
-  - metavariable-regex:
-      metavariable: $FUNC
-      regex: crypt|md5|md5_file|sha1|sha1_file|str_rot13
+  - pattern-either:
+    - pattern: crypt(...)
+    - pattern: hash('md5', ...)
+    - pattern: hash('sha1', ...)
+    - pattern: md5_file(...)
+    - pattern: md5(...)
+    - pattern: sha1_file(...)
+    - pattern: sha1(...)
+    - pattern: str_rot13(...)
   message: >-
     Detected usage of weak crypto function. Consider using stronger alternatives.
   metadata: