- Notifications
You must be signed in to change notification settings - Fork407
Add AvoidUsingBrokenHashAlgorithms#1787
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
ghost commentedApr 9, 2022 • edited by ghost
Loading Uh oh!
There was an error while loading.Please reload this page.
edited by ghost
Uh oh!
There was an error while loading.Please reload this page.
|
bergmeister left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks for the contribution and very good idea. I'll be giving it a test run but from a high level looks good otherwise. I might suggest something minor around the parameter parsin
MJVL commentedMay 23, 2022
Cool, thanks! I'll fix anything as needed when you get a chance to review. |
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
| Context"When there are violations" { | ||
| It"detects broken hash algorithms violations" { | ||
| (Invoke-ScriptAnalyzer-ScriptDefinition'Get-FileHash foo -Algorithm MD5'-Settings$settings).Count| Should-Be1 | ||
| (Invoke-ScriptAnalyzer-ScriptDefinition'Get-FileHash foo -Algorithm SHA1'-Settings$settings).Count| Should-Be1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
An optional improvement would be to make it also work when no named parameters are used:Invoke-ScriptAnalyzer -ScriptDefinition 'Get-FileHash foo SHA1'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Good idea. Can you see of any cases where this might false flag? Ie, someone opening a file that's named the same as a flagged hashing algorithm?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
No, because what you would do is check whether the first and second item in the array are not named parameters, i.e. do not start with dash and therefore you know for sure that the first one has to be the file name and the second one the algorithm
bergmeister left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Looks good, I would just change severity from Warning. An optional suggestion on improving parsing but this could also just be a follow up PR as I'd rather want to wrap this up and ship it quickly in the next version of PSSA.
Docs question to@sdwheeler What do we do with thedocs/Rules folder in this repo now? Do we have to replicate the same change here:https://github.com/MicrosoftDocs/PowerShell-Docs-Modules/tree/main/reference/docs-conceptual/PSScriptAnalyzer/Rules
Co-authored-by: Christoph Bergmeister [MVP] <c.bergmeister@gmail.com>
MJVL commentedMay 30, 2022
Thanks for the input! Fixed severities and unit tests based on your review comments. I lack the bandwidth at the moment to improve the parsing, but it's something I could look into in the future. I think we should leave that as a follow-up PR like you said to get this to ship faster. |
sdwheeler commentedMay 31, 2022
Yes. I just need to know when you are going to release and then I will copy the updated docs from the source repository to the docs repository. Eventually we want a CI job to do that automatically at release time. But for now, I can do it manually. |
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
PR Summary
This adds a new rule:
AvoidUsingBrokenHashAlgorithms.This rule searches for use of
SHA-1orMD5within-Algorithmparameters. This mainly serves to flag use withGet-FileHash, but also works for other cmdlets which may use the same parameter scheme. Should other algorithms in the future be deemed insecure, it would be trivial to add them.At this point both of these algorithms are broken (Microsoft SDL has labeled them as such since 2009), so I think it would be worthwhile to flag these, such that new code doesn't use these algorithms except when needed for backwards compatability.
PR Checklist
.cs,.ps1and.psm1files have the correct copyright headerWIP:to the beginning of the title and remove the prefix when the PR is ready.