import InsecureHashAlgorithm cop

spraints · spraints · commit d0b04619f824 · 2020-12-10T14:50:19.000-05:00
diff --git a/lib/rubocop/cop/github/insecure_hash_algorithm.rb b/lib/rubocop/cop/github/insecure_hash_algorithm.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "rubocop"
+
+module RuboCop
+  module Cop
+    module GitHub
+      class InsecureHashAlgorithm < Cop
+        MESSAGE = "This hash algorithm is old and insecure and should not be used. Please use SHA256 instead."
+
+        def_node_matcher :insecure_const?, "(const (const _ :Digest) #insecure_algorithm?)"
+        def_node_matcher :insecure_call?, "(send (const _ {:Digest :HMAC}) _ (str #insecure_algorithm?) ...)"
+
+        def insecure_algorithm?(val)
+          case val.to_s.downcase
+          when "md5", "sha1"
+            true
+          else
+            false
+          end
+        end
+
+        def on_const(const_node)
+          if insecure_const?(const_node)
+            add_offense(const_node, message: MESSAGE)
+          end
+        end
+
+        def on_send(send_node)
+          if insecure_call?(send_node)
+            add_offense(send_node, message: MESSAGE)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/test/test_insecure_hash_algorithm.rb b/test/test_insecure_hash_algorithm.rb
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "./cop_test"
+require "minitest/autorun"
+require "rubocop/cop/github/insecure_hash_algorithm"
+
+class TestInsecureHashAlgorithm < CopTest
+  def cop_class
+    RuboCop::Cop::GitHub::InsecureHashAlgorithm
+  end
+
+  def test_kitchen_sink
+    investigate(cop, <<-RUBY)
+      class Something
+        BAD_ALGO = Digest::MD5
+                   #^^^^^^^^^^^ #{message}
+        GOOD_ALGO = Digest::SHA256
+        OBAD_ALGO = OpenSSL::Digest::MD5
+                    #^^^^^^^^^^^^^^^^^^^^ #{message}
+        BAD_SHA1_ALGO = Digest::SHA1
+                        #^^^^^^^^^^^^ #{message}
+        OBAD_SHA1_ALGO = OpenSSL::Digest::SHA1
+                         #^^^^^^^^^^^^^^^^^^^^^ #{message}
+
+        def kitchen_sink_hash(str)
+          BAD_ALGO.hexdigest(str) +
+            GOOD_ALGO.hexdigest(str) +
+            Digest::MD5.hexdigest(str) +
+            #^^^^^^^^^^^ #{message}
+            Digest::SHA1.hexdigest(str) +
+            #^^^^^^^^^^^^ #{message}
+            OpenSSL::Digest::MD5.hexdigest(str) +
+            #^^^^^^^^^^^^^^^^^^^^ #{message}
+            OpenSSL::Digest::SHA1.hexdigest(str)
+            #^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest.digest("MD5", str)
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest.digest("SHA1", str)
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest.hexdigest("Sha1", str)
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest.digest("SHA256", str)
+          OpenSSL::HMAC.hexdigest('md5', str)
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::HMAC.hexdigest('sha1', str)
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::HMAC.hexdigest('sha256', str)
+          OpenSSL::Digest::Digest.new('md5')
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest::Digest.new('sha1')
+          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #{message}
+          OpenSSL::Digest::Digest.new('sha256')
+        end
+      end
+    RUBY
+
+    assert_equal 15, cop.offenses.count
+    assert_equal([cop_class::MESSAGE], cop.offenses.map(&:message).uniq)
+  end
+end
