NodeSecure / js-x-ray

JavaScript & Node.js open-source SAST scanner. A static analyser for detecting most common malicious patterns 🔬.
MIT License

Detect and throw warning for weak crypto hash algorithm #25

Closed fraxken closed 2 years ago

fraxken commented 2 years ago

The goal of this task (issue) is to develop a new feature capable of detecting any usage of a weak hash algorithm like md5.

For the sake of simplicity it is sufficient to look for the createHash method.

Example of code that should throw a new warning:

```js
import crypto from "crypto";

crypto.createHash("md5");
```

We may have to answer a few questions for this issue:
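A sketch of the check requested above, as an added example that is not part of the issue thread and is not js-x-ray's own code. It walks an ESTree-shaped AST for `createHash` calls with a weak string-literal algorithm; the weak-algorithm list beyond md5, the warning shape, and all function names are assumptions.

```js
// Assumption: the issue names only md5; the other entries are added here.
const WEAK_HASHES = new Set(["md5", "sha1", "md4", "md2"]);

// Depth-first walk yielding every object that carries a string `type` (an ESTree node).
function* walk(node) {
  if (node === null || typeof node !== "object") return;
  if (typeof node.type === "string") yield node;
  for (const value of Object.values(node)) yield* walk(value);
}

// Called name for `createHash(...)`, `x.createHash(...)` or `x["createHash"](...)`.
function calleeName(callee) {
  if (callee.type === "Identifier") return callee.name;
  if (callee.type !== "MemberExpression") return null;
  const p = callee.property;
  return callee.computed ? (p.type === "Literal" ? p.value : null) : p.name;
}

// Returns one (hypothetical) warning object per weak createHash call.
function findWeakHashes(ast) {
  const warnings = [];
  for (const node of walk(ast)) {
    if (node.type !== "CallExpression" || calleeName(node.callee) !== "createHash") continue;
    const [arg] = node.arguments;
    // Only string literals can be resolved without data-flow analysis.
    if (!arg || arg.type !== "Literal" || typeof arg.value !== "string") continue;
    const algorithm = arg.value.toLowerCase();
    if (WEAK_HASHES.has(algorithm)) warnings.push({ kind: "weak-hash", algorithm });
  }
  return warnings;
}

// Constructed sample: the AST shape an ESTree parser would emit for
//   crypto.createHash("md5"); createHash("SHA1"); crypto.createHash("sha256"); crypto.createHash(algo);
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (o, p) => ({ type: "MemberExpression", object: id(o), property: id(p), computed: false });
const stmt = (callee, ...args) => ({ type: "ExpressionStatement", expression: { type: "CallExpression", callee, arguments: args } });
const sampleAst = {
  type: "Program",
  body: [
    stmt(member("crypto", "createHash"), lit("md5")),
    stmt(id("createHash"), lit("SHA1")),
    stmt(member("crypto", "createHash"), lit("sha256")),
    stmt(member("crypto", "createHash"), id("algo")),
  ],
};

console.log(findWeakHashes(sampleAst));
```

The bare `createHash("SHA1")` case covers a destructured import; the `createHash(algo)` call is skipped because the algorithm is not a literal, which is a blind spot of this purely syntactic check.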

tony-go commented 2 years ago

I know that I'm a bit too busy atm, but I'd like to work on this one (maybe a live 👀) as I haven't touched js-x-ray too much since the beginning ^^

fraxken commented 2 years ago

@Mathieuka was also interested in this one (so maybe check with him if he still wants to do it).

Mathieuka commented 2 years ago

@fraxken Finally I don't feel strong enough to take this ticket at the moment, I'm going to keep learning about the AST part :muscle:

@tony-go If you do a live on this ticket that would be great!!

fraxken commented 2 years ago

@all-contributors please add @tony-go for code, doc, test

allcontributors[bot] commented 2 years ago

@fraxken

I've put up a pull request to add @tony-go! :tada: