microsoft / botbuilder-js

Welcome to the Bot Framework SDK for JavaScript repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using JavaScript.
https://github.com/Microsoft/botframework
MIT License

CodeQL alert SM01511: Use of password hash with insufficient computational effort in microsoft/microsoft/botbuilder-js/botbuilder-js #4335

Closed BruceHaley closed 2 years ago

BruceHaley commented 2 years ago

Repro Steps

Summary:
CodeQL detected the following issue: Use of password hash with insufficient computational effort (Help link)
Repository: https://github.com/microsoft/botbuilder-js/blob/main?path=/libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts#L77&lineStartColumn=29&lineEndColumn=32
File: /libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts
Location: Line 77, Column 29 - 32
Link: (Link to LGTM)

Recommendations:
Password from an access to noAuthKey is hashed insecurely.
Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.
Microsoft requirement(s): Microsoft.Security.Cryptography.10013;Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM01511 (Link to Liquid Requirement)
Confidence: high

System Info

This issue is a copy of ADO work item 77415 created by CodeQL. This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)

BruceHaley commented 2 years ago

Original Work Item URL

Original Work Item Details

| Created date | Created by | Changed date | Changed By | Assigned To | State | Type | Area Path | Iteration Path |
|---|---|---|---|---|---|---|---|---|
| 2022-09-26T20:05:07.59Z | Bruce Haley | 2022-09-26T20:05:07.59Z | Bruce Haley | | New | Bug | SDK_v4\Code Analysis | SDK_v4\Sprint 1 |

Original Work Item JSON

```json
{ "commentVersionRef": { "commentId": 5149895, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77415/comments/5149895/versions/1", "version": 1 }, "fields": { "BotFramework.IsException": false, "Custom.SecuritySeverity": "Important", "Microsoft.VSTS.Common.Priority": 2, "Microsoft.VSTS.Common.Severity": "2 - High", "Microsoft.VSTS.Common.StateChangeDate": "2022-09-26T20:05:07.59Z", "Microsoft.VSTS.Common.ValueArea": "Business", "Microsoft.VSTS.TCM.ReproSteps": "Summary:
CodeQL detected the following issue: Use of password hash with insufficient computational effort (Help link)
Repository: https://github.com/microsoft/botbuilder-js/tree/main?path=/libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts&line=77&lineStartColumn=29&lineEndColumn=32
File: /libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts
Location: Line 77, Column 29 - 32
Link: (Link to LGTM)

Recommendations:
Password from an access to noAuthKey is hashed insecurely.\n
Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.
Microsoft requirement(s): Microsoft.Security.Cryptography.10013;Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM01511 (Link to Liquid Requirement)
Confidence: high", "Microsoft.VSTS.TCM.SystemInfo": "This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft.To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)", "System.AreaId": 140243, "System.AreaLevel1": "SDK_v4", "System.AreaLevel2": "Code Analysis", "System.AreaPath": "SDK_v4\\Code Analysis", "System.AuthorizedAs": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.AuthorizedDate": "2022-09-26T20:05:07.59Z", "System.ChangedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.ChangedDate": "2022-09-26T20:05:07.59Z", "System.CommentCount": 1, "System.CreatedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": 
"https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.CreatedDate": "2022-09-26T20:05:07.59Z", "System.Description": "Summary:
CodeQL detected the following issue: Use of password hash with insufficient computational effort (Help link)
Repository: https://github.com/microsoft/botbuilder-js/tree/main?path=/libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts&line=77&lineStartColumn=29&lineEndColumn=32
File: /libraries/botbuilder-azure/src/cosmosDbKeyEscape.ts
Location: Line 77, Column 29 - 32
Link: (Link to LGTM)

Recommendations:
Password from an access to noAuthKey is hashed insecurely.\n
Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.
Microsoft requirement(s): Microsoft.Security.Cryptography.10013;Microsoft.Security.SystemsADM.10201
Requirement: CodeQL.SM01511 (Link to Liquid Requirement)
Confidence: high", "System.History": "Security Rating: Important
", "System.Id": 77415, "System.IterationId": 139042, "System.IterationLevel1": "SDK_v4", "System.IterationLevel2": "Sprint 1", "System.IterationPath": "SDK_v4\\Sprint 1", "System.NodeName": "Code Analysis", "System.PersonId": 48095448, "System.Reason": "New defect reported", "System.Rev": 1, "System.RevisedDate": "9999-01-01T00:00:00Z", "System.State": "New", "System.Tags": "CodeQL; external/cwe/cwe-916; sdl-recommended; sdl-required; security", "System.TeamProject": "SDK_v4", "System.Title": "CodeQL alert SM01511: Use of password hash with insufficient computational effort in microsoft/microsoft/botbuilder-js/botbuilder-js", "System.Watermark": 324545, "System.WorkItemType": "Bug", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column": "New", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column.Done": false, "WEF_2AF1BD8A732542D29D4104AD064A9D25_System.ExtensionMarker": true }, "id": 77415, "relations": [ { "attributes": { "authorizedDate": "2022-09-26T20:05:07.59Z", "comment": "Issue in LGTM", "id": 6925867, "resourceCreatedDate": "2022-09-26T20:05:07.59Z", "resourceModifiedDate": "2022-09-26T20:05:07.59Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://onees.lgtm.microsoft.com/issues/1011926/javascript/6z4zVjMOdsRTyhZN9l3PcrKOeCk=" }, { "attributes": { "authorizedDate": "2022-09-26T20:05:07.59Z", "comment": "Liquid requirement link", "id": 6925868, "resourceCreatedDate": "2022-09-26T20:05:07.59Z", "resourceModifiedDate": "2022-09-26T20:05:07.59Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://liquid.microsoft.com/ref?_reqref=1480D06A-3EBB-45BA-BC81-D79569A7D2C1.rex:%2f%2fscanningtoolwarnings%2fRequirements%2fCodeQL.SM01511" } ], "rev": 1, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77415" }
```

Work Item Comments (1)

| Created date | Created by | JSON URL |
|---|---|---|
| 2022-09-26T20:05:07.59Z | Bruce Haley | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77415/comments/5149895) |

**Comment text**: Security Rating: Important
-----------