NET-1257 Fix S4790 FN: New HashData overloads not recognized

Author: mary-georgiou-sonarsource

analyzers/src/SonarAnalyzer.CSharp/Rules/Hotspots/CreatingHashAlgorithms.cs

@@ -14,15 +14,20 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 
-namespace SonarAnalyzer.CSharp.Rules
+namespace SonarAnalyzer.CSharp.Rules;
+
+[DiagnosticAnalyzer(LanguageNames.CSharp)]
+public sealed class CreatingHashAlgorithms : CreatingHashAlgorithmsBase<SyntaxKind>
 {
-    [DiagnosticAnalyzer(LanguageNames.CSharp)]
-    public sealed class CreatingHashAlgorithms : CreatingHashAlgorithmsBase<SyntaxKind>
-    {
-        protected override ILanguageFacade<SyntaxKind> Language => CSharpFacade.Instance;
+    protected override ILanguageFacade<SyntaxKind> Language => CSharpFacade.Instance;
+
+    public CreatingHashAlgorithms() : this(AnalyzerConfiguration.Hotspot) { }
 
-        public CreatingHashAlgorithms() : this(AnalyzerConfiguration.Hotspot) { }
+    internal /*for testing*/ CreatingHashAlgorithms(IAnalyzerConfiguration configuration) : base(configuration) { }
 
-        internal /*for testing*/ CreatingHashAlgorithms(IAnalyzerConfiguration configuration) : base(configuration) { }
-    }
+    protected override bool IsUnsafeAlgorithm(SyntaxNode argumentNode, SemanticModel model) =>
+        argumentNode as ArgumentSyntax is { } argument
+        && argument.Expression as MemberAccessExpressionSyntax is { } memberAccess
+        && memberAccess.Name.ToString() is "SHA1" or "MD5"
+        && model.GetSymbolInfo(memberAccess.Expression).Symbol.GetSymbolType().Is(KnownType.System_Security_Cryptography_HashAlgorithmName);
 }

analyzers/src/SonarAnalyzer.Core/Rules/Hotspots/CreatingHashAlgorithmsBase.cs

@@ -16,75 +16,103 @@
 
 using SonarAnalyzer.Core.Trackers;
 
-namespace SonarAnalyzer.Core.Rules
+namespace SonarAnalyzer.Core.Rules;
+
+public abstract class CreatingHashAlgorithmsBase<TSyntaxKind> : TrackerHotspotDiagnosticAnalyzer<TSyntaxKind>
+    where TSyntaxKind : struct
 {
-    public abstract class CreatingHashAlgorithmsBase<TSyntaxKind> : TrackerHotspotDiagnosticAnalyzer<TSyntaxKind>
-        where TSyntaxKind : struct
-    {
-        protected const string DiagnosticId = "S4790";
-        protected const string MessageFormat = "Make sure this weak hash algorithm is not used in a sensitive context here.";
+    protected const string DiagnosticId = "S4790";
+    protected const string MessageFormat = "Make sure this weak hash algorithm is not used in a sensitive context here.";
+
+    private const string CreateMethodName = "Create";
+    private const string HashDataName = "HashData";
+    private const string HashDataAsyncName = "HashDataAsync";
+    private const string TryHashDataName = "TryHashData";
+
+    private readonly KnownType[] algorithmTypes =
+    [
+        KnownType.System_Security_Cryptography_DSA,
+        KnownType.System_Security_Cryptography_HMACMD5,
+        KnownType.System_Security_Cryptography_HMACRIPEMD160,
+        KnownType.System_Security_Cryptography_HMACSHA1,
+        KnownType.System_Security_Cryptography_MD5,
+        KnownType.System_Security_Cryptography_RIPEMD160,
+        KnownType.System_Security_Cryptography_SHA1
+    ];
 
-        private const string CreateMethodName = "Create";
+    private readonly string[] unsafeAlgorithms =
+    [
+        "DSA",
+        "System.Security.Cryptography.DSA",
+        "HMACMD5",
+        "System.Security.Cryptography.HMACMD5",
+        "HMACRIPEMD160",
+        "System.Security.Cryptography.HMACRIPEMD160",
+        "HMACSHA1",
+        "System.Security.Cryptography.HMACSHA1",
+        "MD5",
+        "System.Security.Cryptography.MD5",
+        "RIPEMD160",
+        "System.Security.Cryptography.RIPEMD160",
+        "SHA1",
+        "System.Security.Cryptography.SHA1",
+    ];
+
+    protected abstract bool IsUnsafeAlgorithm(SyntaxNode argumentNode, SemanticModel model);
+
+    protected CreatingHashAlgorithmsBase(IAnalyzerConfiguration configuration)
+        : base(configuration, DiagnosticId, MessageFormat) { }
+
+    protected override void Initialize(TrackerInput input)
+    {
+        var oc = Language.Tracker.ObjectCreation;
+        oc.Track(input, oc.WhenDerivesOrImplementsAny(algorithmTypes));
 
-        private readonly KnownType[] algorithmTypes =
-        {
-            KnownType.System_Security_Cryptography_DSA,
-            KnownType.System_Security_Cryptography_HMACMD5,
-            KnownType.System_Security_Cryptography_HMACRIPEMD160,
-            KnownType.System_Security_Cryptography_HMACSHA1,
-            KnownType.System_Security_Cryptography_MD5,
-            KnownType.System_Security_Cryptography_RIPEMD160,
-            KnownType.System_Security_Cryptography_SHA1
-        };
+        var tracker = Language.Tracker.Invocation;
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA,       CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC,      CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5,       CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160, CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1,      CreateMethodName)),
+            tracker.MethodHasParameters(0));
 
-        private readonly string[] unsafeAlgorithms =
-        {
-            "DSA",
-            "System.Security.Cryptography.DSA",
-            "HMACMD5",
-            "System.Security.Cryptography.HMACMD5",
-            "HMACRIPEMD160",
-            "System.Security.Cryptography.HMACRIPEMD160",
-            "HMACSHA1",
-            "System.Security.Cryptography.HMACSHA1",
-            "MD5",
-            "System.Security.Cryptography.MD5",
-            "RIPEMD160",
-            "System.Security.Cryptography.RIPEMD160",
-            "SHA1",
-            "System.Security.Cryptography.SHA1"
-        };
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_AsymmetricAlgorithm, CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_CryptoConfig,        "CreateFromName"),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA,                 CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_HashAlgorithm,       CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC,                CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_KeyedHashAlgorithm,  CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5,                 CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160,           CreateMethodName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1,                CreateMethodName)),
+            tracker.ArgumentAtIndexIsAny(0, unsafeAlgorithms));
 
-        protected CreatingHashAlgorithmsBase(IAnalyzerConfiguration configuration)
-            : base(configuration, DiagnosticId, MessageFormat) { }
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5,  HashDataName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5,  TryHashDataName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5,  HashDataAsyncName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, HashDataName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, TryHashDataName),
+                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, HashDataAsyncName)));
 
-        protected override void Initialize(TrackerInput input)
-        {
-            var oc = Language.Tracker.ObjectCreation;
-            oc.Track(input, oc.WhenDerivesOrImplementsAny(algorithmTypes));
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, HashDataName)),
+            tracker.ArgumentAtIndexIs(3, IsUnsafeAlgorithm));
 
-            var t = Language.Tracker.Invocation;
-            t.Track(input,
-                t.MatchMethod(
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_MD5, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, CreateMethodName)),
-                t.MethodHasParameters(0));
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, HashDataName)),
+            tracker.ArgumentAtIndexIs(1, IsUnsafeAlgorithm));
 
-            t.Track(input,
-                t.MatchMethod(
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_AsymmetricAlgorithm, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_CryptoConfig, "CreateFromName"),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_HashAlgorithm, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_KeyedHashAlgorithm, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_MD5, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160, CreateMethodName),
-                    new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, CreateMethodName)),
-                t.ArgumentAtIndexIsAny(0, unsafeAlgorithms));
-        }
+        tracker.Track(input,
+            tracker.MatchMethod(
+                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, TryHashDataName)),
+            tracker.ArgumentAtIndexIs(2, IsUnsafeAlgorithm));
     }
 }

analyzers/src/SonarAnalyzer.Core/Semantics/KnownType.cs

@@ -544,6 +544,7 @@ public sealed partial class KnownType
     public static readonly KnownType System_Security_Cryptography_ECDsa = new("System.Security.Cryptography.ECDsa");
     public static readonly KnownType System_Security_Cryptography_ECAlgorythm = new("System.Security.Cryptography.ECAlgorithm");
     public static readonly KnownType System_Security_Cryptography_HashAlgorithm = new("System.Security.Cryptography.HashAlgorithm");
+    public static readonly KnownType System_Security_Cryptography_HashAlgorithmName = new("System.Security.Cryptography.HashAlgorithmName");
     public static readonly KnownType System_Security_Cryptography_HMAC = new("System.Security.Cryptography.HMAC");
     public static readonly KnownType System_Security_Cryptography_HMACMD5 = new("System.Security.Cryptography.HMACMD5");
     public static readonly KnownType System_Security_Cryptography_HMACRIPEMD160 = new("System.Security.Cryptography.HMACRIPEMD160");

analyzers/src/SonarAnalyzer.VisualBasic/Rules/Hotspots/CreatingHashAlgorithms.cs

@@ -14,15 +14,20 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 
-namespace SonarAnalyzer.VisualBasic.Rules
+namespace SonarAnalyzer.VisualBasic.Rules;
+
+[DiagnosticAnalyzer(LanguageNames.VisualBasic)]
+public sealed class CreatingHashAlgorithms : CreatingHashAlgorithmsBase<SyntaxKind>
 {
-    [DiagnosticAnalyzer(LanguageNames.VisualBasic)]
-    public sealed class CreatingHashAlgorithms : CreatingHashAlgorithmsBase<SyntaxKind>
-    {
-        protected override ILanguageFacade<SyntaxKind> Language => VisualBasicFacade.Instance;
+    protected override ILanguageFacade<SyntaxKind> Language => VisualBasicFacade.Instance;
+
+    public CreatingHashAlgorithms() : this(AnalyzerConfiguration.Hotspot) { }
 
-        public CreatingHashAlgorithms() : this(AnalyzerConfiguration.Hotspot) { }
+    internal /*for testing*/ CreatingHashAlgorithms(IAnalyzerConfiguration configuration) : base(configuration) { }
 
-        internal /*for testing*/ CreatingHashAlgorithms(IAnalyzerConfiguration configuration) : base(configuration) { }
-    }
+    protected override bool IsUnsafeAlgorithm(SyntaxNode argumentNode, SemanticModel model) =>
+        argumentNode as SimpleArgumentSyntax is { } argument
+        && argument.Expression as MemberAccessExpressionSyntax is { } memberAccess
+        && memberAccess.Name.ToString() is "SHA1" or "MD5"
+        && model.GetSymbolInfo(memberAccess.Expression).Symbol.GetSymbolType().Is(KnownType.System_Security_Cryptography_HashAlgorithmName);
 }

analyzers/tests/SonarAnalyzer.Test/Rules/Hotspots/CreatingHashAlgorithmsTest.cs

@@ -60,6 +60,10 @@ public void CreatingHashAlgorithms_VB_NetFx() =>
     public void CreatingHashAlgorithms_CS_Latest() =>
         builderCS.AddPaths("CreatingHashAlgorithms.Latest.cs").WithOptions(LanguageOptions.CSharpLatest).Verify();
 
+    [TestMethod]
+    public void CreatingHashAlgorithms_VB_NET() =>
+    builderVB.AddPaths("CreatingHashAlgorithms.NET.vb").Verify();
+
 #endif
 
 }

analyzers/tests/SonarAnalyzer.Test/TestCases/Hotspots/CreatingHashAlgorithms.Latest.cs

@@ -3,6 +3,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
+using System.Threading.Tasks;
 
 public class InsecureHashAlgorithm
 {
@@ -30,12 +31,75 @@ void NewlinesInStringInterpolation()
 // https://github.com/SonarSource/sonar-dotnet/issues/8758
 public class Repro_FN_8758
 {
-    void Method()
+    public void Method()
     {
         var data = new byte[42];
+        var hashBuffer = new byte[SHA1.HashSizeInBytes];
         using var stream = new System.IO.MemoryStream(data);
-        SHA1.HashData(stream);          // FN
-        SHA1.HashData(data);            // FN
+        SHA1.HashData(stream);                                                 // Noncompliant
+        SHA1.HashData(data);                                                   // Noncompliant
+        if (SHA1.TryHashData(data, hashBuffer, out int bytesWrittenSHA1))      // Noncompliant
+        { }
+
+        MD5.HashData(data);                                                    // Noncompliant
+        if (MD5.TryHashData(data, hashBuffer, out int bytesWrittenMD5))        // Noncompliant
+        { }
+    }
+
+    public async Task Method2()
+    {
+        using var stream = new System.IO.MemoryStream(new byte[42]);
+        await SHA1.HashDataAsync(stream);          // Noncompliant
+        await MD5.HashDataAsync(stream);           // Noncompliant
+    }
+
+    private sealed class MyDSA : DSA
+    {
+        public override byte[] CreateSignature(byte[] rgbHash) => [];
+
+        public override DSAParameters ExportParameters(bool includePrivateParameters) => new DSAParameters();
+
+        public override void ImportParameters(DSAParameters parameters)
+        { }
+
+        public override bool VerifySignature(byte[] rgbHash, byte[] rgbSignature) => true;
+
+        protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm) => [];
+
+        protected override byte[] HashData(Stream data, HashAlgorithmName hashAlgorithm) => [];
+
+        protected override bool TryHashData(ReadOnlySpan<byte> data, Span<byte> destination, HashAlgorithmName hashAlgorithm, out int bytesWritten)
+        {
+            bytesWritten = 0;
+            return false;
+        }
+
+        public void UseHashData()
+        {
+            var data = new byte[42];
+            var hashBuffer = new byte[SHA1.HashSizeInBytes];
+            using var stream = new System.IO.MemoryStream(data);
+
+            _ = HashData(data, 0, data.Length, HashAlgorithmName.SHA1);                          // Noncompliant
+            _ = HashData(stream, HashAlgorithmName.SHA1);                                        // Noncompliant
+            if (TryHashData(data, hashBuffer, HashAlgorithmName.SHA1, out int bytesWrittenSHA1)) // Noncompliant
+            { }
+
+            _ = HashData(data, 0, data.Length, HashAlgorithmName.SHA3_256);
+            _ = HashData(stream, HashAlgorithmName.SHA3_384);
+            if (TryHashData(data, hashBuffer, HashAlgorithmName.SHA3_384, out int bytesWrittenSHA3))
+            { }
+
+            _ = base.HashData(data, 0, data.Length, HashAlgorithmName.SHA1);                              // Noncompliant
+            _ = base.HashData(stream, HashAlgorithmName.SHA1);                                            // Noncompliant
+            if (base.TryHashData(data, hashBuffer, HashAlgorithmName.SHA1, out int bytesWrittenSHA1Base)) // Noncompliant
+            { }
+
+            _ = base.HashData(data, 0, data.Length, HashAlgorithmName.SHA3_256);
+            _ = base.HashData(stream, HashAlgorithmName.SHA3_384);
+            if (base.TryHashData(data, hashBuffer, HashAlgorithmName.SHA3_384, out int bytesWrittenSHA3Base))
+            { }
+        }
     }
 }
 

analyzers/tests/SonarAnalyzer.Test/TestCases/Hotspots/CreatingHashAlgorithms.NET.vb

@@ -0,0 +1,35 @@
+Imports System
+Imports System.IO
+Imports System.Security.Cryptography
+Imports System.Threading.Tasks
+
+Namespace Tests.Diagnostics
+
+    Public Class Repro_FN_8758
+        Public Sub Method()
+            Dim data As Byte() = New Byte(41) {}
+            Dim hashBuffer As Byte() = New Byte(SHA1.HashSizeInBytes - 1) {}
+            Using stream As New MemoryStream(data)
+                SHA1.HashData(stream)                                              ' Noncompliant
+                SHA1.HashData(data)                                                ' Noncompliant
+                Dim bytesWrittenSHA1 As Integer
+                If SHA1.TryHashData(data, hashBuffer, bytesWrittenSHA1) Then       ' Noncompliant
+                End If
+                MD5.HashData(data)                                                 ' Noncompliant
+                Dim bytesWrittenMD5 As Integer
+                If MD5.TryHashData(data, hashBuffer, bytesWrittenMD5) Then         ' Noncompliant
+                End If
+            End Using
+        End Sub
+
+        Public Async Function Method2() As Task
+            Using stream As New MemoryStream(New Byte(41) {})
+                Await SHA1.HashDataAsync(stream)       ' Noncompliant
+                Await MD5.HashDataAsync(stream)        ' Noncompliant
+            End Using
+        End Function
+
+    End Class
+
+
+End Namespace