Add special checks for rails's Digest::UUID

spraints · spraints · commit e51e5c2587a9 · 2020-12-11T14:51:10.000-05:00
https://api.rubyonrails.org/classes/Digest/UUID.html uuid_v3 uses MD5, so it's only allowed when MD5 is in the "Allowed" list. uuid_v5 uses SHA1, so it's only allowed when SHA1 is in the "Allowed" list.
diff --git a/lib/rubocop/cop/github/insecure_hash_algorithm.rb b/lib/rubocop/cop/github/insecure_hash_algorithm.rb
@@ -7,6 +7,8 @@ module Cop
     module GitHub
       class InsecureHashAlgorithm < Cop
         MSG = "This hash function is not allowed"
+        UUID_V3_MSG = "uuid_v3 uses MD5, which is not allowed"
+        UUID_V5_MSG = "uuid_v5 uses SHA1, which is not allowed"
 
         # Matches constants like these:
         #   Digest::MD5
@@ -47,6 +49,19 @@ class InsecureHashAlgorithm < Cop
           (send (const (const _ :OpenSSL) :HMAC) :new _ #insecure_algorithm?)
         PATTERN
 
+        # Matches Rails's Digest::UUID.
+        def_node_matcher :digest_uuid?, <<-PATTERN
+          (const (const _ :Digest) :UUID)
+        PATTERN
+
+        def_node_matcher :uuid_v3?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v3 ...)
+        PATTERN
+
+        def_node_matcher :uuid_v5?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v5 ...)
+        PATTERN
+
         def insecure_algorithm?(val)
           return false if val == :Digest # Don't match "Digest::Digest".
           case alg_name(val)
@@ -93,13 +108,21 @@ def alg_name(val)
         end
 
         def on_const(const_node)
-          if insecure_const?(const_node)
+          if insecure_const?(const_node) && !digest_uuid?(const_node)
             add_offense(const_node, message: MSG)
           end
         end
 
         def on_send(send_node)
           case
+          when uuid_v3?(send_node)
+            unless allowed_hash_functions.include?("md5")
+              add_offense(send_node, message: UUID_V3_MSG)
+            end
+          when uuid_v5?(send_node)
+            unless allowed_hash_functions.include?("sha1")
+              add_offense(send_node, message: UUID_V5_MSG)
+            end
           when openssl_hmac_new?(send_node)
             if openssl_hmac_new_insecure?(send_node)
               add_offense(send_node, message: MSG)
diff --git a/test/test_insecure_hash_algorithm.rb b/test/test_insecure_hash_algorithm.rb
@@ -9,8 +9,8 @@ def cop_class
     RuboCop::Cop::GitHub::InsecureHashAlgorithm
   end
 
-  def make_cop(config_hash)
-    config = RuboCop::Config.new({"GitHub/InsecureHashAlgorithm" => config_hash})
+  def make_cop(allowed:)
+    config = RuboCop::Config.new({"GitHub/InsecureHashAlgorithm" => {"Allowed" => allowed}})
     cop_class.new(config)
   end
 
@@ -343,35 +343,101 @@ def something(str)
     assert_equal 0, cop.offenses.count
   end
 
-  def test_allow_sha512_only
-    cop = make_cop "Allowed" => %w[SHA512]
+  def test_uuid_from_hash
     investigate(cop, <<-RUBY)
       class Something
-        HASH = Digest::SHA256
+        def uuid
+          # I want to demonstrate that uuid_from_hash isn't a trigger,
+          # even though I don't know if it's even valid to use SHA256.
+          Digest::UUID.uuid_from_hash(Digest::SHA256, 'abc', 'def')
+        end
       end
     RUBY
+
+    assert_equal 0, cop.offenses.count
+  end
+
+  def test_uuid_v3
+    investigate(cop, <<-RUBY)
+      class Something
+        def uuid
+          Digest::UUID.uuid_v3('anything', 'anything')
+        end
+      end
+    RUBY
+
     assert_equal 1, cop.offenses.count
+    assert_equal cop_class::UUID_V3_MSG, cop.offenses.first.message
   end
 
-  def test_allow_lots_of_hashes
-    cop = make_cop "Allowed" => %w[SHA1 SHA256 SHA384 SHA512]
+  def test_uuid_v3_with_md5_allowed
+    cop = make_cop(allowed: %w[MD5])
     investigate(cop, <<-RUBY)
       class Something
-        HASH = Digest::SHA1
+        def uuid
+          Digest::UUID.uuid_v3('anything', 'anything')
+        end
       end
     RUBY
+
+    assert_equal 0, cop.offenses.count
+  end
+
+  def test_uuid_v4
+    investigate(cop, <<-RUBY)
+      class Something
+        def uuid
+          Digest::UUID.uuid_v4
+        end
+      end
+    RUBY
+
     assert_equal 0, cop.offenses.count
   end
 
-  def test_allow_other_digest_types
-    cop = make_cop "Allowed" => %w[UUID]
+  def test_uuid_v5
     investigate(cop, <<-RUBY)
       class Something
         def uuid
-          Digest::UUID.create
+          Digest::UUID.uuid_v5('anything', 'anything')
         end
       end
     RUBY
+
+    assert_equal 1, cop.offenses.count
+    assert_equal cop_class::UUID_V5_MSG, cop.offenses.first.message
+  end
+
+  def test_uuid_v5_with_sha1_allowed
+    cop = make_cop(allowed: %w[SHA1])
+    investigate(cop, <<-RUBY)
+      class Something
+        def uuid
+          Digest::UUID.uuid_v5('anything', 'anything')
+        end
+      end
+    RUBY
+
+    assert_equal 0, cop.offenses.count
+  end
+
+  def test_allow_sha512_only
+    cop = make_cop(allowed: %w[SHA512])
+    investigate(cop, <<-RUBY)
+      class Something
+        HASH = Digest::SHA256
+      end
+    RUBY
+    assert_equal 1, cop.offenses.count
+  end
+
+  def test_allow_lots_of_hashes
+    cop = make_cop(allowed: %w[SHA1 SHA256 SHA384 SHA512])
+    investigate(cop, <<-RUBY)
+      class Something
+        HASH = Digest::SHA1
+      end
+    RUBY
     assert_equal 0, cop.offenses.count
   end
 end
