Add query help examples

owen-mc · owen-mc · commit 8d7b2757bfec · 2025-11-19T14:36:26.000Z
diff --git a/go/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/go/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -28,10 +28,10 @@
      <example>
 
           <p>
-               The following code uses the different packages to encrypt/hash 
-               some secret data. The first few examples uses DES, MD5, RC4, and SHA1, 
-               which are older algorithms that are now considered weak. The following
-               examples use AES and SHA256, which are stronger, more modern algorithms.
+               The following code uses the different packages to encrypt
+               some secret data. The first example uses DES,
+               which is an older algorithm that is now considered weak. The following
+               example uses AES, which is a stronger, more modern algorithm.
           </p>
 
           <sample src="examples/Crypto.go" />
diff --git a/go/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp b/go/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
@@ -65,35 +65,28 @@
 
           <p>
                The following example shows two functions for checking whether the hash
-               of a certificate matches a known value -- to prevent tampering.
+               of a secret matches a known value.
 
-               The first function uses MD5 that is known to be vulnerable to collision attacks.
+               The first function uses SHA-1 that is known to be vulnerable to collision attacks.
 
                The second function uses SHA-256 that is a strong cryptographic hashing function.
           </p>
 
-          <sample src="examples/weak_certificate_hashing.rb" />
+          <sample src="examples/WeakSecretHashing.go" />
 
      </example>
      <example>
           <p>
                The following example shows two functions for hashing passwords.
 
-               The first function uses SHA-256 to hash passwords. Although SHA-256 is a
-               strong cryptographic hash function, it is not suitable for password
+               The first example uses SHA-256 to hash passwords. Although
+               SHA-256 is a strong cryptographic hash function, it is not suitable for password
                hashing since it is not computationally expensive.
-          </p>
-
-          <sample src="examples/weak_password_hashing_bad.rb" />
 
-
-          <p>
-               The second function uses Argon2 (through the <code>argon2</code>
-               gem), which is a strong password hashing algorithm (and
-               includes a per-password salt by default).
+               The second function uses PBKDF2, which is a strong password hashing algorithm.
           </p>
 
-          <sample src="examples/weak_password_hashing_good.rb" />
+          <sample src="examples/WeakPasswordHashing.go" />
 
      </example>
 
diff --git a/go/ql/src/Security/CWE-327/examples/Crypto.go b/go/ql/src/Security/CWE-327/examples/Crypto.go
@@ -3,51 +3,18 @@ package main
 import (
 	"crypto/aes"
 	"crypto/des"
-	"crypto/md5"
-	"crypto/rc4"
-	"crypto/sha1"
-	"crypto/sha256"
 )
 
-func main() {
-	public := []byte("hello")
-
-	password := []byte("123456")
-	buf := password // testing dataflow by passing into different variable
-
-	// BAD, des is a weak crypto algorithm and password is sensitive data
-	des.NewTripleDESCipher(buf)
-
-	// BAD, md5 is a weak crypto algorithm and password is sensitive data
-	md5.Sum(buf)
-
-	// BAD, rc4 is a weak crypto algorithm and password is sensitive data
-	rc4.NewCipher(buf)
-
-	// BAD, sha1 is a weak crypto algorithm and password is sensitive data
-	sha1.Sum(buf)
-
-	// GOOD, password is sensitive data but aes is a strong crypto algorithm
-	aes.NewCipher(buf)
-
-	// GOOD, password is sensitive data but sha256 is a strong crypto algorithm
-	sha256.Sum256(buf)
-
-	// GOOD, des is a weak crypto algorithm but public is not sensitive data
-	des.NewTripleDESCipher(public)
-
-	// GOOD, md5 is a weak crypto algorithm but public is not sensitive data
-	md5.Sum(public)
-
-	// GOOD, rc4 is a weak crypto algorithm but public is not sensitive data
-	rc4.NewCipher(public)
-
-	// GOOD, sha1 is a weak crypto algorithm but public is not sensitive data
-	sha1.Sum(public)
-
-	// GOOD, aes is a strong crypto algorithm and public is not sensitive data
-	aes.NewCipher(public)
+func EncryptMessageWeak(key []byte, message []byte) (dst []byte) {
+	// BAD, DES is a weak crypto algorithm
+	block, _ := des.NewCipher(key)
+	block.Encrypt(dst, message)
+	return
+}
 
-	// GOOD, sha256 is a strong crypto algorithm and public is not sensitive data
-	sha256.Sum256(public)
+func EncryptMessageStrong(key []byte, message []byte) (dst []byte) {
+	// GOOD, AES is a weak crypto algorithm
+	block, _ := aes.NewCipher(key)
+	block.Encrypt(dst, message)
+	return
 }
diff --git a/go/ql/src/Security/CWE-327/examples/WeakPasswordHashing.go b/go/ql/src/Security/CWE-327/examples/WeakPasswordHashing.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"crypto/pbkdf2"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+)
+
+func GetPasswordHashBad(password string) [32]byte {
+	// BAD, SHA256 is a strong hashing algorithm but it is not computationally expensive
+	return sha256.Sum256([]byte(password))
+}
+
+func GetPasswordHashGood(password string) []byte {
+	// GOOD, PBKDF2 is a strong hashing algorithm and it is computationally expensive
+	salt := make([]byte, 16)
+	rand.Read(salt)
+	key, _ := pbkdf2.Key(sha512.New, password, salt, 4096, 32)
+	return key
+}
diff --git a/go/ql/src/Security/CWE-327/examples/WeakSecretHashing.go b/go/ql/src/Security/CWE-327/examples/WeakSecretHashing.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"slices"
+)
+
+func SecretMatchesKnownHashBad(secret []byte, known_hash []byte) bool {
+	// BAD, SHA1 is a weak crypto algorithm and secret is sensitive data
+	h := sha1.New()
+	return slices.Equal(h.Sum(secret), known_hash)
+}
+
+func SecretMatchesKnownHashGood(secret []byte, known_hash []byte) bool {
+	// GOOD, SHA256 is a strong hashing algorithm
+	h := sha256.New()
+	return slices.Equal(h.Sum(secret), known_hash)
+}
