Merge pull request #338 from microsoft/copilot/update-powershell-weak-hashes

Add Get-FileHash weak hash algorithm detection to powershell/weak-hashes query

Author: chanel-y

powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptographyModule.qll

@@ -100,6 +100,18 @@ class HashAlgorithmCreateFromNameCall extends HashAlgorithm, CryptoAlgorithmCrea
   override string getName() { result = algName }
 }
 
+class GetFileHashWeakAlgorithm extends HashAlgorithm, DataFlow::CallNode {
+  string algName;
+
+  GetFileHashWeakAlgorithm() {
+    this.matchesName("Get-FileHash") and
+    algName = this.getNamedArgument("algorithm").asExpr().getValue().asString().toLowerCase() and
+    isHashingAlgorithm(algName)
+  }
+
+  override string getName() { result = algName }
+}
+
 class SymmetricAlgorithmObjectCreation extends SymmetricAlgorithm, CryptoAlgorithmObjectCreation {
   string algName;
 

powershell/ql/src/queries/security/cwe-327/WeakHashes.qhelp

@@ -17,6 +17,11 @@
       or SHA-512. For password hashing, consider using a specialized password hashing function
       like PBKDF2, bcrypt, or Argon2.
     </p>
+    <p>
+      When using the <code>Get-FileHash</code> cmdlet, avoid specifying <code>-Algorithm MD5</code>
+      or <code>-Algorithm SHA1</code>. Instead, use <code>-Algorithm SHA256</code> (the default),
+      <code>-Algorithm SHA384</code>, or <code>-Algorithm SHA512</code>.
+    </p>
   </recommendation>
 
   <references>

powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.expected

@@ -6,3 +6,5 @@
 | test.ps1:19:6:19:100 | Call to createfromname | Use of weak cryptographic hash algorithm: md5. |
 | test.ps1:20:6:20:72 | Call to createfromname | Use of weak cryptographic hash algorithm: sha1. |
 | test.ps1:21:6:21:101 | Call to createfromname | Use of weak cryptographic hash algorithm: sha1. |
+| test.ps1:25:1:25:47 | Call to get-filehash | Use of weak cryptographic hash algorithm: md5. |
+| test.ps1:28:1:28:48 | Call to get-filehash | Use of weak cryptographic hash algorithm: sha1. |

powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1

@@ -21,6 +21,12 @@ $o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("SHA1")
 $o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.SHA1")
 
 
+# BAD: Using Get-FileHash with MD5
+Get-FileHash -Path "C:\file.txt" -Algorithm MD5
+
+# BAD: Using Get-FileHash with SHA1
+Get-FileHash -Path "C:\file.txt" -Algorithm SHA1
+
 # ---------------------------------------------------------
 # GOOD: Safe usage of cryptographically secure algorithms
 # ---------------------------------------------------------
@@ -44,3 +50,15 @@ $sha384Hash = $sha384.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("passwor
 # GOOD: Using SHA512
 $sha512 = [System.Security.Cryptography.SHA512]::Create()
 $sha512Hash = $sha512.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
+
+# GOOD: Using Get-FileHash with SHA256
+Get-FileHash -Path "C:\file.txt" -Algorithm SHA256
+
+# GOOD: Using Get-FileHash with SHA384
+Get-FileHash -Path "C:\file.txt" -Algorithm SHA384
+
+# GOOD: Using Get-FileHash with SHA512
+Get-FileHash -Path "C:\file.txt" -Algorithm SHA512
+
+# GOOD: Using Get-FileHash without specifying algorithm (defaults to SHA256)
+Get-FileHash -Path "C:\file.txt"