Ruby: qhelp for rb/weak-cryptographic-algorithm

2026-04-29 18:55:14 +02:00 · 2022-03-13 17:36:57 +00:00
parent 4234cfeeec
commit 446141ada3
2 changed files with 62 additions and 0 deletions
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Using broken or weak cryptographic algorithms can leave data
+      vulnerable to being decrypted or forged by an attacker.
+    </p>
+    <p>
+      Many cryptographic algorithms provided by cryptography
+      libraries are known to be weak, or flawed. Using such an
+      algorithm means that encrypted or hashed data is less
+      secure than it appears to be.
+    </p>
+  </overview>
+  <recommendation>
+    <p>
+      Ensure that you use a strong, modern cryptographic
+      algorithm, such as AES-128 or RSA-2048.
+    </p>
+  </recommendation>
+  <example>
+
+    <p>
+      The following code uses the <code>OpenSSL</code> library to encrypt some
+      secret data. When you create a cipher using <code>OpenSSL</code> you must
+      specify the encryption algorithm to use. The first example uses DES, which
+      is an older algorithm that is now considered weak. The second example uses
+      AES, which is a stronger modern algorithm.
+    </p>
+
+    <sample src="examples/broken_crypto.rb" />
+  </example>
+  <references>
+    <li>NIST, FIPS 140 Annex a: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf"> Approved Security Functions</a>.</li>
+    <li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf"> Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
+    <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption">Rule - Use strong approved cryptographic algorithms</a>.
+    </li>
+  </references>
+</qhelp>
--- a/ruby/ql/src/queries/security/cwe-327/examples/broken_crypto.rb
+++ b/ruby/ql/src/queries/security/cwe-327/examples/broken_crypto.rb
@@ -0,0 +1,21 @@
+require 'openssl'
+
+class Encryptor
+  attr_accessor :secret_key
+
+  def encrypt_message_weak(message)
+    cipher = OpenSSL::Cipher.new('des') # BAD: weak encryption
+    cipher.encrypt
+    cipher.key = secret_key
+    cipher.update(message)
+    cipher.final
+  end
+
+  def encrypt_message_strong(message)
+    cipher = OpenSSL::Cipher::AES128.new # GOOD: strong encryption
+    cipher.encrypt
+    cipher.key = secret_key
+    cipher.update(message)
+    cipher.final
+  end
+end