mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Make non-path query for encryption only
This commit is contained in:
Owen Mansel-Chan
committed by
Owen Mansel-Chan
Owen Mansel-Chan
parent
f34a625ac2
commit
713e19f6f1
@@ -1,58 +0,0 @@
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for reasoning about
|
||||
* sensitive information in weak cryptographic algorithms,
|
||||
* as well as extension points for adding your own.
|
||||
*/
|
||||
|
||||
import go
|
||||
private import semmle.go.security.SensitiveActions
|
||||
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for reasoning about
|
||||
* sensitive information in weak cryptographic algorithms,
|
||||
* as well as extension points for adding your own.
|
||||
*/
|
||||
module BrokenCryptoAlgorithm {
|
||||
/**
|
||||
* A data flow source for sensitive information in broken or weak cryptographic algorithms.
|
||||
*/
|
||||
abstract class Source extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A data flow sink for sensitive information in broken or weak cryptographic algorithms.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::Node {
|
||||
/** Gets the data-flow node where the cryptographic algorithm used in this operation is configured. */
|
||||
abstract DataFlow::Node getInitialization();
|
||||
}
|
||||
|
||||
/**
|
||||
* A sanitizer for sensitive information in broken or weak cryptographic algorithms.
|
||||
*/
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A sensitive source.
|
||||
*/
|
||||
class SensitiveSource extends Source {
|
||||
SensitiveSource() { this.asExpr() instanceof SensitiveExpr }
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression used by a broken or weak cryptographic algorithm.
|
||||
*/
|
||||
class WeakCryptographicOperationSink extends Sink {
|
||||
CryptographicOperation application;
|
||||
|
||||
WeakCryptographicOperationSink() {
|
||||
(
|
||||
application.getAlgorithm().isWeak()
|
||||
or
|
||||
application.getBlockMode().isWeak()
|
||||
) and
|
||||
this = application.getAnInput()
|
||||
}
|
||||
|
||||
override DataFlow::Node getInitialization() { result = application.getInitialization() }
|
||||
}
|
||||
}
|
||||
@@ -1,43 +0,0 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `BrokenCryptoAlgorithm::Configuration` is needed, otherwise
|
||||
* `BrokenCryptoAlgorithmCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import go
|
||||
import BrokenCryptoAlgorithmCustomizations::BrokenCryptoAlgorithm
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may used in broken or weak cryptographic algorithms. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
private module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
|
||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
||||
result = sink.(Sink).getLocation()
|
||||
or
|
||||
result = sink.(Sink).getInitialization().getLocation()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking flow for sensitive information in broken or weak cryptographic algorithms.
|
||||
*/
|
||||
module BrokenCryptoAlgorithmFlow = TaintTracking::Global<BrokenCryptoAlgorithmConfig>;
|
||||
@@ -1,21 +1,33 @@
|
||||
/**
|
||||
* @name Use of a broken or weak cryptographic algorithm
|
||||
* @description Using broken or weak cryptographic algorithms can compromise security.
|
||||
* @kind path-problem
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id go/weak-crypto-algorithm
|
||||
* @id go/weak-cryptographic-algorithm
|
||||
* @tags security
|
||||
* external/cwe/cwe-327
|
||||
* external/cwe/cwe-328
|
||||
*/
|
||||
|
||||
import go
|
||||
import semmle.go.security.BrokenCryptoAlgorithmQuery
|
||||
import BrokenCryptoAlgorithmFlow::PathGraph
|
||||
|
||||
from BrokenCryptoAlgorithmFlow::PathNode source, BrokenCryptoAlgorithmFlow::PathNode sink
|
||||
where BrokenCryptoAlgorithmFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ is used in a weak cryptographic algorithm.",
|
||||
source.getNode(), "Sensitive data"
|
||||
from Cryptography::CryptographicOperation operation, string msgPrefix, DataFlow::Node init
|
||||
where
|
||||
init = operation.getInitialization() and
|
||||
// `init` may be a `BlockModeInit`, a `EncryptionAlgorithmInit`, or `operation` itself.
|
||||
(
|
||||
not init instanceof BlockModeInit and
|
||||
exists(Cryptography::CryptographicAlgorithm algorithm |
|
||||
algorithm = operation.getAlgorithm() and
|
||||
algorithm.isWeak() and
|
||||
msgPrefix = "The cryptographic algorithm " + algorithm.getName() and
|
||||
not algorithm instanceof Cryptography::HashingAlgorithm
|
||||
)
|
||||
or
|
||||
not init instanceof EncryptionAlgorithmInit and
|
||||
operation.getBlockMode().isWeak() and
|
||||
msgPrefix = "The block mode " + operation.getBlockMode()
|
||||
)
|
||||
select operation, "$@ is broken or weak, and should not be used.", init, msgPrefix
|
||||
|
||||
@@ -1,83 +1,29 @@
|
||||
#select
|
||||
| Crypto.go:36:21:36:28 | password | Crypto.go:36:21:36:28 | password | Crypto.go:36:21:36:28 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:36:21:36:28 | password | Sensitive data |
|
||||
| Crypto.go:41:22:41:29 | password | Crypto.go:41:22:41:29 | password | Crypto.go:41:22:41:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:41:22:41:29 | password | Sensitive data |
|
||||
| Crypto.go:46:22:46:29 | password | Crypto.go:46:22:46:29 | password | Crypto.go:46:22:46:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:46:22:46:29 | password | Sensitive data |
|
||||
| Crypto.go:51:22:51:29 | password | Crypto.go:51:22:51:29 | password | Crypto.go:51:22:51:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:51:22:51:29 | password | Sensitive data |
|
||||
| Crypto.go:56:22:56:29 | password | Crypto.go:56:22:56:29 | password | Crypto.go:56:22:56:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:56:22:56:29 | password | Sensitive data |
|
||||
| Crypto.go:61:32:61:39 | password | Crypto.go:61:32:61:39 | password | Crypto.go:61:32:61:39 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:61:32:61:39 | password | Sensitive data |
|
||||
| Crypto.go:66:30:66:37 | password | Crypto.go:66:30:66:37 | password | Crypto.go:66:30:66:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:66:30:66:37 | password | Sensitive data |
|
||||
| Crypto.go:68:59:68:83 | call to NewReader | Crypto.go:68:75:68:82 | password | Crypto.go:68:59:68:83 | call to NewReader | $@ is used in a weak cryptographic algorithm. | Crypto.go:68:75:68:82 | password | Sensitive data |
|
||||
| Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | Crypto.go:72:43:72:50 | password | Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | $@ is used in a weak cryptographic algorithm. | Crypto.go:72:43:72:50 | password | Sensitive data |
|
||||
| Crypto.go:78:30:78:37 | password | Crypto.go:78:30:78:37 | password | Crypto.go:78:30:78:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:78:30:78:37 | password | Sensitive data |
|
||||
| Crypto.go:83:30:83:37 | password | Crypto.go:83:30:83:37 | password | Crypto.go:83:30:83:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:83:30:83:37 | password | Sensitive data |
|
||||
| Crypto.go:91:21:91:33 | call to getPassword | Crypto.go:91:21:91:33 | call to getPassword | Crypto.go:91:21:91:33 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:91:21:91:33 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:96:22:96:34 | call to getPassword | Crypto.go:96:22:96:34 | call to getPassword | Crypto.go:96:22:96:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:96:22:96:34 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:101:22:101:34 | call to getPassword | Crypto.go:101:22:101:34 | call to getPassword | Crypto.go:101:22:101:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:101:22:101:34 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:106:22:106:29 | password | Crypto.go:106:22:106:29 | password | Crypto.go:106:22:106:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:106:22:106:29 | password | Sensitive data |
|
||||
| Crypto.go:111:22:111:29 | password | Crypto.go:111:22:111:29 | password | Crypto.go:111:22:111:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:111:22:111:29 | password | Sensitive data |
|
||||
| Crypto.go:116:32:116:44 | call to getPassword | Crypto.go:116:32:116:44 | call to getPassword | Crypto.go:116:32:116:44 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:116:32:116:44 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:121:30:121:42 | call to getPassword | Crypto.go:121:30:121:42 | call to getPassword | Crypto.go:121:30:121:42 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:121:30:121:42 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:123:59:123:88 | call to NewReader | Crypto.go:123:75:123:87 | call to getPassword | Crypto.go:123:59:123:88 | call to NewReader | $@ is used in a weak cryptographic algorithm. | Crypto.go:123:75:123:87 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | Crypto.go:127:43:127:55 | call to getPassword | Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | $@ is used in a weak cryptographic algorithm. | Crypto.go:127:43:127:55 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:133:30:133:37 | password | Crypto.go:133:30:133:37 | password | Crypto.go:133:30:133:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:133:30:133:37 | password | Sensitive data |
|
||||
| Crypto.go:138:30:138:37 | password | Crypto.go:138:30:138:37 | password | Crypto.go:138:30:138:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:138:30:138:37 | password | Sensitive data |
|
||||
| Crypto.go:198:22:198:34 | call to getPassword | Crypto.go:198:22:198:34 | call to getPassword | Crypto.go:198:22:198:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:198:22:198:34 | call to getPassword | Sensitive data |
|
||||
| Crypto.go:205:8:205:10 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:205:8:205:10 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
|
||||
| Crypto.go:206:10:206:12 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:206:10:206:12 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
|
||||
| Crypto.go:207:20:207:33 | passwordString | Crypto.go:207:20:207:33 | passwordString | Crypto.go:207:20:207:33 | passwordString | $@ is used in a weak cryptographic algorithm. | Crypto.go:207:20:207:33 | passwordString | Sensitive data |
|
||||
| Crypto.go:208:10:208:12 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:208:10:208:12 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
|
||||
| Crypto.go:210:17:210:19 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:210:17:210:19 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
|
||||
| Crypto.go:211:11:211:13 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:211:11:211:13 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
|
||||
edges
|
||||
| Crypto.go:68:75:68:82 | password | Crypto.go:68:59:68:83 | call to NewReader | provenance | MaD:1 |
|
||||
| Crypto.go:72:27:72:51 | call to NewReader | Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | provenance | MaD:2 |
|
||||
| Crypto.go:72:43:72:50 | password | Crypto.go:72:27:72:51 | call to NewReader | provenance | MaD:1 |
|
||||
| Crypto.go:123:75:123:87 | call to getPassword | Crypto.go:123:59:123:88 | call to NewReader | provenance | MaD:1 |
|
||||
| Crypto.go:127:27:127:56 | call to NewReader | Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | provenance | MaD:2 |
|
||||
| Crypto.go:127:43:127:55 | call to getPassword | Crypto.go:127:27:127:56 | call to NewReader | provenance | MaD:1 |
|
||||
| Crypto.go:202:9:202:16 | password | Crypto.go:205:8:205:10 | buf | provenance | |
|
||||
| Crypto.go:202:9:202:16 | password | Crypto.go:206:10:206:12 | buf | provenance | |
|
||||
| Crypto.go:202:9:202:16 | password | Crypto.go:208:10:208:12 | buf | provenance | |
|
||||
| Crypto.go:202:9:202:16 | password | Crypto.go:210:17:210:19 | buf | provenance | |
|
||||
| Crypto.go:202:9:202:16 | password | Crypto.go:211:11:211:13 | buf | provenance | |
|
||||
models
|
||||
| 1 | Summary: bytes; ; false; NewReader; ; ; Argument[0]; ReturnValue; taint; manual |
|
||||
| 2 | Summary: io; ; false; Copy; ; ; Argument[1]; Argument[0]; taint; manual |
|
||||
nodes
|
||||
| Crypto.go:36:21:36:28 | password | semmle.label | password |
|
||||
| Crypto.go:41:22:41:29 | password | semmle.label | password |
|
||||
| Crypto.go:46:22:46:29 | password | semmle.label | password |
|
||||
| Crypto.go:51:22:51:29 | password | semmle.label | password |
|
||||
| Crypto.go:56:22:56:29 | password | semmle.label | password |
|
||||
| Crypto.go:61:32:61:39 | password | semmle.label | password |
|
||||
| Crypto.go:66:30:66:37 | password | semmle.label | password |
|
||||
| Crypto.go:68:59:68:83 | call to NewReader | semmle.label | call to NewReader |
|
||||
| Crypto.go:68:75:68:82 | password | semmle.label | password |
|
||||
| Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | semmle.label | ctrStreamWriter [postupdate] |
|
||||
| Crypto.go:72:27:72:51 | call to NewReader | semmle.label | call to NewReader |
|
||||
| Crypto.go:72:43:72:50 | password | semmle.label | password |
|
||||
| Crypto.go:78:30:78:37 | password | semmle.label | password |
|
||||
| Crypto.go:83:30:83:37 | password | semmle.label | password |
|
||||
| Crypto.go:91:21:91:33 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:96:22:96:34 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:101:22:101:34 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:106:22:106:29 | password | semmle.label | password |
|
||||
| Crypto.go:111:22:111:29 | password | semmle.label | password |
|
||||
| Crypto.go:116:32:116:44 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:121:30:121:42 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:123:59:123:88 | call to NewReader | semmle.label | call to NewReader |
|
||||
| Crypto.go:123:75:123:87 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | semmle.label | ctrStreamWriter [postupdate] |
|
||||
| Crypto.go:127:27:127:56 | call to NewReader | semmle.label | call to NewReader |
|
||||
| Crypto.go:127:43:127:55 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:133:30:133:37 | password | semmle.label | password |
|
||||
| Crypto.go:138:30:138:37 | password | semmle.label | password |
|
||||
| Crypto.go:198:22:198:34 | call to getPassword | semmle.label | call to getPassword |
|
||||
| Crypto.go:202:9:202:16 | password | semmle.label | password |
|
||||
| Crypto.go:205:8:205:10 | buf | semmle.label | buf |
|
||||
| Crypto.go:206:10:206:12 | buf | semmle.label | buf |
|
||||
| Crypto.go:207:20:207:33 | passwordString | semmle.label | passwordString |
|
||||
| Crypto.go:208:10:208:12 | buf | semmle.label | buf |
|
||||
| Crypto.go:210:17:210:19 | buf | semmle.label | buf |
|
||||
| Crypto.go:211:11:211:13 | buf | semmle.label | buf |
|
||||
subpaths
|
||||
| encryption.go:30:2:30:36 | call to Encrypt | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:34:2:34:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:38:2:38:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:42:2:42:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:46:2:46:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:50:2:50:47 | call to CryptBlocks | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:54:2:54:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:56:22:56:91 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:59:21:59:68 | &... [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:59:22:59:68 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:59:22:59:68 | struct literal [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:60:10:60:24 | ctrStreamWriter [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:65:2:65:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:69:2:69:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
|
||||
| encryption.go:76:2:76:32 | call to Encrypt | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:80:2:80:38 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:84:2:84:38 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:88:2:88:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:92:2:92:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:96:2:96:43 | call to CryptBlocks | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:100:2:100:41 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:102:22:102:87 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:105:21:105:68 | &... [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:105:22:105:68 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:105:22:105:68 | struct literal [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:106:10:106:24 | ctrStreamWriter [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:111:2:111:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:115:2:115:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
|
||||
| encryption.go:166:2:166:33 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:166:2:166:33 | call to XORKeyStream | The cryptographic algorithm RC4 |
|
||||
|
||||
@@ -1,254 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/des"
|
||||
"crypto/md5"
|
||||
"crypto/rc4"
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
"crypto/sha3"
|
||||
"crypto/sha512"
|
||||
"io"
|
||||
"os"
|
||||
)
|
||||
|
||||
var dst []byte = make([]byte, 16)
|
||||
var password []byte = []byte("123456")
|
||||
|
||||
const passwordString string = "correct horse battery staple"
|
||||
|
||||
var public []byte = []byte("hello")
|
||||
|
||||
func getPassword() []byte {
|
||||
return []byte("123456")
|
||||
}
|
||||
|
||||
// Note that we do not alert on decryption as we may need to decrypt legacy formats
|
||||
|
||||
func BlockCipherDes() {
|
||||
// BAD, des is a weak crypto algorithm
|
||||
block, _ := des.NewCipher(nil)
|
||||
|
||||
block.Encrypt(dst, public) // $ CryptographicOperation="DES. init from line 33."
|
||||
block.Encrypt(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. init from line 33."
|
||||
block.Decrypt(dst, password)
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, public, nil) // $ CryptographicOperation="DES. init from line 33."
|
||||
gcm1.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. init from line 33."
|
||||
gcm1.Open(nil, nil, password, nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, public, nil) // $ CryptographicOperation="DES. init from line 33."
|
||||
gcm2.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. init from line 33."
|
||||
gcm2.Open(nil, nil, password, nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, public, nil) // $ CryptographicOperation="DES. init from line 33."
|
||||
gcm3.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. init from line 33."
|
||||
gcm3.Open(nil, nil, password, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, public, nil) // $ CryptographicOperation="DES. init from line 33."
|
||||
gcm4.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. init from line 33."
|
||||
gcm4.Open(nil, nil, password, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, public) // $ CryptographicOperation="DES. blockMode: CBC. init from lines 33,59."
|
||||
cbcEncrypter.CryptBlocks(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: CBC. init from lines 33,59."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, password)
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, public) // $ CryptographicOperation="DES. blockMode: CTR. init from lines 33,64."
|
||||
ctrStream.XORKeyStream(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 33,64."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(password)} // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 33,64."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ CryptographicOperation="DES. blockMode: CTR. init from lines 33,64."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(password)) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 33,64."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, public) // $ CryptographicOperation="DES. blockMode: CFB. init from lines 33,76."
|
||||
cfbStream.XORKeyStream(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: CFB. init from lines 33,76."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, password)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, public) // $ CryptographicOperation="DES. blockMode: OFB. init from lines 33,81."
|
||||
ofbStream.XORKeyStream(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="DES. blockMode: OFB. init from lines 33,81."
|
||||
}
|
||||
|
||||
func BlockCipherTripleDes() {
|
||||
// BAD, triple des is a weak crypto algorithm and password is sensitive data
|
||||
block, _ := des.NewTripleDESCipher(nil)
|
||||
|
||||
block.Encrypt(dst, public) // $ CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
block.Encrypt(dst, getPassword()) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
block.Decrypt(dst, getPassword())
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, public, nil) // $ CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm1.Seal(nil, nil, getPassword(), nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm1.Open(nil, nil, getPassword(), nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, public, nil) // $ CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm2.Seal(nil, nil, getPassword(), nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm2.Open(nil, nil, getPassword(), nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, public, nil) // $ CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm3.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm3.Open(nil, nil, password, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, public, nil) // $ CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm4.Seal(nil, nil, password, nil) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. init from line 88."
|
||||
gcm4.Open(nil, nil, password, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, public) // $ CryptographicOperation="TRIPLEDES. blockMode: CBC. init from lines 114,88."
|
||||
cbcEncrypter.CryptBlocks(dst, getPassword()) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CBC. init from lines 114,88."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, getPassword())
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, public) // $ CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 119,88."
|
||||
ctrStream.XORKeyStream(dst, getPassword()) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 119,88."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(getPassword())} // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 119,88."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 119,88."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(getPassword())) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 119,88."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, public) // $ CryptographicOperation="TRIPLEDES. blockMode: CFB. init from lines 131,88."
|
||||
cfbStream.XORKeyStream(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CFB. init from lines 131,88."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, password)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, public) // $ CryptographicOperation="TRIPLEDES. blockMode: OFB. init from lines 136,88."
|
||||
ofbStream.XORKeyStream(dst, password) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="TRIPLEDES. blockMode: OFB. init from lines 136,88."
|
||||
}
|
||||
|
||||
func BlockCipherAes() {
|
||||
// GOOD, aes is a strong crypto algorithm
|
||||
block, _ := aes.NewCipher(nil)
|
||||
|
||||
block.Encrypt(dst, public) // $ CryptographicOperation="AES. init from line 143."
|
||||
block.Encrypt(dst, password) // $ CryptographicOperation="AES. init from line 143."
|
||||
block.Decrypt(dst, password)
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, public, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm1.Seal(nil, nil, password, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm1.Open(nil, nil, password, nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, public, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm2.Seal(nil, nil, password, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm2.Open(nil, nil, password, nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, public, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm3.Seal(nil, nil, password, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm3.Open(nil, nil, password, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, public, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm4.Seal(nil, nil, password, nil) // $ CryptographicOperation="AES. init from line 143."
|
||||
gcm4.Open(nil, nil, password, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, public) // $ CryptographicOperation="AES. blockMode: CBC. init from lines 143,169."
|
||||
cbcEncrypter.CryptBlocks(dst, password) // $ CryptographicOperation="AES. blockMode: CBC. init from lines 143,169."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, password)
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, public) // $ CryptographicOperation="AES. blockMode: CTR. init from lines 143,174."
|
||||
ctrStream.XORKeyStream(dst, password) // $ CryptographicOperation="AES. blockMode: CTR. init from lines 143,174."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(password)} // $ CryptographicOperation="AES. blockMode: CTR. init from lines 143,174."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ CryptographicOperation="AES. blockMode: CTR. init from lines 143,174."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(password)) // $ CryptographicOperation="AES. blockMode: CTR. init from lines 143,174."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, public) // $ CryptographicOperation="AES. blockMode: CFB. init from lines 143,186."
|
||||
cfbStream.XORKeyStream(dst, password) // $ CryptographicOperation="AES. blockMode: CFB. init from lines 143,186."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, password)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, public) // $ CryptographicOperation="AES. blockMode: OFB. init from lines 143,191."
|
||||
ofbStream.XORKeyStream(dst, password) // $ CryptographicOperation="AES. blockMode: OFB. init from lines 143,191."
|
||||
}
|
||||
|
||||
func CipherRc4() {
|
||||
c, _ := rc4.NewCipher(nil)
|
||||
c.XORKeyStream(dst, getPassword()) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="RC4. init from line 198."
|
||||
}
|
||||
|
||||
func WeakHashes() {
|
||||
buf := password // $ Source
|
||||
|
||||
h := md5.New()
|
||||
h.Sum(buf) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="MD5. init from line 204."
|
||||
h.Write(buf) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="MD5. init from line 204."
|
||||
io.WriteString(h, passwordString) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="MD5. init from line 204."
|
||||
md5.Sum(buf) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="MD5. init from line 208."
|
||||
|
||||
sha1.New().Sum(buf) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="SHA1. init from line 210."
|
||||
sha1.Sum(buf) // $ Alert[go/weak-crypto-algorithm] CryptographicOperation="SHA1. init from line 211."
|
||||
}
|
||||
|
||||
func StrongHashes() {
|
||||
buf := password
|
||||
|
||||
sha256.New224().Sum(buf) // $ CryptographicOperation="SHA224. init from line 217."
|
||||
sha256.Sum224(buf) // $ CryptographicOperation="SHA224. init from line 218."
|
||||
|
||||
sha256.New().Sum(buf) // $ CryptographicOperation="SHA256. init from line 220."
|
||||
sha256.Sum256(buf) // $ CryptographicOperation="SHA256. init from line 221."
|
||||
|
||||
sha512.New().Sum(buf) // $ CryptographicOperation="SHA512. init from line 223."
|
||||
sha512.Sum512(buf) // $ CryptographicOperation="SHA512. init from line 224."
|
||||
|
||||
sha512.New384().Sum(buf) // $ CryptographicOperation="SHA384. init from line 226."
|
||||
sha512.Sum384(buf) // $ CryptographicOperation="SHA384. init from line 227."
|
||||
|
||||
sha512.New512_224().Sum(buf) // $ CryptographicOperation="SHA512224. init from line 229."
|
||||
sha512.Sum512_224(buf) // $ CryptographicOperation="SHA512224. init from line 230."
|
||||
|
||||
sha512.New512_256().Sum(buf) // $ CryptographicOperation="SHA512256. init from line 232."
|
||||
sha512.Sum512_256(buf) // $ CryptographicOperation="SHA512256. init from line 233."
|
||||
|
||||
sha3.New224().Sum(buf) // $ CryptographicOperation="SHA3224. init from line 235."
|
||||
sha3.Sum224(buf) // $ CryptographicOperation="SHA3224. init from line 236."
|
||||
|
||||
sha3.New256().Sum(buf) // $ CryptographicOperation="SHA3256. init from line 238."
|
||||
sha3.Sum256(buf) // $ CryptographicOperation="SHA3256. init from line 239."
|
||||
|
||||
sha3.New384().Sum(buf) // $ CryptographicOperation="SHA3384. init from line 241."
|
||||
sha3.Sum384(buf) // $ CryptographicOperation="SHA3384. init from line 242."
|
||||
|
||||
sha3.New512().Sum(buf) // $ CryptographicOperation="SHA3512. init from line 244."
|
||||
sha3.Sum512(buf) // $ CryptographicOperation="SHA3512. init from line 245."
|
||||
|
||||
sha3.NewSHAKE128().Write(buf) // $ CryptographicOperation="SHAKE128. init from line 247."
|
||||
sha3.NewCSHAKE128(nil, nil).Write(buf) // $ CryptographicOperation="SHAKE128. init from line 248."
|
||||
sha3.SumSHAKE128(buf, 100) // $ CryptographicOperation="SHAKE128. init from line 249."
|
||||
|
||||
sha3.NewSHAKE256().Write(buf) // $ CryptographicOperation="SHAKE256. init from line 251."
|
||||
sha3.NewCSHAKE256(nil, nil).Write(buf) // $ CryptographicOperation="SHAKE256. init from line 252."
|
||||
sha3.SumSHAKE256(buf, 100) // $ CryptographicOperation="SHAKE256. init from line 253."
|
||||
}
|
||||
167
go/ql/test/query-tests/Security/CWE-327/encryption.go
Normal file
167
go/ql/test/query-tests/Security/CWE-327/encryption.go
Normal file
@@ -0,0 +1,167 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/des"
|
||||
"crypto/rc4"
|
||||
"io"
|
||||
"os"
|
||||
)
|
||||
|
||||
var dst []byte = make([]byte, 16)
|
||||
var secretByteSlice []byte = []byte("")
|
||||
|
||||
const secretString string = ""
|
||||
|
||||
var public []byte = []byte("")
|
||||
|
||||
func getUserID() []byte {
|
||||
return []byte("")
|
||||
}
|
||||
|
||||
// Note that we do not alert on decryption as we may need to decrypt legacy formats
|
||||
|
||||
func BlockCipherDes() {
|
||||
// BAD, des is a weak crypto algorithm
|
||||
block, _ := des.NewCipher(nil)
|
||||
|
||||
block.Encrypt(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. init from line 28."
|
||||
block.Decrypt(dst, secretByteSlice)
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. init from line 28."
|
||||
gcm1.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. init from line 28."
|
||||
gcm2.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. init from line 28."
|
||||
gcm3.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. init from line 28."
|
||||
gcm4.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CBC. init from lines 28,49."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, secretByteSlice)
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 28,53."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(secretByteSlice)} // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 28,53."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 28,53."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(secretByteSlice)) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CTR. init from lines 28,53."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: CFB. init from lines 28,64."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, secretByteSlice)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="DES. blockMode: OFB. init from lines 28,68."
|
||||
}
|
||||
|
||||
func BlockCipherTripleDes() {
|
||||
// BAD, triple des is a weak crypto algorithm and secretByteSlice is sensitive data
|
||||
block, _ := des.NewTripleDESCipher(nil)
|
||||
|
||||
block.Encrypt(dst, getUserID()) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. init from line 74."
|
||||
block.Decrypt(dst, getUserID())
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, getUserID(), nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. init from line 74."
|
||||
gcm1.Open(nil, nil, getUserID(), nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, getUserID(), nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. init from line 74."
|
||||
gcm2.Open(nil, nil, getUserID(), nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. init from line 74."
|
||||
gcm3.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, secretByteSlice, nil) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. init from line 74."
|
||||
gcm4.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, getUserID()) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CBC. init from lines 74,95."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, getUserID())
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, getUserID()) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 74,99."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(getUserID())} // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 74,99."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 74,99."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(getUserID())) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CTR. init from lines 74,99."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: CFB. init from lines 110,74."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, secretByteSlice)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, secretByteSlice) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="TRIPLEDES. blockMode: OFB. init from lines 114,74."
|
||||
}
|
||||
|
||||
func BlockCipherAes() {
|
||||
// GOOD, aes is a strong crypto algorithm
|
||||
block, _ := aes.NewCipher(nil)
|
||||
|
||||
block.Encrypt(dst, secretByteSlice) // $ CryptographicOperation="AES. init from line 120."
|
||||
block.Decrypt(dst, secretByteSlice)
|
||||
|
||||
gcm1, _ := cipher.NewGCM(block)
|
||||
gcm1.Seal(nil, nil, secretByteSlice, nil) // $ CryptographicOperation="AES. init from line 120."
|
||||
gcm1.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm2, _ := cipher.NewGCMWithNonceSize(block, 12)
|
||||
gcm2.Seal(nil, nil, secretByteSlice, nil) // $ CryptographicOperation="AES. init from line 120."
|
||||
gcm2.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm3, _ := cipher.NewGCMWithRandomNonce(block)
|
||||
gcm3.Seal(nil, nil, secretByteSlice, nil) // $ CryptographicOperation="AES. init from line 120."
|
||||
gcm3.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
gcm4, _ := cipher.NewGCMWithTagSize(block, 12)
|
||||
gcm4.Seal(nil, nil, secretByteSlice, nil) // $ CryptographicOperation="AES. init from line 120."
|
||||
gcm4.Open(nil, nil, secretByteSlice, nil)
|
||||
|
||||
cbcEncrypter := cipher.NewCBCEncrypter(block, nil)
|
||||
cbcEncrypter.CryptBlocks(dst, secretByteSlice) // $ CryptographicOperation="AES. blockMode: CBC. init from lines 120,141."
|
||||
cipher.NewCBCDecrypter(block, nil).CryptBlocks(dst, secretByteSlice)
|
||||
|
||||
ctrStream := cipher.NewCTR(block, nil)
|
||||
ctrStream.XORKeyStream(dst, secretByteSlice) // $ CryptographicOperation="AES. blockMode: CTR. init from lines 120,145."
|
||||
|
||||
ctrStreamReader := &cipher.StreamReader{S: ctrStream, R: bytes.NewReader(secretByteSlice)} // $ CryptographicOperation="AES. blockMode: CTR. init from lines 120,145."
|
||||
io.Copy(os.Stdout, ctrStreamReader)
|
||||
|
||||
ctrStreamWriter := &cipher.StreamWriter{S: ctrStream, W: os.Stdout} // $ CryptographicOperation="AES. blockMode: CTR. init from lines 120,145."
|
||||
io.Copy(ctrStreamWriter, bytes.NewReader(secretByteSlice)) // $ CryptographicOperation="AES. blockMode: CTR. init from lines 120,145."
|
||||
|
||||
// deprecated
|
||||
|
||||
cfbStream := cipher.NewCFBEncrypter(block, nil)
|
||||
cfbStream.XORKeyStream(dst, secretByteSlice) // $ CryptographicOperation="AES. blockMode: CFB. init from lines 120,156."
|
||||
cipher.NewCFBDecrypter(block, nil).XORKeyStream(dst, secretByteSlice)
|
||||
|
||||
ofbStream := cipher.NewOFB(block, nil)
|
||||
ofbStream.XORKeyStream(dst, secretByteSlice) // $ CryptographicOperation="AES. blockMode: OFB. init from lines 120,160."
|
||||
}
|
||||
|
||||
func CipherRc4() {
|
||||
c, _ := rc4.NewCipher(nil)
|
||||
c.XORKeyStream(dst, getUserID()) // $ Alert[go/weak-cryptographic-algorithm] CryptographicOperation="RC4. init from line 166."
|
||||
}
|
||||
Reference in New Issue
Block a user