mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Crypto: altering all query IDs in examples to have "examples" in the ID, to make clear the query is not intended for production.
This commit is contained in:
REDMOND\brodes
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @name Weak AES Block mode
|
||||
* @id java/quantum/weak-block-modes
|
||||
* @id java/quantum/examples/weak-block-modes
|
||||
* @description An AES cipher is in use with an insecure block mode
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Weak hashes
|
||||
* @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
|
||||
* @id java/quantum/weak-hash
|
||||
* @id java/quantum/examples/weak-hash
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @tags external/cwe/cwe-327
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Weak known key derivation function iteration count
|
||||
* @description Detects key derivation operations with a known weak iteration count.
|
||||
* @id java/quantum/weak-kdf-iteration-count
|
||||
* @id java/quantum/examples/weak-kdf-iteration-count
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @tags quantum
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Weak known key derivation function output length
|
||||
* @description Detects key derivation operations with a known weak output length
|
||||
* @id java/quantum/weak-kdf-key-size
|
||||
* @id java/quantum/examples/weak-kdf-key-size
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @tags quantum
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Weak symmetric ciphers
|
||||
* @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak.
|
||||
* @id java/quantum/weak-ciphers
|
||||
* @id java/quantum/examples/weak-ciphers
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @tags external/cwe/cwe-327
|
||||
@@ -16,6 +16,9 @@ import Crypto::KeyOpAlg as KeyOpAlg
|
||||
from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType
|
||||
where
|
||||
algType = alg.getAlgorithmType() and
|
||||
// NOTE: an org may disallow all but AES we could similarly look for
|
||||
// algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
|
||||
// This is a more comprehensive check than looking for all weak ciphers
|
||||
(
|
||||
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or
|
||||
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/**
|
||||
* @name Operations with unknown algorithm
|
||||
* @description Outputs operations where the algorithm applied is unknown
|
||||
* @id java/quantum/slices/operation-with-unknown-algorithm
|
||||
* @id java/quantum/examples/slices/operation-with-unknown-algorithm
|
||||
* @kind problem
|
||||
* @severity info
|
||||
* @tags quantum
|
||||
|
||||
@@ -57,7 +57,7 @@ class BadMacUse {
|
||||
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
|
||||
Mac mac = Mac.getInstance("HmacSHA256");
|
||||
mac.init(macKey);
|
||||
byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/bad-mac-order-decrypt-to-mac]
|
||||
byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
|
||||
|
||||
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
|
||||
throw new SecurityException("MAC verification failed");
|
||||
@@ -77,7 +77,7 @@ class BadMacUse {
|
||||
// Encrypt the plaintext
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new SecureRandom());
|
||||
byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/bad-mac-order-encrypt-plaintext-also-in-mac]
|
||||
byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
|
||||
|
||||
// Concatenate ciphertext and MAC
|
||||
byte[] output = new byte[ciphertext.length + computedMac.length];
|
||||
|
||||
@@ -17,7 +17,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -30,7 +30,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -46,7 +46,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -62,7 +62,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -78,7 +78,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -94,7 +94,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
@@ -203,7 +203,7 @@ public class InsecureIVorNonceSource {
|
||||
SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
|
||||
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]]
|
||||
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]]
|
||||
cipher.update(plaintext);
|
||||
return cipher.doFinal();
|
||||
}
|
||||
|
||||
@@ -2,15 +2,15 @@ import java.security.*;
|
||||
public class InsufficientAsymmetricKeySize{
|
||||
public static void test() throws Exception{
|
||||
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
|
||||
keyPairGen1.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
|
||||
keyPairGen1.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
|
||||
keyPairGen1.generateKeyPair();
|
||||
|
||||
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
|
||||
keyPairGen2.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
|
||||
keyPairGen2.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
|
||||
keyPairGen2.generateKeyPair();
|
||||
|
||||
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
|
||||
keyPairGen3.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
|
||||
keyPairGen3.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
|
||||
keyPairGen3.generateKeyPair();
|
||||
|
||||
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
|
||||
|
||||
@@ -12,19 +12,19 @@ public class WeakHashing {
|
||||
props.load(new FileInputStream("example.properties"));
|
||||
|
||||
// BAD: Using a weak hashing algorithm even with a secure default
|
||||
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/weak-hash]
|
||||
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/examples/weak-hash]
|
||||
|
||||
// BAD: Using a weak hashing algorithm even with a secure default
|
||||
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/weak-hash]
|
||||
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/examples/weak-hash]
|
||||
|
||||
// BAD: Using a strong hashing algorithm but with a weak default
|
||||
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/weak-hash]
|
||||
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/examples/weak-hash]
|
||||
|
||||
// BAD: Using a weak hash
|
||||
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/weak-hash]
|
||||
MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/examples/weak-hash]
|
||||
|
||||
// BAD: Property does not exist and default (used value) is unknown
|
||||
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/unknown-hash]
|
||||
MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/examples/unknown-hash]
|
||||
|
||||
java.util.Properties props2 = new java.util.Properties();
|
||||
|
||||
@@ -32,13 +32,13 @@ public class WeakHashing {
|
||||
|
||||
// BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
|
||||
// FALSE NEGATIVE for unknown hash
|
||||
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/unknown-hash]
|
||||
MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
|
||||
|
||||
// GOOD: Using a strong hashing algorithm
|
||||
MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
|
||||
|
||||
// BAD?: Property does not exist (considered unknown) and but default is secure
|
||||
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/unknown-hash]
|
||||
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
|
||||
|
||||
// GOOD: Using a strong hashing algorithm
|
||||
MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
|
||||
|
||||
@@ -29,7 +29,7 @@ public class Test {
|
||||
public void pbkdf2LowIteration(String password) throws Exception {
|
||||
byte[] salt = generateSalt(16);
|
||||
int iterationCount = 10; // $Source
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/weak-kdf-iteration-count]
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/weak-kdf-iteration-count]
|
||||
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
|
||||
byte[] key = factory.generateSecret(spec).getEncoded();
|
||||
}
|
||||
@@ -42,7 +42,7 @@ public class Test {
|
||||
*/
|
||||
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $Source
|
||||
byte[] salt = generateSalt(16);
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/unknown-kdf-iteration-count]
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/unknown-kdf-iteration-count]
|
||||
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
|
||||
byte[] key = factory.generateSecret(spec).getEncoded();
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#select
|
||||
| Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount |
|
||||
testFailures
|
||||
| Test.java:45:94:45:145 | // $Alert[java/quantum/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/unknown-kdf-iteration-count] |
|
||||
| Test.java:45:94:45:145 | // $Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
|
||||
| Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert |
|
||||
|
||||
@@ -21,7 +21,7 @@ public class Test {
|
||||
byte[] salt = generateSalt(16);
|
||||
int iterationCount = 100_000;
|
||||
int keySize = 64; // $Source
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/weak-kdf-key-size]
|
||||
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/examples/weak-kdf-key-size]
|
||||
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
|
||||
byte[] key = factory.generateSecret(spec).getEncoded();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user