Rust: Add qhelp.

2025-12-17 01:03:14 +01:00 · 2024-12-05 17:28:45 +00:00
parent 6eb850c8cb
commit dd0fa791aa
3 changed files with 66 additions and 0 deletions
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -0,0 +1,62 @@
 <!DOCTYPE qhelp PUBLIC
 "-//Semmle//qhelp//EN"
 "qhelp.dtd">
 <qhelp>
     <overview>
          <p>
               Using broken or weak cryptographic algorithms can leave data
               vulnerable to being decrypted or forged by an attacker.
          </p>
          <p>
               Many cryptographic algorithms provided by cryptography
               libraries are known to be weak, or flawed. Using such an
               algorithm means that encrypted or hashed data is less
               secure than it appears to be.
          </p>
          <p>
               This query alerts on any use of a weak cryptographic algorithm, that is
               not a hashing algorithm. Use of broken or weak cryptographic hash
               functions are handled by the
               <code>rust/weak-sensitive-data-hashing</code> query.
          </p>
     </overview>
     <recommendation>
          <p>
               Ensure that you use a strong, modern cryptographic
               algorithm, such as AES-128 or RSA-2048.
          </p>
     </recommendation>
     <example>
          <p>
               The following code uses the <code>des</code> crate from the
               <code>RustCrypto</code> family to encrypt some secret data. The
               DES algorithm is old and considered very weak.
          </p>
          <sample src="BrokenCryptoAlgorithmBad.rs" />
          <p>
               Instead we should use a strong modern algorithm. In this
               case we have selected the 256-bit version of the AES
               algorithm.
          </p>
          <sample src="BrokenCryptoAlgorithmGood.rs" />
     </example>
     <references>
          <li>NIST, FIPS 140 Annex a: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf"> Approved Security Functions</a>.</li>
          <li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf"> Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
          <li>OWASP: <a
          href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms"> Cryptographic Storage Cheat Sheet - Algorithms</a>.
          </li>
     </references>
 </qhelp>
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs
@@ -0,0 +1,2 @@
 let des_cipher = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // BAD: weak encryption
 let encryption_result = des_cipher.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len);
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs
@@ -0,0 +1,2 @@
 let aes_cipher = cbc::Encryptor::<aes::Aes256>::new(key.into(), iv.into()); // GOOD: strong encryption
 let encryption_result = aes_cipher.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len);
		`@@ -0,0 +1,2 @@`
							`let des_cipher = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // BAD: weak encryption`
							`let encryption_result = des_cipher.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len);`
		`@@ -0,0 +1,2 @@`
							`let aes_cipher = cbc::Encryptor::<aes::Aes256>::new(key.into(), iv.into()); // GOOD: strong encryption`
							`let encryption_result = aes_cipher.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len);`