Commit 2024633

ESS-ENNSakshis and Sakshis authored
Add Java security rules to detect ECB mode and MD5 hashing (#160)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* use-of-md5-java
* ecb-cipher-java

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent dcafc76 commit 2024633

File tree: 6 files changed, +275 −0 lines changed

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
id: ecb-cipher-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Cipher in ECB mode is detected. ECB mode produces the same output for
6+
the same input each time which allows an attacker to intercept and replay
7+
the data. Further, ECB mode does not provide any integrity checking. See
8+
https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
9+
note: >-
10+
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
13+
14+
ast-grep-essentials: true
15+
16+
rule:
17+
kind: local_variable_declaration
18+
all:
19+
- has:
20+
kind: type_identifier
21+
regex: ^Cipher$
22+
- has:
23+
kind: variable_declarator
24+
all:
25+
- has:
26+
kind: identifier
27+
- has:
28+
kind: method_invocation
29+
all:
30+
- has:
31+
kind: identifier
32+
regex: ^getInstance$
33+
- has:
34+
kind: argument_list
35+
has:
36+
pattern: $MODE
37+
nthChild:
38+
position: 1
39+
ofRule:
40+
not:
41+
kind: line_comment
42+
not:
43+
has:
44+
nthChild:
45+
position: 2
46+
ofRule:
47+
not:
48+
kind: line_comment
49+
50+
constraints:
51+
MODE:
52+
regex: .*ECB.*
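Review bot: The rule only fires on a `local_variable_declaration` whose declared type is literally `Cipher`, so the same `Cipher.getInstance("AES/ECB/NoPadding")` call assigned to a field, returned directly, passed as an argument, or declared as `javax.crypto.Cipher`/`var` is not reported, and the `not: has: nthChild: position: 2` clause additionally excludes the two-argument form `Cipher.getInstance("AES/ECB/NoPadding", provider)`, which is the same ECB cipher. Matching the `method_invocation` itself (as the `use-of-md5-java` rule in this commit does) and dropping the second-argument exclusion would close those gaps. Two smaller points: JCA transformation strings are case-insensitive, so the constraint should be `(?i).*ECB.*`; and the message's claim that ECB "allows an attacker to intercept and replay the data" describes a transport problem rather than ECB's actual weakness, which is that identical plaintext blocks encrypt to identical ciphertext blocks (leaking structure) and that blocks can be reordered or swapped without detection. Wording the message that way keeps the finding accurate for the developer reading it.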
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
id: use-of-md5-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Detected MD5 hash algorithm which is considered insecure. MD5 is not
6+
collision resistant and is therefore not suitable as a cryptographic
7+
signature. Use HMAC instead.
8+
note: >-
9+
[CWE-328] Use of Weak Hash.
10+
[REFERENCES]
11+
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
12+
13+
ast-grep-essentials: true
14+
15+
rule:
16+
any:
17+
- kind: string_literal
18+
- kind: character_literal
19+
pattern: $ALGO
20+
nthChild:
21+
position: 1
22+
ofRule:
23+
not:
24+
kind: line_comment
25+
inside:
26+
stopBy: end
27+
any:
28+
- kind: method_invocation
29+
all:
30+
- has:
31+
kind: identifier
32+
regex: ^MessageDigest$
33+
nthChild: 1
34+
- has:
35+
kind: identifier
36+
regex: ^getInstance$
37+
nthChild: 2
38+
- has:
39+
kind: argument_list
40+
nthChild: 3
41+
all:
42+
- has:
43+
pattern: $ALGO
44+
not:
45+
precedes:
46+
stopBy: end
47+
pattern: $ALGO
48+
nthChild:
49+
position: 1
50+
ofRule:
51+
not:
52+
kind: line_comment
53+
- inside:
54+
stopBy: end
55+
follows:
56+
stopBy: end
57+
kind: import_declaration
58+
pattern: import java.security.MessageDigest;
59+
- inside:
60+
stopBy: end
61+
any:
62+
- kind: expression_statement
63+
- kind: variable_declarator
64+
- kind: method_invocation
65+
all:
66+
- has:
67+
kind: field_access
68+
regex: ^java.security.MessageDigest$
69+
nthChild: 1
70+
- has:
71+
kind: identifier
72+
regex: ^getInstance$
73+
nthChild: 2
74+
- has:
75+
kind: argument_list
76+
nthChild: 3
77+
all:
78+
- has:
79+
pattern: $ALGO
80+
nthChild:
81+
position: 1
82+
ofRule:
83+
not:
84+
kind: line_comment
85+
- inside:
86+
stopBy: end
87+
follows:
88+
stopBy: end
89+
kind: import_declaration
90+
pattern: import java.security.MessageDigest;
91+
- inside:
92+
stopBy: end
93+
any:
94+
- kind: expression_statement
95+
- kind: variable_declarator
96+
not:
97+
has:
98+
stopBy: end
99+
kind: ERROR
100+
constraints:
101+
ALGO:
102+
any:
103+
- kind: character_literal
104+
regex: ^'MD5
105+
- kind: string_literal
106+
has:
107+
kind: string_fragment
108+
regex: ^MD5
109+
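Review bot: "Use HMAC instead" in the message is not a correct remediation: HMAC is a keyed MAC, not a drop-in replacement for a digest, and the right replacement depends on what the MD5 call is for (SHA-256 for integrity digests; PBKDF2, bcrypt or Argon2 for the `password` case the fixture shows; HMAC only where keyed authentication is wanted). Suggest "Use SHA-256 or stronger; for password storage use a dedicated password hashing function." On the matching logic: JCA algorithm names are case-insensitive, so `MessageDigest.getInstance("md5")` slips past the `^MD5` constraints; `(?i)^MD5$` covers it. The first `any` branch requires the exact `import java.security.MessageDigest;` to precede the call, so a wildcard `import java.security.*;` goes unreported, and the `character_literal` alternative with `regex: ^'MD5` is dead code, since `'MD5'` is not a valid Java char literal and can only appear as a parse error.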
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
id: ecb-cipher-java
2+
snapshots:
3+
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");:
4+
labels:
5+
- source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
6+
style: primary
7+
start: 0
8+
end: 51
9+
- source: Cipher
10+
style: secondary
11+
start: 0
12+
end: 6
13+
- source: c
14+
style: secondary
15+
start: 7
16+
end: 8
17+
- source: getInstance
18+
style: secondary
19+
start: 18
20+
end: 29
21+
- source: '"AES/ECB/NoPadding"'
22+
style: secondary
23+
start: 30
24+
end: 49
25+
- source: ("AES/ECB/NoPadding")
26+
style: secondary
27+
start: 29
28+
end: 50
29+
- source: Cipher.getInstance("AES/ECB/NoPadding")
30+
style: secondary
31+
start: 11
32+
end: 50
33+
- source: c = Cipher.getInstance("AES/ECB/NoPadding")
34+
style: secondary
35+
start: 7
36+
end: 50
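Review bot: The snapshot records only the single-argument, local-variable form, so none of the rule's boundaries (provider argument, field assignment, `var`) are visible here. Fine as a first snapshot, but a second one for `Cipher.getInstance("AES/ECB/PKCS5Padding", "SunJCE")` would make the rule's current exclusion of the two-argument form explicit in review instead of implicit.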
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
id: use-of-md5-java
2+
snapshots:
3+
? |
4+
import java.security.MessageDigest;
5+
6+
public class Bad{
7+
public byte[] bad1(String password) {
8+
MessageDigest md5Digest = MessageDigest.getInstance("MD5");
9+
}
10+
}
11+
: labels:
12+
- source: '"MD5"'
13+
style: primary
14+
start: 151
15+
end: 156
16+
- source: MessageDigest
17+
style: secondary
18+
start: 125
19+
end: 138
20+
- source: getInstance
21+
style: secondary
22+
start: 139
23+
end: 150
24+
- source: '"MD5"'
25+
style: secondary
26+
start: 151
27+
end: 156
28+
- source: ("MD5")
29+
style: secondary
30+
start: 150
31+
end: 157
32+
- source: import java.security.MessageDigest;
33+
style: secondary
34+
start: 0
35+
end: 35
36+
- source: import java.security.MessageDigest;
37+
style: secondary
38+
start: 0
39+
end: 35
40+
- source: md5Digest = MessageDigest.getInstance("MD5")
41+
style: secondary
42+
start: 113
43+
end: 157
44+
- source: MessageDigest.getInstance("MD5")
45+
style: secondary
46+
start: 125
47+
end: 157
48+
- source: MD5
49+
style: secondary
50+
start: 152
51+
end: 155
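Review bot: The label list contains `import java.security.MessageDigest;` twice with identical offsets (start 0, end 35). That is harmless for the snapshot, but it is worth a quick check that the duplicate is expected rather than a sign that two of the rule's relational clauses overlap on the same node. The fixture is also not compilable Java: `bad1` declares `byte[]` but has no `return`, and `getInstance` throws the checked `NoSuchAlgorithmException`, which is neither caught nor declared. Tree-sitter tolerates this, but since the rule carries a `not: has: kind: ERROR` guard, fixtures that parse cleanly are the safer baseline; `return md5Digest.digest(password.getBytes());` plus a `throws` clause fixes both.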

tests/java/ecb-cipher-java-test.yml

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
id: ecb-cipher-java
2+
valid:
3+
- |
4+
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
5+
invalid:
6+
- |
7+
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
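Review bot: One `valid` and one `invalid` case is thin for a rule with this many exclusions. Two cases worth adding: `Cipher.getInstance("AES")` (SunJCE resolves the bare algorithm name to AES/ECB/PKCS5Padding, so it is ECB too; the `.*ECB.*` constraint does not flag it as written, and a test pins down whichever behaviour is intended), and the provider form `Cipher.getInstance("AES/ECB/NoPadding", "SunJCE")`, which the rule's `nthChild: position: 2` clause currently excludes. A `valid` case with the call inside a comment, e.g. `// Cipher c = Cipher.getInstance("AES/ECB/NoPadding");`, would also exercise the `line_comment` exclusions the rule carries.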

tests/java/use-of-md5-java-test.yml

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
id: use-of-md5-java
2+
valid:
3+
- |
4+
import java.security.MessageDigest;
5+
6+
public class Bad{
7+
public byte[] bad1(String password) {
8+
MessageDigest md5Digest = MessageDigest.getInstance("SHA1");
9+
}
10+
}
11+
12+
invalid:
13+
- |
14+
import java.security.MessageDigest;
15+
16+
public class Bad{
17+
public byte[] bad1(String password) {
18+
MessageDigest md5Digest = MessageDigest.getInstance("MD5");
19+
}
20+
}
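Review bot: The `valid` fixture uses `"SHA1"` as the non-matching algorithm. It is valid for this rule, but SHA-1 is itself deprecated for collision resistance, so the fixture reads as an endorsement; `"SHA-256"` makes the same point without that. Both fixtures are non-compiling Java (`bad1` returns `byte[]` with no `return`, and the checked `NoSuchAlgorithmException` is neither caught nor declared); tree-sitter parses them, but it is cheap to make them compile. Missing `invalid` cases: lowercase `"md5"` (JCA algorithm lookups are case-insensitive) and the wildcard-import form `import java.security.*;`, neither of which the rule as written reports; adding them as `invalid` cases will fail until the rule is widened, which is the right pressure.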
