insecure-cipher-algorithm-rc4-python

ESS-ENN · ESS-ENN · commit 7c10c881c22f · 2024-12-04T20:29:59.000+05:30
diff --git a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml
@@ -0,0 +1,85 @@
+id: insecure-cipher-algorithm-rc4-python
+severity: warning
+language: python
+message: >-
+      Detected ARC4 cipher algorithm which is considered insecure. This
+      algorithm is not cryptographically secure and can be reversed easily. Use
+      secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block
+      cipher such as AES with a block size of 128 bits. When using a block
+      cipher, use a modern mode of operation that also provides authentication,
+      such as GCM.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://cwe.mitre.org/data/definitions/326.html
+      - https://www.pycryptodome.org/src/cipher/cipher
+utils:
+  MATCH_PATTERN_arc4.new:
+    kind: call
+    all:
+      - has:
+          stopBy: end
+          kind: attribute
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $X
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: '^new$'
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: identifier
+      - inside:
+          stopBy: end
+          kind: expression_statement
+          follows:
+            stopBy: end
+            kind: import_from_statement
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: dotted_name
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        regex: '^Crypto$|^Cryptodome$'
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        regex: '^Cipher$'
+              - has:
+                  stopBy: neighbor
+                  kind: aliased_import
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: dotted_name
+                        has:
+                          stopBy: neighbor
+                          kind: identifier
+                          regex: '^ARC4$'
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        pattern: $X
+
+rule:
+  kind: call
+  any:
+    - matches: MATCH_PATTERN_arc4.new
+    - pattern: Cryptodome.Cipher.ARC4.new($$$)
+    - pattern: Crypto.Cipher.ARC4.new($$$)
+
+
+
+
+
+
+    
diff --git a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml
@@ -0,0 +1,157 @@
+id: insecure-cipher-algorithm-rc4-python
+snapshots:
+  ? |
+    Crypto.Cipher.ARC4.new()
+  : labels:
+    - source: Crypto.Cipher.ARC4.new()
+      style: primary
+      start: 0
+      end: 24
+  ? |
+    Crypto.Cipher.ARC4.new(adasfdasfs)
+  : labels:
+    - source: Crypto.Cipher.ARC4.new(adasfdasfs)
+      style: primary
+      start: 0
+      end: 34
+  ? |
+    Cryptodome.Cipher.ARC4.new()
+  : labels:
+    - source: Cryptodome.Cipher.ARC4.new()
+      style: primary
+      start: 0
+      end: 28
+  Cryptodome.Cipher.ARC4.new(asdsd):
+    labels:
+    - source: Cryptodome.Cipher.ARC4.new(asdsd)
+      style: primary
+      start: 0
+      end: 33
+  ? |
+    from Crypto.Cipher import ARC4 as pycrypto_arc4
+    cipher = pycrypto_arc4.new(tempkey)
+  : labels:
+    - source: pycrypto_arc4.new(tempkey)
+      style: primary
+      start: 57
+      end: 83
+    - source: pycrypto_arc4
+      style: secondary
+      start: 57
+      end: 70
+    - source: new
+      style: secondary
+      start: 71
+      end: 74
+    - source: pycrypto_arc4.new
+      style: secondary
+      start: 57
+      end: 74
+    - source: tempkey
+      style: secondary
+      start: 75
+      end: 82
+    - source: (tempkey)
+      style: secondary
+      start: 74
+      end: 83
+    - source: Crypto
+      style: secondary
+      start: 5
+      end: 11
+    - source: Cipher
+      style: secondary
+      start: 12
+      end: 18
+    - source: Crypto.Cipher
+      style: secondary
+      start: 5
+      end: 18
+    - source: ARC4
+      style: secondary
+      start: 26
+      end: 30
+    - source: ARC4
+      style: secondary
+      start: 26
+      end: 30
+    - source: pycrypto_arc4
+      style: secondary
+      start: 34
+      end: 47
+    - source: ARC4 as pycrypto_arc4
+      style: secondary
+      start: 26
+      end: 47
+    - source: from Crypto.Cipher import ARC4 as pycrypto_arc4
+      style: secondary
+      start: 0
+      end: 47
+    - source: cipher = pycrypto_arc4.new(tempkey)
+      style: secondary
+      start: 48
+      end: 83
+  ? |
+    from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
+    cipher = pycryptodomex_arc4.new(tempkey)
+  : labels:
+    - source: pycryptodomex_arc4.new(tempkey)
+      style: primary
+      start: 66
+      end: 97
+    - source: pycryptodomex_arc4
+      style: secondary
+      start: 66
+      end: 84
+    - source: new
+      style: secondary
+      start: 85
+      end: 88
+    - source: pycryptodomex_arc4.new
+      style: secondary
+      start: 66
+      end: 88
+    - source: tempkey
+      style: secondary
+      start: 89
+      end: 96
+    - source: (tempkey)
+      style: secondary
+      start: 88
+      end: 97
+    - source: Cryptodome
+      style: secondary
+      start: 5
+      end: 15
+    - source: Cipher
+      style: secondary
+      start: 16
+      end: 22
+    - source: Cryptodome.Cipher
+      style: secondary
+      start: 5
+      end: 22
+    - source: ARC4
+      style: secondary
+      start: 30
+      end: 34
+    - source: ARC4
+      style: secondary
+      start: 30
+      end: 34
+    - source: pycryptodomex_arc4
+      style: secondary
+      start: 38
+      end: 56
+    - source: ARC4 as pycryptodomex_arc4
+      style: secondary
+      start: 30
+      end: 56
+    - source: from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
+      style: secondary
+      start: 0
+      end: 56
+    - source: cipher = pycryptodomex_arc4.new(tempkey)
+      style: secondary
+      start: 57
+      end: 97
diff --git a/tests/python/insecure-cipher-algorithm-rc4-python-test.yml b/tests/python/insecure-cipher-algorithm-rc4-python-test.yml
@@ -0,0 +1,26 @@
+id: insecure-cipher-algorithm-rc4-python
+valid:
+  - |
+    cipher = AES.new(key, AES.MODE_EAX, nonce=nonce)
+    plaintext = cipher.decrypt(ciphertext)
+    try:
+    cipher.verify(tag)
+    print("The message is authentic:", plaintext)
+    except ValueError:
+    print("Key incorrect or message corrupted")
+    
+invalid:
+  - |
+    from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
+    cipher = pycryptodomex_arc4.new(tempkey)
+  - |
+    from Crypto.Cipher import ARC4 as pycrypto_arc4
+    cipher = pycrypto_arc4.new(tempkey)
+  - |
+     Crypto.Cipher.ARC4.new()
+  - |
+     Crypto.Cipher.ARC4.new(adasfdasfs)
+  - |
+     Cryptodome.Cipher.ARC4.new()
+  - |
+     Cryptodome.Cipher.ARC4.new(asdsd)
