no-null-cipher-java

ESS-ENN · ESS-ENN · commit 9911c160ee7d · 2025-02-06T11:11:56.000+05:30
diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,45 @@
+id: no-null-cipher-java
+severity: warning
+language: java
+message: >-
+      NullCipher was detected. This will not encrypt anything; the cipher
+      text will be the same as the plain text. Use a valid, secure cipher:
+      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+      for more information.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+
+ast-grep-essentials: true
+
+rule:
+ any:
+  - kind: local_variable_declaration
+    not:
+      any:
+       - has:
+           stopBy: end
+           kind: local_variable_declaration
+  - kind: expression_statement
+    not:
+      has:
+        stopBy: end
+        kind: local_variable_declaration
+  - kind: field_declaration
+ has:
+  stopBy: end
+  any:
+  - pattern: new NullCipher($$$)
+  - pattern: new javax.crypto.NullCipher($$$)
+ not:
+  all:
+  - inside:
+     stopBy: end
+     kind: ERROR
+  - has:
+      stopBy: end
+      kind: ERROR 
+       
+      
diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml
@@ -0,0 +1,14 @@
+id: no-null-cipher-java
+snapshots:
+  ? |
+    Cipher doNothingCihper = new NullCipher();
+    new javax.crypto.NullCipher();
+  : labels:
+    - source: Cipher doNothingCihper = new NullCipher();
+      style: primary
+      start: 0
+      end: 42
+    - source: new NullCipher()
+      style: secondary
+      start: 25
+      end: 41
diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml
@@ -0,0 +1,117 @@
+id: use-of-aes-ecb-java
+snapshots:
+  ? |
+    Cipher.getInstance("AES/ECB")
+  : labels:
+    - source: Cipher.getInstance("AES/ECB")
+      style: primary
+      start: 0
+      end: 29
+    - source: getInstance
+      style: secondary
+      start: 7
+      end: 18
+    - source: AES/ECB
+      style: secondary
+      start: 20
+      end: 27
+    - source: '"AES/ECB"'
+      style: secondary
+      start: 19
+      end: 28
+    - source: ("AES/ECB")
+      style: secondary
+      start: 18
+      end: 29
+  ? |
+    Cipher.getInstance("AES/ECB/ISO10126Padding")
+  : labels:
+    - source: Cipher.getInstance("AES/ECB/ISO10126Padding")
+      style: primary
+      start: 0
+      end: 45
+    - source: getInstance
+      style: secondary
+      start: 7
+      end: 18
+    - source: AES/ECB/ISO10126Padding
+      style: secondary
+      start: 20
+      end: 43
+    - source: '"AES/ECB/ISO10126Padding"'
+      style: secondary
+      start: 19
+      end: 44
+    - source: ("AES/ECB/ISO10126Padding")
+      style: secondary
+      start: 18
+      end: 45
+  ? |
+    Cipher.getInstance("AES/ECB/NoPadding")
+  : labels:
+    - source: Cipher.getInstance("AES/ECB/NoPadding")
+      style: primary
+      start: 0
+      end: 39
+    - source: getInstance
+      style: secondary
+      start: 7
+      end: 18
+    - source: AES/ECB/NoPadding
+      style: secondary
+      start: 20
+      end: 37
+    - source: '"AES/ECB/NoPadding"'
+      style: secondary
+      start: 19
+      end: 38
+    - source: ("AES/ECB/NoPadding")
+      style: secondary
+      start: 18
+      end: 39
+  ? |
+    Cipher.getInstance("AES/ECB/PKCS5Padding")
+  : labels:
+    - source: Cipher.getInstance("AES/ECB/PKCS5Padding")
+      style: primary
+      start: 0
+      end: 42
+    - source: getInstance
+      style: secondary
+      start: 7
+      end: 18
+    - source: AES/ECB/PKCS5Padding
+      style: secondary
+      start: 20
+      end: 40
+    - source: '"AES/ECB/PKCS5Padding"'
+      style: secondary
+      start: 19
+      end: 41
+    - source: ("AES/ECB/PKCS5Padding")
+      style: secondary
+      start: 18
+      end: 42
+  ? |
+    Cipher.getInstance("AES/ECB/PKCS7Padding")
+  : labels:
+    - source: Cipher.getInstance("AES/ECB/PKCS7Padding")
+      style: primary
+      start: 0
+      end: 42
+    - source: getInstance
+      style: secondary
+      start: 7
+      end: 18
+    - source: AES/ECB/PKCS7Padding
+      style: secondary
+      start: 20
+      end: 40
+    - source: '"AES/ECB/PKCS7Padding"'
+      style: secondary
+      start: 19
+      end: 41
+    - source: ("AES/ECB/PKCS7Padding")
+      style: secondary
+      start: 18
+      end: 42
diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml
@@ -0,0 +1,8 @@
+id: no-null-cipher-java
+valid:
+  - |
+    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+invalid:
+  - |
+    Cipher doNothingCihper = new NullCipher();
+    new javax.crypto.NullCipher();
