use-of-rc4-java

Sakshis · Sakshis · commit 9d4c5fa72509 · 2024-12-16T07:24:37.000Z
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+  'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+      including stream cipher attacks and bit flipping attacks. Instead, use a
+      strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+      for more information.'
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance("RC4")
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+snapshots:
+  ? |
+    Cipher.getInstance("RC4");
+  : labels:
+    - source: Cipher.getInstance("RC4")
+      style: primary
+      start: 0
+      end: 25
+  ? |
+    useCipher(Cipher.getInstance("RC4"));
+  : labels:
+    - source: Cipher.getInstance("RC4")
+      style: primary
+      start: 10
+      end: 35
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+  - |
+    Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+  - |
+    Cipher.getInstance("RC4");
+  - |
+    useCipher(Cipher.getInstance("RC4"));
