insecure-cipher-algorithm-rc4-python (#21)

ESS-ENN · web-flow · commit cbe37c4575e2 · 2024-10-21T18:59:35.000+03:00
diff --git a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml
@@ -0,0 +1,75 @@
+id: insecure-cipher-algorithm-rc4-python
+severity: warning
+language: python
+message: >-
+  Detected ARC4 cipher algorithm which is considered insecure. This
+  algorithm is not cryptographically secure and can be reversed easily. Use
+  secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block
+  cipher such as AES with a block size of 128 bits. When using a block
+  cipher, use a modern mode of operation that also provides authentication,
+  such as GCM.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://cwe.mitre.org/data/definitions/326.html
+      - https://www.pycryptodome.org/src/cipher/cipher
+utils:
+  MATCH_PATTERN_arc4.new:
+    kind: call
+    all:
+      - has:
+          stopBy: end
+          kind: attribute
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $X
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^new$"
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: identifier
+      - inside:
+          stopBy: end
+          kind: expression_statement
+          follows:
+            stopBy: end
+            kind: import_from_statement
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: dotted_name
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        regex: "^Crypto$|^Cryptodome$"
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        regex: "^Cipher$"
+              - has:
+                  stopBy: neighbor
+                  kind: aliased_import
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: dotted_name
+                        has:
+                          stopBy: neighbor
+                          kind: identifier
+                          regex: "^ARC4$"
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        pattern: $X
+
+rule:
+  kind: call
+  matches: MATCH_PATTERN_arc4.new
diff --git a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml
@@ -0,0 +1,64 @@
+id: insecure-cipher-algorithm-rc4-python
+snapshots:
+  ? "from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4\nfrom Crypto.Cipher import ARC4 as pycrypto_arc4\nkey = b'Very long and confidential key'\nnonce = Random.new().read(16)\ntempkey = SHA.new(key+nonce).digest()\ncipher = pycrypto_arc4.new(tempkey)\nmsg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL') \ncipher = pycryptodomex_arc4.new(tempkey)\nmsg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')\n"
+  : labels:
+    - source: pycrypto_arc4.new(tempkey)
+      style: primary
+      start: 222
+      end: 248
+    - source: pycrypto_arc4
+      style: secondary
+      start: 222
+      end: 235
+    - source: new
+      style: secondary
+      start: 236
+      end: 239
+    - source: pycrypto_arc4.new
+      style: secondary
+      start: 222
+      end: 239
+    - source: tempkey
+      style: secondary
+      start: 240
+      end: 247
+    - source: (tempkey)
+      style: secondary
+      start: 239
+      end: 248
+    - source: Crypto
+      style: secondary
+      start: 62
+      end: 68
+    - source: Cipher
+      style: secondary
+      start: 69
+      end: 75
+    - source: Crypto.Cipher
+      style: secondary
+      start: 62
+      end: 75
+    - source: ARC4
+      style: secondary
+      start: 83
+      end: 87
+    - source: ARC4
+      style: secondary
+      start: 83
+      end: 87
+    - source: pycrypto_arc4
+      style: secondary
+      start: 91
+      end: 104
+    - source: ARC4 as pycrypto_arc4
+      style: secondary
+      start: 83
+      end: 104
+    - source: from Crypto.Cipher import ARC4 as pycrypto_arc4
+      style: secondary
+      start: 57
+      end: 104
+    - source: cipher = pycrypto_arc4.new(tempkey)
+      style: secondary
+      start: 213
+      end: 248
diff --git a/tests/python/insecure-cipher-algorithm-rc4-python-test.yml b/tests/python/insecure-cipher-algorithm-rc4-python-test.yml
@@ -0,0 +1,22 @@
+id: insecure-cipher-algorithm-rc4-python
+valid:
+  - |
+    cipher = AES.new(key, AES.MODE_EAX, nonce=nonce)
+    plaintext = cipher.decrypt(ciphertext)
+    try:
+    cipher.verify(tag)
+    print("The message is authentic:", plaintext)
+    except ValueError:
+    print("Key incorrect or message corrupted")
+
+invalid:
+  - |
+    from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
+    from Crypto.Cipher import ARC4 as pycrypto_arc4
+    key = b'Very long and confidential key'
+    nonce = Random.new().read(16)
+    tempkey = SHA.new(key+nonce).digest()
+    cipher = pycrypto_arc4.new(tempkey)
+    msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL') 
+    cipher = pycryptodomex_arc4.new(tempkey)
+    msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
