coderabbitai · ganeshpatro321 · Jan 20, 2025 · Dec 16, 2024 · Jan 6, 2025 · Jan 8, 2025
diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
@@ -0,0 +1,42 @@
+id: small-key-size-c
+language: c
+severity: warning
+message: >-
+    $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+    less than the recommended key size of 2048 bits.
+note: >-
+  [CWE-326]: Inadequate Encryption Strength
+  [OWASP A02:2021]: Cryptographic Failures
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [REFERENCES]
+       https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+    stopBy: end
+    kind: identifier
+    regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+    has:
+      stopBy: end
+      kind: field_identifier
+      regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+    stopBy: neighbor
+    kind: argument_list
+    has:
+      stopBy: neighbor
+      any:
+         - kind: number_literal
+         - kind: binary_expression
+         - kind: unary_expression
+      nthChild: 2
+      regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+      has:
+         stopBy: end
+         kind: ERROR
diff --git a/rules/cpp/small-key-size-cpp.yml b/rules/cpp/small-key-size-cpp.yml
@@ -0,0 +1,42 @@
+id: small-key-size-cpp
+language: cpp
+severity: warning
+message: >-
+    $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+    less than the recommended key size of 2048 bits.
+note: >-
+  [CWE-326]: Inadequate Encryption Strength
+  [OWASP A02:2021]: Cryptographic Failures
+  [OWASP A03:2017]: Sensitive Data Exposure
+  [REFERENCES]
+       https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+       https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+    stopBy: end
+    kind: identifier
+    regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+    has:
+      stopBy: end
+      kind: field_identifier
+      regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+    stopBy: neighbor
+    kind: argument_list
+    has:
+      stopBy: neighbor
+      any:
+         - kind: number_literal
+         - kind: binary_expression
+         - kind: unary_expression
+      nthChild: 2
+      regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+      has:
+         stopBy: end
+         kind: ERROR
diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
@@ -27,3 +27,12 @@ snapshots:
       style: primary
       start: 28
       end: 57
+  ? |
+    char *return_namespace_directly() {
+      return std::string("foo").c_str();
+    }
+  : labels:
+    - source: return std::string("foo").c_str();
+      style: primary
+      start: 38
+      end: 72
diff --git a/tests/__snapshots__/small-key-size-c-snapshot.yml b/tests/__snapshots__/small-key-size-c-snapshot.yml
@@ -0,0 +1,23 @@
+id: small-key-size-c
+snapshots:
+  ? |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 1024);
+    }
+  : labels:
+    - source: DH_generate_parameters_ex(NULL, 1024)
+      style: primary
+      start: 15
+      end: 52
+    - source: DH_generate_parameters_ex
+      style: secondary
+      start: 15
+      end: 40
+    - source: '1024'
+      style: secondary
+      start: 47
+      end: 51
+    - source: (NULL, 1024)
+      style: secondary
+      start: 40
+      end: 52
diff --git a/tests/__snapshots__/small-key-size-cpp-snapshot.yml b/tests/__snapshots__/small-key-size-cpp-snapshot.yml
@@ -0,0 +1,23 @@
+id: small-key-size-cpp
+snapshots:
+  ? |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 1024);
+    }
+  : labels:
+    - source: DH_generate_parameters_ex(NULL, 1024)
+      style: primary
+      start: 15
+      end: 52
+    - source: DH_generate_parameters_ex
+      style: secondary
+      start: 15
+      end: 40
+    - source: '1024'
+      style: secondary
+      start: 47
+      end: 51
+    - source: (NULL, 1024)
+      style: secondary
+      start: 40
+      end: 52
diff --git a/tests/c/small-key-size-c-test.yml b/tests/c/small-key-size-c-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-c
+valid:
+  - |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 2049);
+    }
+
+invalid:
+  - |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 1024);
+    }
+
+
diff --git a/tests/cpp/small-key-size-cpp-test.yml b/tests/cpp/small-key-size-cpp-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-cpp
+valid:
+  - |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 2049);
+    }
+
+invalid:
+  - |
+    void foo() {
+      DH_generate_parameters_ex(NULL, 1024);
+    }
+
+