diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
new file mode 100644
index 00000000..c826a55f
--- /dev/null
+++ b/rules/c/security/small-key-size-c.yml
@@ -0,0 +1,42 @@
+id: small-key-size-c
+language: c
+severity: warning
+message: >-
+ $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+ less than the recommended key size of 2048 bits.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A02:2021]: Cryptographic Failures
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [REFERENCES]
+ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+ has:
+ stopBy: end
+ kind: field_identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: number_literal
+ - kind: binary_expression
+ - kind: unary_expression
+ nthChild: 2
+ regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
diff --git a/rules/cpp/small-key-size-cpp.yml b/rules/cpp/small-key-size-cpp.yml
new file mode 100644
index 00000000..f4a69291
--- /dev/null
+++ b/rules/cpp/small-key-size-cpp.yml
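Review bot: The `message:` block refers to `$KEY_FUNCTION` and `$KEY_BITS`, but nothing under `rule:` binds either metavariable — every sub-rule is `kind`/`regex`/`nthChild` only — so, as far as I can tell, the finding will print those names literally, and the backtick right after `$KEY_FUNCTION` has no opening partner. To report the call and the literal, pair `pattern: $KEY_FUNCTION` with the `kind: identifier` sub-rule and `pattern: $KEY_BITS` with the `nthChild: 2` sub-rule (ast-grep allows `pattern` alongside `kind`/`regex` in one rule object; confirm against the version pinned here), or drop the placeholders from the message. The numeric `regex` admits only unsuffixed decimal forms, so `0x400`, `1024u` or `1024L` — all `number_literal` nodes for 1024 — pass silently, as does any size supplied through a macro or variable; a `note:` sentence such as `Only plain decimal literals below 2048 are detected; sizes from macros, variables or hex/suffixed literals are not.` keeps a clean scan from being read as proof of adequate key sizes. rules/cpp/small-key-size-cpp.yml in the next hunk has the same issues.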
@@ -0,0 +1,42 @@
+id: small-key-size-cpp
+language: cpp
+severity: warning
+message: >-
+ $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+ less than the recommended key size of 2048 bits.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A02:2021]: Cryptographic Failures
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [REFERENCES]
+ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+ has:
+ stopBy: end
+ kind: field_identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: number_literal
+ - kind: binary_expression
+ - kind: unary_expression
+ nthChild: 2
+ regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
index 56d09ba6..e577adf6 100644
--- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml
+++ b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
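Review bot: This rule lands at rules/cpp/small-key-size-cpp.yml while its C twin sits under rules/c/security/, and apart from `id:` and `language:` the two files are identical line for line, so the missing `security/` level on the cpp side looks unintentional — unless the cpp tree deliberately has no `security/` subdirectory, the path should be rules/cpp/security/small-key-size-cpp.yml so the two stay discoverable by the same convention. The remarks on the C rule about the unbound `$KEY_FUNCTION`/`$KEY_BITS` metavariables and the decimal-only size `regex` apply here unchanged.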
@@ -27,3 +27,12 @@ snapshots:
 style: primary
 start: 28
 end: 57
+ ? |
+ char *return_namespace_directly() {
+ return std::string("foo").c_str();
+ }
+ : labels:
+ - source: return std::string("foo").c_str();
+ style: primary
+ start: 38
+ end: 72
diff --git a/tests/__snapshots__/small-key-size-c-snapshot.yml b/tests/__snapshots__/small-key-size-c-snapshot.yml
new file mode 100644
index 00000000..75ad82af
--- /dev/null
+++ b/tests/__snapshots__/small-key-size-c-snapshot.yml
@@ -0,0 +1,23 @@
+id: small-key-size-c
+snapshots:
+ ? |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+ : labels:
+ - source: DH_generate_parameters_ex(NULL, 1024)
+ style: primary
+ start: 15
+ end: 52
+ - source: DH_generate_parameters_ex
+ style: secondary
+ start: 15
+ end: 40
+ - source: '1024'
+ style: secondary
+ start: 47
+ end: 51
+ - source: (NULL, 1024)
+ style: secondary
+ start: 40
+ end: 52
diff --git a/tests/__snapshots__/small-key-size-cpp-snapshot.yml b/tests/__snapshots__/small-key-size-cpp-snapshot.yml
new file mode 100644
index 00000000..b4051940
--- /dev/null
+++ b/tests/__snapshots__/small-key-size-cpp-snapshot.yml
@@ -0,0 +1,23 @@
+id: small-key-size-cpp
+snapshots:
+ ? |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+ : labels:
+ - source: DH_generate_parameters_ex(NULL, 1024)
+ style: primary
+ start: 15
+ end: 52
+ - source: DH_generate_parameters_ex
+ style: secondary
+ start: 15
+ end: 40
+ - source: '1024'
+ style: secondary
+ start: 47
+ end: 51
+ - source: (NULL, 1024)
+ style: secondary
+ start: 40
+ end: 52
diff --git a/tests/c/small-key-size-c-test.yml b/tests/c/small-key-size-c-test.yml
new file mode 100644
index 00000000..053e0974
--- /dev/null
+++ b/tests/c/small-key-size-c-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-c
+valid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 2049);
+ }
+
+invalid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+
+
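Review bot: The `valid:` and `invalid:` cases exercise only `DH_generate_parameters_ex` with 2049 and 1024, so none of the other six functions in the rule's regex is tested and the boundary the message promises — 2048 is acceptable — is unverified; `DH_generate_parameters_ex(NULL, 2048);` belongs in `valid:`. Adding `EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);` to `invalid:` and `RSA_generate_key_ex(rsa, 4096, e, NULL);` to `valid:` would also confirm that `nthChild: 2` selects the size argument on a four-argument call rather than something else. tests/cpp/small-key-size-cpp-test.yml in the next hunk has the same gaps.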
diff --git a/tests/cpp/small-key-size-cpp-test.yml b/tests/cpp/small-key-size-cpp-test.yml
new file mode 100644
index 00000000..25513102
--- /dev/null
+++ b/tests/cpp/small-key-size-cpp-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-cpp
+valid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 2049);
+ }
+
+invalid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+
+