Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java: Weak Cryptographic Algorithm from .properties files #14040

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

egregius313
Copy link
Contributor

This adds a new query to detect uses of weak cryptographic algorithms, where the algorithm name comes from a .properties file.

@egregius313 egregius313 force-pushed the egregius313/weak-hashing-properties branch from ce6f97f to b3d02af Compare August 23, 2023 14:07
@egregius313 egregius313 changed the title Weak Cryptographic Algorithm from .properties files Java: Weak Cryptographic Algorithm from .properties files Aug 23, 2023
@github-actions
Copy link
Contributor

QHelp previews:

java/ql/src/Security/CWE/CWE-328/WeakHashingProperty.qhelp

Weak Hashing Property

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.

Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.

Recommendation

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.

Example

The following code shows an example of using a java Cipher to encrypt some data. When creating a Cipher instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.

// BAD: DES is a weak algorithm 
Cipher des = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);

byte[] encrypted = cipher.doFinal(input.getBytes("UTF-8"));

// ...

// GOOD: AES is a strong algorithm
Cipher aes = Cipher.getInstance("AES");

// ...

References

@egregius313 egregius313 force-pushed the egregius313/weak-hashing-properties branch from 719d495 to 8cc13b0 Compare August 23, 2023 17:41
@egregius313 egregius313 force-pushed the egregius313/weak-hashing-properties branch from 8cc13b0 to 46ccc58 Compare August 23, 2023 17:46
@@ -0,0 +1,16 @@
package com.example;

import java.utils.Properties;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your integration test is failing because of this import:

[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] > Task :compileJava FAILED
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] (...) ql/java/ql/integration-tests/all-platforms/java/properties-files/weak-hashing/src/main/java/com/example/WeakHashing.java:3: error: package java.utils does not exist
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] import java.utils.Properties;
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild]                  ^
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] 1 error
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] FAILURE: Build failed with an exception.

It should be java.util.Properties.

Suggested change
import java.utils.Properties;
import java.util.Properties;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants