Java: Weak Cryptographic Algorithm from .properties files
#14040
base: main
QHelp preview: java/ql/src/Security/CWE/CWE-328/WeakHashingProperty.qhelp

Weak Hashing Property

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted. Many cryptographic algorithms provided by cryptography libraries are known to be weak or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.

Recommendation

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode, since it is vulnerable to replay and other attacks.

Example

The following code shows an example of using a

```java
// BAD: DES is a weak algorithm
Cipher des = Cipher.getInstance("DES");
des.init(Cipher.ENCRYPT_MODE, secretKeySpec);
byte[] encrypted = des.doFinal(input.getBytes("UTF-8"));
// ...
// GOOD: AES is a strong algorithm
Cipher aes = Cipher.getInstance("AES");
// ...
```

References
| @@ -0,0 +1,16 @@ | |||
| package com.example; | |||
|
|
|||
| import java.utils.Properties; | |||
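Review bot: `import java.utils.Properties;` does not compile, because there is no `java.utils` package in the JDK; the class lives in `java.util`, so this line should read `import java.util.Properties;`. As written, the integration test source under this hunk fails at `compileJava` before any query can run against it.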
Your integration test is failing because of this import:
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] > Task :compileJava FAILED
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] (...) ql/java/ql/integration-tests/all-platforms/java/properties-files/weak-hashing/src/main/java/com/example/WeakHashing.java:3: error: package java.utils does not exist
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] import java.utils.Properties;
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] ^
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] 1 error
[2023-08-23 18:21:09] [build-stdout] [2023-08-23 18:21:09] [autobuild] FAILURE: Build failed with an exception.
It should be java.util.Properties.
| import java.utils.Properties; | |
| import java.util.Properties; |
This adds a new query to detect uses of weak cryptographic algorithms, where the algorithm name comes from a `.properties` file.
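The source-to-sink pattern this query looks for, as an added example that is not part of the PR, its integration test, or the qhelp above: a JCA algorithm name read from a `.properties` file and passed unchecked to `Cipher.getInstance`, next to a hardened loader that checks the configured value against an allowlist before use. The properties content, the `cipher.algorithm` key, the allowlist and the `PropertiesCipherExample` class are all constructed for this illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example; not code from the PR, its integration test or the qhelp.
public class PropertiesCipherExample {

    // Constructed sample of a checked-in crypto.properties file. The key
    // name "cipher.algorithm" and the DES value are assumptions for the demo.
    static final String SAMPLE_PROPERTIES =
            "# crypto.properties (constructed sample)\n"
            + "cipher.algorithm=DES\n";

    // Transformations the application is willing to run with (assumption:
    // only AES-GCM is acceptable here).
    static final Set<String> ALLOWED = Set.of("AES/GCM/NoPadding");

    static Properties loadConfig() throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(SAMPLE_PROPERTIES));
        return props;
    }

    // BAD: the algorithm name flows from the .properties file straight into
    // Cipher.getInstance, so whoever controls the file chooses the cipher.
    // This is the flow the new query is meant to flag.
    static Cipher cipherFromConfig(Properties props) throws GeneralSecurityException {
        String algorithm = props.getProperty("cipher.algorithm");
        return Cipher.getInstance(algorithm);
    }

    // GOOD: the configured name is checked against an allowlist before it
    // reaches Cipher.getInstance; DES, RC4 or an ECB transformation in the
    // file cause a hard failure instead of silently selecting a weak cipher.
    static Cipher checkedCipherFromConfig(Properties props) throws GeneralSecurityException {
        String algorithm = props.getProperty("cipher.algorithm", "AES/GCM/NoPadding");
        if (!ALLOWED.contains(algorithm)) {
            throw new GeneralSecurityException(
                    "refusing weak or unknown cipher from configuration: " + algorithm);
        }
        return Cipher.getInstance(algorithm);
    }

    public static void main(String[] args) throws Exception {
        Properties props = loadConfig();

        // Unchecked path: the weak cipher is created and used without complaint.
        Cipher weak = cipherFromConfig(props);
        SecretKey desKey = KeyGenerator.getInstance("DES").generateKey();
        weak.init(Cipher.ENCRYPT_MODE, desKey);
        byte[] ciphertext = weak.doFinal("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("unchecked: ran " + weak.getAlgorithm()
                + ", " + ciphertext.length + " ciphertext bytes");

        // Checked path: the same configuration file is rejected.
        try {
            checkedCipherFromConfig(props);
            System.out.println("checked: accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

Run it with `java PropertiesCipherExample.java` on JDK 11 or later. One caveat worth keeping in mind when reviewing such configuration: the JCA `Cipher` javadoc states that when no mode or padding is given, provider defaults apply, and for SunJCE those defaults are ECB and PKCS5Padding, so a bare `DES` in the file also picks up the ECB mode the qhelp warns against. The allowlist check rejects the value before any key material is touched, which is the fix a finding from this query would normally lead to.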