feat: add Java RSA no padding rule (#95)

Co-authored-by: David Roe <[email protected]>
Bearer · Jun 12, 2023 · eed03bf · eed03bf
1 parent 378785e
commit eed03bf
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 0 deletions.
diff --git a/java/lang/rsa_no_padding.yml b/java/lang/rsa_no_padding.yml
@@ -0,0 +1,31 @@
+patterns:
+  - pattern: $<CIPHER>.getInstance($<RSA_NO_PADDING>)
+    filters:
+      - variable: CIPHER
+        regex: ^(javax.)?(crypto.)?Cipher
+      - variable: RSA_NO_PADDING
+        string_regex: \ARSA\/.*\/NoPadding\z
+languages:
+  - java
+metadata:
+  description: "RSA algorithm with no padding detected."
+  remediation_message: |
+    ## Description
+
+    The RSA encryption algorithm is weak when used without Optimal Asymmetric Encryption Padding (OAEP).
+
+    ## Remediations
+
+    ✅ Always use OAEP when using RSA encryption
+
+    ```java
+      Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")
+    ```
+
+    ## Resources
+    - [Java MessageDigest class](https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html)
+  cwe_id:
+    - 327
+    - 780
+  id: "java_lang_rsa_no_padding"
+  documentation_url: https://docs.bearer.com/reference/rules/java_lang_rsa_no_padding
diff --git a/java/lang/rsa_no_padding/.snapshots/bad_no_padding.yml b/java/lang/rsa_no_padding/.snapshots/bad_no_padding.yml
@@ -0,0 +1,46 @@
+low:
+    - rule:
+        cwe_ids:
+            - "327"
+            - "780"
+        id: java_lang_rsa_no_padding
+        title: RSA algorithm with no padding detected.
+        description: |
+            ## Description
+
+            The RSA encryption algorithm is weak when used without Optimal Asymmetric Encryption Padding (OAEP).
+
+            ## Remediations
+
+            ✅ Always use OAEP when using RSA encryption
+
+            ```java
+              Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")
+            ```
+
+            ## Resources
+            - [Java MessageDigest class](https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html)
+        documentation_url: https://docs.bearer.com/reference/rules/java_lang_rsa_no_padding
+      line_number: 2
+      full_filename: /tmp/scan/bad_no_padding.java
+      filename: .
+      source:
+        location:
+            start: 2
+            end: 2
+            column:
+                start: 19
+                end: 72
+      sink:
+        location:
+            start: 2
+            end: 2
+            column:
+                start: 19
+                end: 72
+        content: javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding")
+      parent_line_number: 2
+      snippet: javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding")
+      fingerprint: 9d916a5ca165038ee842b245601b5cf9_0
+      old_fingerprint: 980598f1e87dca4a42183254222ddf4f_0
+
diff --git a/java/lang/rsa_no_padding/.snapshots/ok.yml b/java/lang/rsa_no_padding/.snapshots/ok.yml
@@ -0,0 +1,2 @@
+{}
+
diff --git a/java/lang/rsa_no_padding/testdata/bad_no_padding.java b/java/lang/rsa_no_padding/testdata/bad_no_padding.java
@@ -0,0 +1,7 @@
+public Cipher getRSACipher() {
+  Cipher cipher = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");
+
+  // Some exception handling ...
+
+  return cipher;
+}
diff --git a/java/lang/rsa_no_padding/testdata/ok.java b/java/lang/rsa_no_padding/testdata/ok.java
@@ -0,0 +1,7 @@
+public Cipher getRSACipher() {
+  Cipher cipher = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+
+  // Some exception handling ...
+
+  return cipher;
+}