Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Questionable Code Example

      Builtin functions

      function myEncrypt($cipher, $key, $data, $mode, $iv, $options, $padding, $infile, $outfile, $recipcerts, $headers, $nonce, $ad, $pub_key_ids, $env_keys)
      {
          mcrypt_ecb ($cipher, $key, $data, $mode); // Questionable
          mcrypt_cfb($cipher, $key, $data, $mode, $iv); // Questionable
          mcrypt_cbc($cipher, $key, $data, $mode, $iv); // Questionable
          mcrypt_encrypt($cipher, $key, $data, $mode); // Questionable
      
          openssl_encrypt($data, $cipher, $key, $options, $iv); // Questionable
          openssl_public_encrypt($data, $crypted, $key, $padding); // Questionable
          openssl_pkcs7_encrypt($infile, $outfile, $recipcerts, $headers); // Questionable
          openssl_seal($data, $sealed_data, $env_keys, $pub_key_ids); // Questionable
      
          sodium_crypto_aead_aes256gcm_encrypt ($data, $ad, $nonce, $key); // Questionable
          sodium_crypto_aead_chacha20poly1305_encrypt ($data, $ad, $nonce, $key); // Questionable
          sodium_crypto_aead_chacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Questionable
          sodium_crypto_aead_xchacha20poly1305_ietf_encrypt ($data, $ad, $nonce, $key); // Questionable
          sodium_crypto_box_seal ($data, $key); // Questionable
          sodium_crypto_box ($data, $nonce, $key); // Questionable
          sodium_crypto_secretbox ($data, $nonce, $key); // Questionable
          sodium_crypto_stream_xor ($data, $nonce, $key); // Questionable
      }
      

      CakePHP

      use Cake\Utility\Security;
      
      function myCakeEncrypt($key, $data, $engine)
      {
          Security::encrypt($data, $key); // Questionable
          
          // Do not use custom made engines and remember that Mcrypt is deprecated.
          Security::engine($engine); // Questionable. Setting the encryption engine.
      }
      

      CodeIgniter

      class EncryptionController extends CI_Controller
      {
          public function __construct()
          {
              parent::__construct();
              $this->load->library('encryption');
          }
      
          public function index()
          {
              $this->encryption->create_key(16); // Questionable. Review the key length.
              $this->encryption->initialize( // Questionable.
                  array(
                      'cipher' => 'aes-256',
                      'mode' => 'ctr',
                      'key' => 'the key',
                  )
              );
              $this->encryption->encrypt("mysecretdata"); // Questionable.
          }
      }
      

      CraftCMS version 3

      use Craft;
      
      // This is similar to Yii as it used by CraftCMS
      function craftEncrypt($data, $key, $password) {
          Craft::$app->security->encryptByKey($data, $key); // Questionable
          Craft::$app->getSecurity()->encryptByKey($data, $key); // Questionable
          Craft::$app->security->encryptByPassword($data, $password); // Questionable
          Craft::$app->getSecurity()->encryptByPassword($data, $password); // Questionable
      }
      

      Drupal 7 - Encrypt module

      function drupalEncrypt() {
          $encrypted_text = encrypt('some string to encrypt'); // Questionable
      }
      

      Joomla

      use Joomla\Crypt\CipherInterface;
      
      abstract class MyCipher implements CipherInterface // Questionable. Implementing custom cipher class
      {}
      
      function joomlaEncrypt() {
          new Joomla\Crypt\Cipher_Sodium(); // Questionable
          new Joomla\Crypt\Cipher_Simple(); // Questionable
          new Joomla\Crypt\Cipher_Rijndael256(); // Questionable
          new Joomla\Crypt\Cipher_Crypto(); // Questionable
          new Joomla\Crypt\Cipher_Blowfish(); // Questionable
          new Joomla\Crypt\Cipher_3DES(); // Questionable
      }
      }
      

      Laravel

      use Illuminate\Support\Facades\Crypt;
      
      function myLaravelEncrypt($data)
      {
          Crypt::encryptString($data); // Questionable
          Crypt::encrypt($data); // Questionable
          // encrypt using the Laravel "encrypt" helper
          encrypt($data); // Questionable
      }
      

      PHP-Encryption library

      use Defuse\Crypto\Crypto;
      use Defuse\Crypto\File;
      
      function mypPhpEncryption($data, $key, $password, $inputFilename, $outputFilename, $inputHandle, $outputHandle) {
          Crypto::encrypt($data, $key); // Questionable
          Crypto::encryptWithPassword($data, $password); // Questionable
          File::encryptFile($inputFilename, $outputFilename, $key); // Questionable
          File::encryptFileWithPassword($inputFilename, $outputFilename, $password); // Questionable
          File::encryptResource($inputHandle, $outputHandle, $key); // Questionable
          File::encryptResourceWithPassword($inputHandle, $outputHandle, $password); // Questionable
      }
      

      PhpSecLib

      function myphpseclib($mode) {
          new phpseclib\Crypt\RSA(); // Questionable. Note: RSA can also be used for signing data.
          new phpseclib\Crypt\AES(); // Questionable
          new phpseclib\Crypt\Rijndael(); // Questionable
          new phpseclib\Crypt\Twofish(); // Questionable
          new phpseclib\Crypt\Blowfish(); // Questionable
          new phpseclib\Crypt\RC4(); // Questionable
          new phpseclib\Crypt\RC2(); // Questionable
          new phpseclib\Crypt\TripleDES(); // Questionable
          new phpseclib\Crypt\DES(); // Questionable
      
          new phpseclib\Crypt\AES($mode); // Questionable
          new phpseclib\Crypt\Rijndael($mode); // Questionable
          new phpseclib\Crypt\TripleDES($mode); // Questionable
          new phpseclib\Crypt\DES($mode); // Questionable
      }
      

      Sodium Compat library

      function mySodiumCompatEncrypt($data, $ad, $nonce, $key) {
          ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Questionable
          ParagonIE_Sodium_Compat::crypto_aead_xchacha20poly1305_ietf_encrypt($data, $ad, $nonce, $key); // Questionable
          ParagonIE_Sodium_Compat::crypto_aead_chacha20poly1305_encrypt($data, $ad, $nonce, $key); // Questionable
          
          ParagonIE_Sodium_Compat::crypto_aead_aes256gcm_encrypt($data, $ad, $nonce, $key); // Questionable
      
          ParagonIE_Sodium_Compat::crypto_box($data, $nonce, $key); // Questionable
          ParagonIE_Sodium_Compat::crypto_secretbox($data, $nonce, $key); // Questionable
          ParagonIE_Sodium_Compat::crypto_box_seal($data, $key); // Questionable
          ParagonIE_Sodium_Compat::crypto_secretbox_xchacha20poly1305($data, $nonce, $key); // Questionable
      }
      

      Yii version 2

      use Yii;
      
      // Similar to CraftCMS as it uses Yii
      function YiiEncrypt($data, $key, $password) {
          Yii::$app->security->encryptByKey($data, $key); // Questionable
          Yii::$app->getSecurity()->encryptByKey($data, $key); // Questionable
          Yii::$app->security->encryptByPassword($data, $password); // Questionable
          Yii::$app->getSecurity()->encryptByPassword($data, $password); // Questionable
      }
      

      Zend

      use Zend\Crypt\FileCipher;
      use Zend\Crypt\PublicKey\DiffieHellman;
      use Zend\Crypt\PublicKey\Rsa;
      use Zend\Crypt\Hybrid;
      use Zend\Crypt\BlockCipher;
      
      function myZendEncrypt($key, $data, $prime, $options, $generator, $lib)
      {
          new FileCipher; // Questionable. This is used to encrypt files
      
          new DiffieHellman($prime, $generator, $key); // Questionable
      
          $rsa = Rsa::factory([ // Questionable
              'public_key'    => 'public_key.pub',
              'private_key'   => 'private_key.pem',
              'pass_phrase'   => 'mypassphrase',
              'binary_output' => false,
          ]);
          $rsa->encrypt($data); // No issue raised here. The configuration of the Rsa object is the line to review.
      
          $hybrid = new Hybrid(); // Questionable
      
          BlockCipher::factory($lib, $options); // Questionable
      }
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              nicolas.harraudeau Nicolas Harraudeau
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: