SonarJava / SONARJAVA-1210

S2278 should react to properties default value

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.5
    • Component/s: Rules
      Description

      A default value supplied to a property retrieval may itself introduce an issue and should be handled by the rule.

      // Non-compliant example: the property lookup falls back to a DESede transformation
      void myMethod(java.util.Properties props) throws java.security.GeneralSecurityException {
        String algorithm = props.getProperty("cryptoAlg1", "DESede/ECB/PKCS5Padding"); // the algorithm is POTENTIALLY DESede, which is forbidden
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);
      }
      

      See: https://github.com/OWASP/Benchmark/tree/master/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00056.java

      IMPORTANT NOTE: The current implementation only looks at the string provided directly as the first argument of javax.crypto.Cipher.getInstance(). The rule will be modified to handle a string retrieved from properties, but this does not fix the real issue. Indeed, a complete solution would require being able to evaluate the expression provided as argument in order to decide whether it corresponds to one of the forbidden algorithms. Such an evaluation can only be achieved using a CFG and by exploring all the possible evaluation paths, which is still a work in progress.
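      As an added illustration of the two cases the ticket contrasts (a literal passed directly to Cipher.getInstance() versus one reaching it as a Properties default), here is a deliberately simple line-based check in Python. It is not SonarJava's implementation: the forbidden-algorithm set, the regexes and the sample Java source are assumptions constructed for this example.

```python
import re

# Algorithms S2278 forbids (JCA names, compared case-insensitively). This set is an
# assumption made for the example, not SonarJava's own definition.
FORBIDDEN_ALGORITHMS = {"DES", "DESEDE"}

STRING_LITERAL = r'"([^"]*)"'
# String <var> = <obj>.getProperty("<key>", "<default literal>")
PROPERTY_ASSIGNMENT = re.compile(
    r'String\s+(\w+)\s*=\s*\w+\.getProperty\(\s*"[^"]*"\s*,\s*' + STRING_LITERAL + r'\s*\)')
GET_INSTANCE = re.compile(r'Cipher\.getInstance\(\s*([^,)]+)')  # captures the first argument


def algorithm_is_forbidden(transformation):
    """The algorithm is the part of the transformation string before the first '/'."""
    return transformation.split("/", 1)[0].strip().upper() in FORBIDDEN_ALGORITHMS


def find_issues(java_source):
    """(line number, transformation) for each Cipher.getInstance whose first argument is a
    forbidden literal, directly or through a Properties default value. Line-based only: a
    reassignment between getProperty and getInstance is not seen (no CFG, as the note says)."""
    property_defaults = {}  # local variable name -> literal default value
    issues = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        assignment = PROPERTY_ASSIGNMENT.search(line)
        if assignment:
            property_defaults[assignment.group(1)] = assignment.group(2)
        call = GET_INSTANCE.search(line)
        if not call:
            continue
        argument = call.group(1).strip()
        literal = re.fullmatch(STRING_LITERAL, argument)
        # A literal is evaluated directly; a variable only if it came from getProperty with a
        # literal default; any other expression cannot be evaluated here and raises no issue.
        transformation = literal.group(1) if literal else property_defaults.get(argument)
        if transformation is not None and algorithm_is_forbidden(transformation):
            issues.append((number, transformation))
    return issues


SAMPLE = """\
void myMethod(java.util.Properties props) {
  String algorithm = props.getProperty("cryptoAlg1", "DESede/ECB/PKCS5Padding");
  javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);
  javax.crypto.Cipher d = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");
  String safe = props.getProperty("cryptoAlg2", "AES/GCM/NoPadding");
  javax.crypto.Cipher e = javax.crypto.Cipher.getInstance(safe);
}
"""  # constructed sample: the ticket's snippet plus a direct literal and a compliant default
```

      Running find_issues(SAMPLE) reports lines 3 and 4 and stays silent on line 6, where the default resolves to AES.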

              People

              Assignee:
              michael.gumowski Michael Gumowski
              Reporter:
              michael.gumowski Michael Gumowski