[SONARJAVA-1210] S2278 should react to properties default value - SonarSource

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.5
Component/s: Rules
Labels:
- owasp-benchmark

Description

Default value used for property retrieval may cause an issue and should be handled.

void myMethod(java.util.Properties props) {
  String algorithm = props.getProperty("cryptoAlg1", "DESede/ECB/PKCS5Padding"); // the algorithm is POTENTIALLY DESede, which is forbidden
  javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);
}

See: https://github.com/OWASP/Benchmark/tree/master/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00056.java

IMPORTANT NOTE: The current implementation only look at string provided as first argument of javax.crypto.Cipher.getInstance(). The rule will be modified to handle string retrieved by properties, but it does not fix the real issue. Indeed, a complete solution would require to be able to evaluate the expression provided as argument in order to say if it corresponds to one of the forbidden algorithms. Such evaluation can only be achieved using CFG and by exploring all the possible evaluation path, which is still a work in progress.

Attachments

Issue Links

implements

RSPEC-2278 Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

Superseded

Activity

People

Assignee:: Michael Gumowski

Reporter:: Michael Gumowski

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Due:: 14/Aug/15

Created:: 06/Aug/15 3:52 PM

Updated:: 17/Aug/15 6:48 AM

Resolved:: 14/Aug/15 2:41 PM