-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: Add RSA/ECB/OEAP ciphers to the list of secure algorithms #16482
base: main
Are you sure you want to change the base?
Conversation
31ccaab
to
5144f0a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @grakshith, thanks for your contribution.
I made a small comment below with a suggestion to keep things cohesive.
Your approach has a problem, though. I ran the updated query on the 1k most popular projects on GitHub and I saw that some unexpected algorithms would be discarded by your change, e.g.:
SHA1withRSA
(and its variants)ECIESwithSHA1
(and its variants)Blowfish/ECB/PKCS5Padding
(and its variants)
So, instead of using the secure algorithm regex to discard results in this query (which also overlaps a bit with java/potentially-weak-cryptographic-algorithm
), I think the safest thing here would be to add a specific exclusion for the RSA/ECB
string.
Something like:
not this.getValue().regexpMatch("RSA/ECB.*") and
What do you think?
@@ -15,6 +15,7 @@ private class ShortStringLiteral extends StringLiteral { | |||
class BrokenAlgoLiteral extends ShortStringLiteral { | |||
BrokenAlgoLiteral() { | |||
this.getValue().regexpMatch(getInsecureAlgorithmRegex()) and | |||
not this.getValue().regexpMatch(getASecureAlgorithmName()) and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This ought to be fixed as follows to make sense with regexpMatch
(getASecureAlgorithmName
contains, perhaps a bit surprisingly, regexes):
not this.getValue().regexpMatch(getASecureAlgorithmName()) and | |
not this.getValue().regexpMatch(getSecureAlgorithmRegex()) and |
Nonetheless see my comment above for the full picture.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, thanks for the callout. Didn't realize there was getSecureAlgorithmRegex
Hey @atorralba, thanks a lot for the review and your comments. Thanks for also running integration tests on the most popular repos. Your comment makes sense and I'll push out the change. |
db3354c
to
af57702
Compare
Thanks @atorralba, I forgot to revert my previous changes 😅 |
9ef8551
to
ba4629a
Compare
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
ba4629a
to
798a736
Compare
This PR adds the ciphers
RSA/ECB/OAEPWithSHA-1AndMGF1Padding
andRSA/ECB/OAEPWithSHA-256AndMGF1Padding
to the list of secure algorithms.CodeQL flags the uses of these ciphers as risky/weak because it sees ECB in the cipher name and matches the regex from the
getInsecureAlgorithmRegex()
function.The ciphers listed above are part of the Java Cryptographic Architecture and Java Security Standard, and after a quick google search it appears that none of the security providers operate RSA in the block mode. So ECB in the context of RSA is a misnomer.
I did omit the other algorithm
RSA/ECB/PKCS1Padding
as I believe PKCS1 padding is weaker compared to OAEP.References
List of supported ciphers from the Java Security API
Java Security Spec
Stack overflow thread
Another thread
EDIT: Instead of adding these cipher to
getASecureAlgorithmName
we are now excluding ciphers matching the regexRSA/ECB/.*
from the query.