pkg/commands/process/settings/rules/ruby/lang/weak_encryption.yml

patterns:
  - pattern: |
      Digest::SHA1.hexidigest()
  - pattern: |
      Digest::MD5.hexdigest()
  - pattern: |
      $<VAR>.$<METHOD>($<_>)
    filters:
      - variable: VAR
        detection: rc4_init
      - variable: METHOD
        values:
          - encrypt
          - encrypt!
          - decrypt
  - pattern: |
      $<VAR>.$<METHOD>($<_>)
    filters:
      - variable: VAR
        detection: openssl_rsa_init
      - variable: METHOD
        values:
          - private_decrypt
          - private_encrypt
          - public_decrypt
          - public_encrypt
  - pattern: |
      $<VAR>.$<METHOD>($<_>)
    filters:
      - variable: VAR
        detection: openssl_rsa_init
      - variable: METHOD
        values:
          - export
          - to_pem
          - to_s
  - pattern: |
      $<VAR>.$<METHOD>($<_>)
    filters:
      - variable: VAR
        detection: openssl_dsa_init
      - variable: METHOD
        values:
          - export
          - to_pem
          - to_s
  - pattern: |
      $<VAR>.$<METHOD>()
    filters:
      - variable: VAR
        detection: blowfish_init
      - variable: METHOD
        values:
          - encrypt_pair
          - encrypt_string
          - decrypt_pair
          - decrypt_string
  - pattern: |
      $<VAR>.$<METHOD> do
        $<_>
      end
    filters:
      - variable: VAR
        detection: blowfish_init
      - variable: METHOD
        values:
          - encrypt_block
          - decrypt_block
  - pattern: |
      $<VAR>.$<METHOD> {
        $<_>
      }
    filters:
      - variable: VAR
        detection: blowfish_init
      - variable: METHOD
        values:
          - encrypt_block
          - decrypt_block
languages:
  - ruby
auxiliary:
  - id: rc4_init
    patterns:
      - |
        RC4.new()
  - id: openssl_rsa_init
    patterns:
      - |
        OpenSSL::PKey::RSA.new()
  - id: openssl_dsa_init
    patterns:
      - |
        OpenSSL::PKey::DSA.new()
  - id: blowfish_init
    patterns:
      - |
        Crypt::Blowfish.new()
trigger: presence
severity:
  default: low # FIXME: warning
metadata:
  description: "Avoid weak encryption libraries."
  remediation_message: |
    ## Description

    A weak encryption or hashing library can lead to data breaches and greater security risk. This rule checks for the use of weak encryption and hashing libraries or algorithms.

    ## Remediations
    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption): MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) are considered as weak hash/encryption algorithms and therefor shouldn't be used.

    ❌ Avoid libraries and algorithms with known weaknesses:

    ```ruby
    Digest::SHA1.hexdigest 'weak password encryption'
    Crypt::Blowfish.new("weak password encryption")
    RC4.new("weak password encryption")
    OpenSSL::PKey::RSA.new 1024
    OpenSSL::PKey::DSA.new 1024
    Digest::MD5.hexdigest 'unsecure string'
    ```

    ✅ Instead, we recommend using bcrypt:

    ```ruby
    BCrypt::Password.create('iLOVEdogs123')
    ```

    ## Resources
    - [BCrypt Explained](https://dev.to/sylviapap/bcrypt-explained-4k5c)
  dsr_id: DSR-7
  id: ruby_lang_weak_encryption