Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[apex] ApexBadCrypto test failing to detect inline code #4427

Closed
sfdcsteve opened this issue Mar 20, 2023 · 0 comments · Fixed by #4428
Closed

[apex] ApexBadCrypto test failing to detect inline code #4427

sfdcsteve opened this issue Mar 20, 2023 · 0 comments · Fixed by #4428
Labels
a:false-negative PMD doesn't flag a problematic piece of code
Milestone
7.0.0

Comments

@sfdcsteve
Copy link
Contributor

sfdcsteve commented Mar 20, 2023
edited by adangel
Loading

The ApexBadCrypto test has an issue where it will miss a hard coded IV or Key if it is inline in the code rather than being predeclared. So, for example, this will be caught by the test:

public without sharing class Foo {
    Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
    Blob hardCodedKey = Blob.valueOf('0000000000000000');
    Blob data = Blob.valueOf('Data to be encrypted');
    Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
}

But this will not:

public without sharing class Foo {
    Blob encrypted = Crypto.encrypt('AES128', Blob.valueOf('Hardcoded IV 123'), Blob.valueOf('0000000000000000'), 
    Blob.valueOf('Data to be encrypted'));
}
@sfdcsteve sfdcsteve mentioned this issue Mar 20, 2023
Merged
4 tasks
@adangel adangel changed the title ApexBadCrypto test failing to detect inline code [apex] ApexBadCrypto test failing to detect inline code Mar 21, 2023
@adangel adangel added the a:false-negative PMD doesn't flag a problematic piece of code label Mar 21, 2023
@adangel adangel added this to the 7.0.0 milestone Mar 23, 2023
adangel added a commit that referenced this issue Mar 23, 2023
@adangel
[doc] Update release notes (#4427, #4428)
638212a
adangel added a commit that referenced this issue Mar 23, 2023
@adangel
Merge pull request #4428 from sfdcsteve:master
545bc0a 
[apex] ApexBadCrypto bug fix for #4427 - inline detection of hard coded values #4428
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
a:false-negative PMD doesn't flag a problematic piece of code
Projects
None yet
Milestone
7.0.0
Development

Successfully merging a pull request may close this issue.

[apex] ApexBadCrypto bug fix for #4427 - inline detection of hard coded values sfdcsteve/pmd
2 participants
@adangel @sfdcsteve