Skip to content

Rust: new query rust/hardcoded-crytographic-value #18943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 39 commits into from
Jul 22, 2025
Merged

Rust: new query rust/hardcoded-crytographic-value #18943

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
9a35feb
Rust: Query framework and basic tests.
geoffw0 Mar 3, 2025
bd75f01
Rust: More test cases.
geoffw0 Mar 5, 2025
9fb00da
Rust: Implement the query (with one source, one sink model).
geoffw0 Mar 3, 2025
a6e106e
Rust: Model more sinks + flows.
geoffw0 Mar 4, 2025
aacbfc0
Rust: Improve alert messages.
geoffw0 Mar 5, 2025
055baf2
Rust: Improve results on arrays (less duplication).
geoffw0 Mar 6, 2025
ac94ac6
Rust: Model even more sinks + flows.
geoffw0 Mar 6, 2025
b4a6063
Rust: Add std::mem::zeroed as a source.
geoffw0 Mar 6, 2025
95be12e
Rust: Add qhelp and examples.
geoffw0 Mar 6, 2025
e564c41
Rust: Compute security-severity tag.
geoffw0 Mar 6, 2025
952e417
Rust: Tweak some wording.
geoffw0 Mar 6, 2025
9af2d02
Rust: Add the new sinks to stats.
geoffw0 Mar 6, 2025
42e7d1e
Rust: Fix typo.
geoffw0 Mar 6, 2025
b6c9be2
Merge branch 'main' into constcrypto
geoffw0 Mar 7, 2025
19416a9
Rust: Correct test results.
geoffw0 Mar 7, 2025
c63c1be
Rust: Accept integration test .expected changes.
geoffw0 Mar 7, 2025
3dc35f1
Rust: Accept more test changes.
geoffw0 Mar 7, 2025
fdb4362
Merge remote-tracking branch 'upstream/main' into constcrypto
geoffw0 Mar 7, 2025
b4e710f
Rust: Add missing models (for some platforms???).
geoffw0 Mar 7, 2025
e84a98b
Apply suggestions from code review
geoffw0 Mar 10, 2025
a34f9be
Rust: Add a test case for getrandom.
geoffw0 Mar 10, 2025
9e54d53
Rust: Add barrier.
geoffw0 Mar 10, 2025
1ca5c59
Rust: Replace imports of internal.DataFlowImpl where possible.
geoffw0 Mar 10, 2025
e3beacb
Rust: Print models (temporary, to see how this differs on CI).
geoffw0 Mar 10, 2025
a0f4fa2
Rust: hardcoded -> hard-coded.
geoffw0 Mar 11, 2025
704b385
Rust: Fix a mistake in the test.
geoffw0 Mar 17, 2025
81edb47
Merge branch 'main' into constcrypto
geoffw0 Mar 17, 2025
f5daec9
Rust: Fix after merge.
geoffw0 Mar 17, 2025
07011f7
Rust: Fix more after merge.
geoffw0 Mar 17, 2025
898c569
Rust: Change note.
geoffw0 Jun 24, 2025
c2ddf25
Merge branch 'main' into constcrypto
geoffw0 Jul 17, 2025
0ec10e5
Rust: Corrections after the merge.
geoffw0 Jul 17, 2025
fc8a662
Rust: Update the models.
geoffw0 Jul 17, 2025
796cb19
Rust: Accept test regressions with new format MaD.
geoffw0 Jul 21, 2025
ec3ad85
Rust: Add another test case for barriers (that still functions).
geoffw0 Jul 21, 2025
d53dada
Rust: Update barrier logic to use getCanonicalPath.
geoffw0 Jul 21, 2025
43ac82f
Rust: Update consistency check .expected files.
geoffw0 Jul 21, 2025
1945fb8
Rust: Accept changes to query suites.
geoffw0 Jul 21, 2025
f7d822b
Rust: Remove empty file.
geoffw0 Jul 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Rust: Fix typo.
  • Loading branch information
@geoffw0
geoffw0 committed Mar 6, 2025
commit 42e7d1e983465b4da3ced5805e21c51efec84aaa
2 changes: 1 addition & 1 deletion rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
* @problem.severity warning
* @security-severity 9.8
* @precision high
* @id rust/hardcoded-crytographic-value
* @id rust/hardcoded-cryptographic-value
* @tags security
* external/cwe/cwe-259
* external/cwe/cwe-321
Expand Down
36 changes: 18 additions & 18 deletions rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,39 +15,39 @@ fn test_stream_cipher_rabbit(
let mut rabbit_cipher1 = RabbitKeyOnly::new(rabbit::Key::from_slice(key));
rabbit_cipher1.apply_keystream(&mut data);

let const1: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-crytographic-value]
let const1: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher2 = RabbitKeyOnly::new(rabbit::Key::from_slice(const1)); // $ Sink
rabbit_cipher2.apply_keystream(&mut data);

let mut rabbit_cipher3 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(iv));
rabbit_cipher3.apply_keystream(&mut data);

let const4: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-crytographic-value]
let const4: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher4 = Rabbit::new(rabbit::Key::from_slice(const4), rabbit::Iv::from_slice(iv)); // $ Sink
rabbit_cipher4.apply_keystream(&mut data);

let const5: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-crytographic-value]
let const5: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher5 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(const5)); // $ Sink
rabbit_cipher5.apply_keystream(&mut data);

// various expressions of constant arrays

let const6: &[u8;16] = &[0u8;16]; // (unused, so good)

let const7: [u8;16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-crytographic-value]
let const7: [u8;16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher7 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const7)); // $ Sink
rabbit_cipher7.apply_keystream(&mut data);

let const8: &[u8;16] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-crytographic-value]
let const8: &[u8;16] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher8 = RabbitKeyOnly::new(rabbit::Key::from_slice(const8)); // $ Sink
rabbit_cipher8.apply_keystream(&mut data);

let const9: [u16;8] = [0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-crytographic-value]
let const9: [u16;8] = [0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
let const9_conv = unsafe { const9.align_to::<u8>().1 }; // convert [u16;8] -> [u8;8]
let mut rabbit_cipher9 = RabbitKeyOnly::new(rabbit::Key::from_slice(const9_conv)); // $ Sink
rabbit_cipher9.apply_keystream(&mut data);

let const10: [u8;16] = unsafe { std::mem::zeroed() }; // $ Alert[rust/hardcoded-crytographic-value]
let const10: [u8;16] = unsafe { std::mem::zeroed() }; // $ Alert[rust/hardcoded-cryptographic-value]
let mut rabbit_cipher10 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const10)); // $ Sink
rabbit_cipher10.apply_keystream(&mut data);
}
Expand All @@ -63,25 +63,25 @@ fn test_block_cipher_aes(
let aes_cipher1 = Aes256::new(key256.into());
aes_cipher1.encrypt_block(block128.into());

let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-crytographic-value]
let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
let aes_cipher2 = Aes256::new(const2.into()); // $ Sink
aes_cipher2.encrypt_block(block128.into());

let aes_cipher3 = Aes256::new_from_slice(key256).unwrap();
aes_cipher3.encrypt_block(block128.into());

let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-crytographic-value]
let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
let aes_cipher4 = Aes256::new_from_slice(const2).unwrap(); // $ Sink
aes_cipher4.encrypt_block(block128.into());

let aes_cipher5 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), iv.into());
_ = aes_cipher5.encrypt_b2b(input, output).unwrap();

let const6 = &[0u8;32]; // $ Alert[rust/hardcoded-crytographic-value]
let const6 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
let aes_cipher6 = cfb_mode::Encryptor::<aes::Aes256>::new(const6.into(), iv.into()); // $ Sink
_ = aes_cipher6.encrypt_b2b(input, output).unwrap();

let const7 = &[0u8; 16]; // $ Alert[rust/hardcoded-crytographic-value]
let const7 = &[0u8; 16]; // $ Alert[rust/hardcoded-cryptographic-value]
let aes_cipher7 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), const7.into()); // $ Sink
_ = aes_cipher7.encrypt_b2b(input, output).unwrap();

Expand All @@ -91,18 +91,18 @@ fn test_block_cipher_aes(
let aes_cipher8 = cfb_mode::Encryptor::<aes::Aes256>::new(key8.into(), iv.into());
_ = aes_cipher8.encrypt_b2b(input, output).unwrap();

let key9: &[u8] = "1234567890123456".as_bytes(); // $ MISSING: Alert[rust/hardcoded-crytographic-value]
let key9: &[u8] = "1234567890123456".as_bytes(); // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
let aes_cipher9 = cfb_mode::Encryptor::<aes::Aes256>::new(key9.into(), iv.into());
_ = aes_cipher9.encrypt_b2b(input, output).unwrap();

let key10: [u8; 32] = match base64::engine::general_purpose::STANDARD.decode(key_str) {
Ok(x) => x.try_into().unwrap(),
Err(_) => "1234567890123456".as_bytes().try_into().unwrap() // $ MISSING: Alert[rust/hardcoded-crytographic-value]
Err(_) => "1234567890123456".as_bytes().try_into().unwrap() // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
};
let aes_cipher10 = Aes256::new(&key10.into());
aes_cipher10.encrypt_block(block128.into());

if let Ok(const11) = base64::engine::general_purpose::STANDARD.decode("1234567890123456") { // $ MISSING: Alert[rust/hardcoded-crytographic-value]
if let Ok(const11) = base64::engine::general_purpose::STANDARD.decode("1234567890123456") { // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
let key11: [u8; 32] = const11.try_into().unwrap();
let aes_cipher11 = Aes256::new(&key11.into());
aes_cipher11.encrypt_block(block128.into());
Expand All @@ -121,14 +121,14 @@ fn test_aes_gcm(
let cipher1 = Aes256Gcm::new(&key1);
let _ = cipher1.encrypt(&nonce1, b"plaintext".as_ref()).unwrap();

let key2: [u8;32] = [0;32]; // $ Alert[rust/hardcoded-crytographic-value]
let nonce2 = [0;12]; // $ Alert[rust/hardcoded-crytographic-value]
let key2: [u8;32] = [0;32]; // $ Alert[rust/hardcoded-cryptographic-value]
let nonce2 = [0;12]; // $ Alert[rust/hardcoded-cryptographic-value]
let cipher2 = Aes256Gcm::new(&key2.into()); // $ Sink
let _ = cipher2.encrypt(&nonce2.into(), b"plaintext".as_ref()).unwrap(); // $ Sink

let key3_array: &[u8;32] = &[0xff;32]; // $ Alert[rust/hardcoded-crytographic-value]
let key3_array: &[u8;32] = &[0xff;32]; // $ Alert[rust/hardcoded-cryptographic-value]
let key3 = Key::<Aes256Gcm>::from_slice(key3_array);
let nonce3: [u8;12] = [0xff;12]; // $ Alert[rust/hardcoded-crytographic-value]
let nonce3: [u8;12] = [0xff;12]; // $ Alert[rust/hardcoded-cryptographic-value]
let cipher3 = Aes256Gcm::new(&key3); // $ Sink
let _ = cipher3.encrypt(&nonce3.into(), b"plaintext".as_ref()).unwrap(); // $ Sink
}
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy