Rust: hardcoded -> hard-coded.

github · geoffw0 · Jul 22, 2025 · Mar 3, 2025 · Mar 5, 2025 · Mar 3, 2025
commit a0f4fa28b2a50a077c380646bb2828da85b3426d
@@ -1,5 +1,5 @@
 /**
- * Provides classes and predicates for reasoning about hardcoded cryptographic value
+ * Provides classes and predicates for reasoning about hard-coded cryptographic value
  * vulnerabilities.
  */
 
@@ -32,17 +32,17 @@ class CryptographicValueKind extends string {
 }
 
 /**
- * Provides default sources, sinks and barriers for detecting hardcoded cryptographic
+ * Provides default sources, sinks and barriers for detecting hard-coded cryptographic
  * value vulnerabilities, as well as extension points for adding your own.
  */
 module HardcodedCryptographicValue {
   /**
-   * A data flow source for hardcoded cryptographic value vulnerabilities.
+   * A data flow source for hard-coded cryptographic value vulnerabilities.
    */
   abstract class Source extends DataFlow::Node { }
 
   /**
-   * A data flow sink for hardcoded cryptographic value vulnerabilities.
+   * A data flow sink for hard-coded cryptographic value vulnerabilities.
    */
   abstract class Sink extends DataFlow::Node {
     /**
@@ -52,7 +52,7 @@ module HardcodedCryptographicValue {
   }
 
   /**
-   * A barrier for hardcoded cryptographic value vulnerabilities.
+   * A barrier for hard-coded cryptographic value vulnerabilities.
    */
   abstract class Barrier extends DataFlow::Node { }
 
@@ -81,7 +81,7 @@ module HardcodedCryptographicValue {
   }
 
   /**
-   * An externally modeled sink for hardcoded cryptographic value vulnerabilities.
+   * An externally modeled sink for hard-coded cryptographic value vulnerabilities.
    */
   private class ModelsAsDataSinks extends Sink {
     CryptographicValueKind kind;

@@ -5,38 +5,38 @@
 
 <overview>
 <p>
-Hardcoded passwords, keys, initialization vectors, and salts should not be used for cryptographic operations.
+Hard-coded passwords, keys, initialization vectors, and salts should not be used for cryptographic operations.
 </p>
 <ul>
   <li>
-    Attackers can easily recover hardcoded values if they have access to the source code or compiled executable.
+    Attackers can easily recover hard-coded values if they have access to the source code or compiled executable.
   </li>
   <li>
-    Some hardcoded values are easily guessable.
+    Some hard-coded values are easily guessable.
   </li>
   <li>
-    Use of hardcoded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
+    Use of hard-coded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
   </li>
 </ul>
 
 </overview>
 <recommendation>
 
 <p>
-Use randomly generated key material, initialization vectors, and salts. Use strong passwords that are not hardcoded.
+Use randomly generated key material, initialization vectors, and salts. Use strong passwords that are not hard-coded.
 </p>
 
 </recommendation>
 <example>
 
 <p>
-The following example shows instantiating a cipher with hardcoded key material, making the encrypted data vulnerable to recovery.
+The following example shows instantiating a cipher with hard-coded key material, making the encrypted data vulnerable to recovery.
 </p>
 
 <sample src="HardcodedCryptographicValueBad.rs" />
 
 <p>
-In the fixed code below, the key material is randomly generated and not hardcoded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
+In the fixed code below, the key material is randomly generated and not hard-coded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
 </p>
 
 <sample src="HardcodedCryptographicValueGood.rs" />

@@ -1,12 +1,12 @@
 /**
  * @name Hard-coded cryptographic value
- * @description Using hardcoded keys, passwords, salts or initialization
+ * @description Using hard-coded keys, passwords, salts or initialization
  *              vectors is not secure.
  * @kind path-problem
  * @problem.severity warning
  * @security-severity 9.8
  * @precision high
- * @id rust/hardcoded-cryptographic-value
+ * @id rust/hard-coded-cryptographic-value
  * @tags security
  *       external/cwe/cwe-259
  *       external/cwe/cwe-321
@@ -21,7 +21,7 @@ import codeql.rust.dataflow.TaintTracking
 import codeql.rust.dataflow.internal.DataFlowImpl
 
 /**
- * A taint-tracking configuration for hardcoded cryptographic value vulnerabilities.
+ * A taint-tracking configuration for hard-coded cryptographic value vulnerabilities.
  */
 module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
   import HardcodedCryptographicValue

@@ -1,2 +1,2 @@
-let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption
+let key: [u8;32] = [0;32]; // BAD: Using hard-coded keys for encryption
 let cipher = Aes256Gcm::new(&key.into());
@@ -15,39 +15,39 @@ fn test_stream_cipher_rabbit(
     let mut rabbit_cipher1 = RabbitKeyOnly::new(rabbit::Key::from_slice(key));
     rabbit_cipher1.apply_keystream(&mut data);
 
-    let const1: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const1: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher2 = RabbitKeyOnly::new(rabbit::Key::from_slice(const1)); // $ Sink
     rabbit_cipher2.apply_keystream(&mut data);
 
     let mut rabbit_cipher3 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(iv));
     rabbit_cipher3.apply_keystream(&mut data);
 
-    let const4: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const4: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher4 = Rabbit::new(rabbit::Key::from_slice(const4), rabbit::Iv::from_slice(iv)); // $ Sink
     rabbit_cipher4.apply_keystream(&mut data);
 
-    let const5: &[u8;16] = &[0u8;16]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const5: &[u8;16] = &[0u8;16]; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher5 = Rabbit::new(rabbit::Key::from_slice(key), rabbit::Iv::from_slice(const5)); // $ Sink
     rabbit_cipher5.apply_keystream(&mut data);
 
     // various expressions of constant arrays
 
     let const6: &[u8;16] = &[0u8;16]; // (unused, so good)
 
-    let const7: [u8;16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const7: [u8;16] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher7 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const7)); // $ Sink
     rabbit_cipher7.apply_keystream(&mut data);
 
-    let const8: &[u8;16] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const8: &[u8;16] = &[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher8 = RabbitKeyOnly::new(rabbit::Key::from_slice(const8)); // $ Sink
     rabbit_cipher8.apply_keystream(&mut data);
 
-    let const9: [u16;8] = [0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const9: [u16;8] = [0, 0, 0, 0, 0, 0, 0, 0]; // $ Alert[rust/hard-coded-cryptographic-value]
     let const9_conv = unsafe { const9.align_to::<u8>().1 }; // convert [u16;8] -> [u8;8]
     let mut rabbit_cipher9 = RabbitKeyOnly::new(rabbit::Key::from_slice(const9_conv)); // $ Sink
     rabbit_cipher9.apply_keystream(&mut data);
 
-    let const10: [u8;16] = unsafe { std::mem::zeroed() }; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const10: [u8;16] = unsafe { std::mem::zeroed() }; // $ Alert[rust/hard-coded-cryptographic-value]
     let mut rabbit_cipher10 = RabbitKeyOnly::new(rabbit::Key::from_slice(&const10)); // $ Sink
     rabbit_cipher10.apply_keystream(&mut data);
 }
@@ -63,25 +63,25 @@ fn test_block_cipher_aes(
     let aes_cipher1 = Aes256::new(key256.into());
     aes_cipher1.encrypt_block(block128.into());
 
-    let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const2 = &[0u8;32]; // $ Alert[rust/hard-coded-cryptographic-value]
     let aes_cipher2 = Aes256::new(const2.into()); // $ Sink
     aes_cipher2.encrypt_block(block128.into());
 
     let aes_cipher3 = Aes256::new_from_slice(key256).unwrap();
     aes_cipher3.encrypt_block(block128.into());
 
-    let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const2 = &[0u8;32]; // $ Alert[rust/hard-coded-cryptographic-value]
     let aes_cipher4 = Aes256::new_from_slice(const2).unwrap(); // $ Sink
     aes_cipher4.encrypt_block(block128.into());
 
     let aes_cipher5 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), iv.into());
     _ = aes_cipher5.encrypt_b2b(input, output).unwrap();
 
-    let const6 = &[0u8;32]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const6 = &[0u8;32]; // $ Alert[rust/hard-coded-cryptographic-value]
     let aes_cipher6 = cfb_mode::Encryptor::<aes::Aes256>::new(const6.into(), iv.into()); // $ Sink
     _ = aes_cipher6.encrypt_b2b(input, output).unwrap();
 
-    let const7 = &[0u8; 16]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let const7 = &[0u8; 16]; // $ Alert[rust/hard-coded-cryptographic-value]
     let aes_cipher7 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), const7.into()); // $ Sink
     _ = aes_cipher7.encrypt_b2b(input, output).unwrap();
 
@@ -91,18 +91,18 @@ fn test_block_cipher_aes(
     let aes_cipher8 = cfb_mode::Encryptor::<aes::Aes256>::new(key8.into(), iv.into());
     _ = aes_cipher8.encrypt_b2b(input, output).unwrap();
 
-    let key9: &[u8] = "1234567890123456".as_bytes(); // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
+    let key9: &[u8] = "1234567890123456".as_bytes(); // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
     let aes_cipher9 = cfb_mode::Encryptor::<aes::Aes256>::new(key9.into(), iv.into());
     _ = aes_cipher9.encrypt_b2b(input, output).unwrap();
 
     let key10: [u8; 32] = match base64::engine::general_purpose::STANDARD.decode(key_str) {
         Ok(x) => x.try_into().unwrap(),
-        Err(_) => "1234567890123456".as_bytes().try_into().unwrap() // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
+        Err(_) => "1234567890123456".as_bytes().try_into().unwrap() // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
     };
     let aes_cipher10 = Aes256::new(&key10.into());
     aes_cipher10.encrypt_block(block128.into());
 
-    if let Ok(const11) = base64::engine::general_purpose::STANDARD.decode("1234567890123456") { // $ MISSING: Alert[rust/hardcoded-cryptographic-value]
+    if let Ok(const11) = base64::engine::general_purpose::STANDARD.decode("1234567890123456") { // $ MISSING: Alert[rust/hard-coded-cryptographic-value]
         let key11: [u8; 32] = const11.try_into().unwrap();
         let aes_cipher11 = Aes256::new(&key11.into());
         aes_cipher11.encrypt_block(block128.into());
@@ -121,14 +121,14 @@ fn test_aes_gcm(
     let cipher1 = Aes256Gcm::new(&key1);
     let _ = cipher1.encrypt(&nonce1, b"plaintext".as_ref()).unwrap();
 
-    let key2: [u8;32] = [0;32]; // $ Alert[rust/hardcoded-cryptographic-value]
-    let nonce2 = [0;12]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let key2: [u8;32] = [0;32]; // $ Alert[rust/hard-coded-cryptographic-value]
+    let nonce2 = [0;12]; // $ Alert[rust/hard-coded-cryptographic-value]
     let cipher2 = Aes256Gcm::new(&key2.into()); // $ Sink
     let _ = cipher2.encrypt(&nonce2.into(), b"plaintext".as_ref()).unwrap(); // $ Sink
 
-    let key3_array: &[u8;32] = &[0xff;32]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let key3_array: &[u8;32] = &[0xff;32]; // $ Alert[rust/hard-coded-cryptographic-value]
     let key3 = Key::<Aes256Gcm>::from_slice(key3_array);
-    let nonce3: [u8;12] = [0xff;12]; // $ Alert[rust/hardcoded-cryptographic-value]
+    let nonce3: [u8;12] = [0xff;12]; // $ Alert[rust/hard-coded-cryptographic-value]
     let cipher3 = Aes256Gcm::new(&key3); // $ Sink
     let _ = cipher3.encrypt(&nonce3.into(), b"plaintext".as_ref()).unwrap(); // $ Sink