-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create main.java #2
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prisma Cloud has found errors in this PR ⬇️
public void doFilter(ServletRequest request) throws IOException, | ||
ServletException { | ||
if (request instanceof HttpServletRequest) { | ||
javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding" ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Integrity of the data during transmission is not being verified
File: main.java | Checkov ID: CKV3_SAST_12
Description
CWE: CWE-353: Missing Support for Integrity Check
OWASP: A08:2021 - Software and Data Integrity Failures
This violation is indicating that the cipher being used for encryption does not provide an integrity check to validate that the encrypted data has not been tampered with. Specifically, it flags the use of AES and DES (or triple DES) in ECB (Electronic Codebook) mode and the use of CBC (Cipher Block Chaining) mode with PKCS5 padding, which do not inherently provide integrity checks.
When these ciphers are used without an additional mechanism to ensure the integrity of the data, it makes the encrypted data susceptible to alterations by an adversary without detection, presenting a security concern.
Example violating code:
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class Main {
public static void main(String[] args) throws Exception {
SecretKeySpec key = new SecretKeySpec("1234567812345678".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
}
}
In the example above, AES encryption with CBC mode and PKCS5Padding is being used, which doesn't provide an integrity check on the encrypted data.
class Connector4 { | ||
@javax.jws.WebMethod | ||
void connect(HttpServletRequest req){ | ||
javax.crypto.Cipher.getInstance("DES/CBC/NoPadding" ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsafe DES algorithm used
File: main.java | Checkov ID: CKV3_SAST_17
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy is warning against the use of the Data Encryption Standard (DES) encryption algorithm in Java applications. DES, including its variant Triple DES (3DES or DESede), has been found to be insecure against sufficiently equipped attackers due to its relatively small key size. NIST (the National Institute of Standards and Technology) recommends using the AES (Advanced Encryption Standard) block cipher instead.
Here's an example of violating code:
import javax.crypto.Cipher;
public class Encryption {
public byte[] encryptData(byte[] data, SecretKey key) throws Exception {
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, key);
return cipher.doFinal(data);
}
}
In this code snippet, the Cipher.getInstance
method is called with "DES" as an argument, indicating that DES encryption is being used.
int currentHour = calendar.get(Calendar.HOUR_OF_DAY); | ||
return ACCESS_ABSTAIN; //Noncompliant | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Authorization is not robust
File: main.java | Checkov ID: CKV3_SAST_26
Description
CWE: CWE-285: Improper Authorization
OWASP: A01:2021 - Broken Access Control
This policy aims to ensure that the authorization process within an application is robust and not subject to vulnerabilities. Authorization decisions should be robust and depend on strong variables such as user authentication, roles, privileges, location, and time of access.
Example of violating code:
public class WeakVoter implements AccessDecisionVoter {
@Override
public int vote(SecurityContext context) {
// Weak decision
return ACCESS_ABSTAIN;
}
}
This code is problematic because it abstains from making a strong authorization decision, potentially allowing unauthorized access.
|
||
class MyBadImplementation extends java.security.MessageDigest { | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsafe custom MessageDigest is implemented
File: main.java | Checkov ID: CKV3_SAST_13
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
Flag any custom classes that extend the java.security.MessageDigest
class. MessageDigest
is a Java class used for calculating message digests, also known as checksums or cryptographic hash functions. By extending MessageDigest
, a developer could be creating a custom cryptographic hash function, which is generally considered error-prone and a bad practice.
Cryptography is a complex field and implementing a secure and reliable cryptographic hash function requires specific expertise. Improperly implemented hash functions can have vulnerabilities that can be exploited, leading to significant security risks.
Example of violating code:
import java.security.MessageDigest;
public class CustomDigest extends MessageDigest {
public CustomDigest() {
super("CustomDigest");
}
// ... custom implementation ...
}
In the example above, a custom MessageDigest
is being created, which would be flagged.
@javax.jws.WebMethod | ||
void connect(HttpServletRequest req){ | ||
Keygen keygen = javax.crypto.KeyGenerator.getInstance("Blowfish" ); | ||
keygen.init(100 ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Encryption keys with less than 128 bits
File: main.java | Checkov ID: CKV3_SAST_18
Description
CWE: CWE-326: Inadequate Encryption Strength
OWASP: A02:2021 - Cryptographic Failures
The policy is cautioning against the use of small key sizes for encryption, in particular with the Blowfish encryption algorithm. The key size should be at least 128 bits to ensure sufficient resistance against brute force attacks, where an attacker systematically checks all possible keys to decrypt the encrypted data.
An example of violating code could be:
import javax.crypto.KeyGenerator;
public class KeyGen {
public void generateKey() throws Exception {
KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
keyGen.init(64); // Violates the policy.
}
}
In this code snippet, the KeyGenerator.init
method is called with 64
, indicating a 64-bit key size is being used for Blowfish, which is smaller than the recommended 128 bits.
public void doFilter(ServletRequest request) throws IOException, | ||
ServletException { | ||
if (request instanceof HttpServletRequest) { | ||
javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding" ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use of a broken or risky cryptographic algorithm
File: main.java | Checkov ID: CKV3_SAST_148
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy detects the use of a broken or risky cryptographic algorithm in Java code. The use of these algorithms can introduce vulnerabilities that could be exploited by attackers to tamper with ciphertext and compromise the security of the system.
Vulnerable code example:
Cipher.getInstance("DES");
The above code example uses the "DES" cryptographic algorithm, which is considered weak and vulnerable to attack. It does not provide built-in message integrity, making it easier for an adversary to tamper with the ciphertext and potentially decrypt the data.
class Connector4 { | ||
@javax.jws.WebMethod | ||
void connect(HttpServletRequest req){ | ||
javax.crypto.Cipher.getInstance("DES/CBC/NoPadding" ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use of a broken or risky cryptographic algorithm
File: main.java | Checkov ID: CKV3_SAST_148
Description
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP: A02:2021 - Cryptographic Failures
This policy detects the use of a broken or risky cryptographic algorithm in Java code. The use of these algorithms can introduce vulnerabilities that could be exploited by attackers to tamper with ciphertext and compromise the security of the system.
Vulnerable code example:
Cipher.getInstance("DES");
The above code example uses the "DES" cryptographic algorithm, which is considered weak and vulnerable to attack. It does not provide built-in message integrity, making it easier for an adversary to tamper with the ciphertext and potentially decrypt the data.
@javax.jws.WebMethod | ||
void connect(HttpServletRequest req){ | ||
Cookie cook = new Cookie("cookie" ); | ||
cook.setMaxAge(31536000 ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cookie stored for an extended period of time
File: main.java | Checkov ID: CKV3_SAST_20
Description
CWE: CWE-539: Information Exposure Through Persistent Cookies
OWASP: A04:2021 - Insecure Design
This policy refers to the practice of setting cookies to persist for an extended period of time. The value of 31536000
seconds corresponds to one year. If a cookie, especially one containing sensitive data, is set to persist for a year or more, it can increase the risk of data exposure or account compromise, especially if the user's system is compromised or the cookie is otherwise mishandled.
Here is an example of a violating code:
import javax.servlet.http.Cookie;
public class PersistentCookieCreator {
public void createCookie(javax.servlet.http.HttpServletResponse response) {
Cookie myCookie = new Cookie("user", "john");
myCookie.setMaxAge(31536000); // Cookie is set to persist for one year
response.addCookie(myCookie);
}
}
In the above code, a new cookie is being created and the maximum age of the cookie is being set to one year. This means the cookie will persist for that duration, even if the user closes the browser or restarts the system.
|
||
@Override | ||
protected void configure(HttpSecurity http) throws Exception { | ||
http.csrf().ignoringAntMatchers("/route/fre" ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CSRF is Disabled
File: main.java | Checkov ID: CKV3_SAST_25
Description
CWE: CWE-352: Cross-site forgery
OWASP: A01:2021 - Broken Access Control
This policy aims to prevent the disabling of Cross-Site Request Forgery (CSRF) protection in web applications. CSRF is an attack that tricks the victim into submitting a malicious request. Since web browsers automatically include cookies, the actions can be authenticated and sensitive if CSRF protection is disabled.
Example of violating code:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
public class SecurityConfig {
public void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
// OR
http.csrf().ignoringAntMatchers("/api/*");
}
}
This code is problematic because it disables CSRF protection entirely or for specific URL patterns, leaving the application vulnerable to CSRF attacks.
public class Decorator1 { | ||
|
||
public static void main(String[] args) { | ||
org.apache.commons.io.FilenameUtils.normalize(args[0]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pathname input not restricted
File: main.java | Checkov ID: CKV3_SAST_43
Description
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP: A01:2021 - Broken Access Control
This policy identifies potential risks in Java applications where file-related functions from the Apache Commons IO library might be used without properly filtering input parameters. Without filtering, there's a risk that an attacker could read files from arbitrary filesystem locations, leading to unauthorized data access or information disclosure. Such vulnerabilities are commonly referred to as path traversal or directory traversal attacks.
Specifically, this policy checks for the usage of methods like:
normalize()
getExtension()
isExtensions()
getName()
getBaseName()
and their fully qualified counterparts in theorg.apache.commons.io.FilenameUtils
class.
Example of violating code:
import static org.apache.commons.io.FilenameUtils;
String userFilePath = getUserInput();
String normalizedPath = normalize(userFilePath);
No description provided.