/**
 * @name Hard-coded encryption key
 * @description Using a hard-coded value (a string or byte-array literal) as the key of a
 *              symmetric algorithm, via its Key property or an rgbKey parameter, lets anyone
 *              with access to the source or the compiled binary recover the key and decrypt
 *              or forge the protected data.
 * @kind problem
 * @id cs/hardcoded-key
 * @problem.severity error
 * @security-severity 8.1
 * @tags security
 *       external/cwe/cwe-320
 *       external/cwe/cwe-321
 */
/*
* consider: @precision high
*/
import csharp
import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlowQuery
/**
 * A byte-array creation expression that carries an initializer list, such as
 * `new byte[] { 0x01, 0x02, ... }`, treated as a source of key material.
 *
 * Only creations with an initializer are included: a bare `new byte[32]` has no
 * literal content and is commonly allocated empty and filled by an RNG afterwards
 * (presumably why it is left out — confirm against the taint configuration).
 * Initializer elements are not required to be literals, so `new byte[] { a, b }`
 * also qualifies as a source.
 */
class ByteArrayLiteralSource extends KeySource {
  ByteArrayLiteralSource() {
    exists(ArrayCreation creation |
      creation = this.asExpr() and
      creation.hasInitializer() and
      creation.getArrayType().getElementType() instanceof ByteType
    )
  }
}
/**
 * Any string literal, treated as a source of key material.
 *
 * No restriction is placed on the literal's content or length (the empty string
 * matches too). Whether intermediate steps such as an `Encoding.GetBytes` call
 * between the literal and the key sink preserve the flow is decided by
 * `SymmetricKeyTaintTrackingConfiguration`, which is imported and not shown here.
 */
class StringLiteralSource extends KeySource {
  StringLiteralSource() { exists(StringLiteral lit | lit = this.asExpr()) }
}
/*
 * Report every symmetric-key sink reached by a `KeySource` — the two literal
 * classes declared above plus any sources the imported library itself declares.
 * The alert is placed on the sink; the `$@` placeholder in the message becomes a
 * link to `source`, labelled "symmetric key".
 */
from SymmetricKeyTaintTrackingConfiguration config, KeySource source, SymmetricEncryptionKeySink sink
where config.hasFlow(source, sink)
select sink, "Hard-coded $@ is used in symmetric algorithm in " + sink.getDescription(), source,
  "symmetric key"