contrib.nodejsscan.crypto_node.node_aes_ecb

profile photo of returntocorpreturntocorp
Author
99
Download Count*
GPLv3
License

AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: node_aes_ecb
    patterns:
      - pattern-either:
          - pattern: |
              $X.createCipheriv("=~/aes-([0-9]+)-ecb/", ...)
          - pattern: |
              $X.createDecipheriv("=~/aes-([0-9]+)-ecb/", ...)
    message: AES with ECB mode is deterministic in nature and not suitable for
      encrypting large amount of repetitive data.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A09:2017 - Using Components with Known Vulnerabilities
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      category: security
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

crypto_node.js

var key = new Buffer('8CBDEC62EB4DCA778F842B02503011B2', 'hex')
var src = new Buffer('0002123401010100000000000000c631', 'hex')
// ruleid:node_aes_ecb
cipher = crypto.createCipheriv("aes-128-ecb", key, '')
cipher.setAutoPadding(false)
result = cipher.update(src).toString('hex');
result += cipher.final().toString('hex');
"result   : " + result

// ruleid:node_sha1
require("crypto")
    .createHash("sha1")
    .update("Man oh man do I love node!")
    .digest("hex");

// ruleid:node_md5
require("crypto")
    .createHash("md5")
    .update("Man oh man do I love node!")
    .digest("hex");

function encrypt(text) {
    let iv = crypto.randomBytes(IV_LENGTH);
    // ruleid:node_aes_ecb
    let cipher = crypto.createCipheriv('aes-256-ecb', Buffer.from(ENCRYPTION_KEY), iv);
    // ruleid:node_aes_ecb
    let cipher = crypto.createCipheriv('aes-192-ecb', Buffer.from(ENCRYPTION_KEY), iv);
    // ruleid:node_aes_ecb
    let cipher = crypto.createCipheriv('aes-128-ecb', Buffer.from(ENCRYPTION_KEY), iv);
    let encrypted = cipher.update(text);

    encrypted = Buffer.concat([encrypted, cipher.final()]);

    return iv.toString('hex') + ':' + encrypted.toString('hex');
}

function decrypt(text) {
    let textParts = text.split(':');
    let iv = Buffer.from(textParts.shift(), 'hex');
    let encryptedText = Buffer.from(textParts.join(':'), 'hex');
    // ruleid:node_aes_ecb
    let decipher = crypto.createDecipheriv('aes-128-ecb', Buffer.from(ENCRYPTION_KEY), iv);
    let decrypted = decipher.update(encryptedText);
}

// ruleid:node_insecure_random_generator
crypto.pseudoRandomBytes(1); // <Buffer 45>
//Math based random insecure
// ruleid:node_insecure_random_generator
const val = Math.random();

// ruleid:node_weak_crypto
var des = crypto.createCipher('des', key);