java.lang.security.audit.crypto.no-null-cipher.no-null-cipher

Verified by r2c
Community Favorite
Author: semgrep
Download count: 121,021

NullCipher was detected. It performs no encryption: the ciphertext it produces is byte-for-byte identical to the plaintext, so any data "protected" with it is exposed. Use a valid, secure cipher instead, for example Cipher.getInstance("AES/CBC/PKCS7PADDING"). Note that the stock JDK providers register this padding under the name "PKCS5Padding" (the rule's own test file below uses "AES/CBC/PKCS5Padding"); the "PKCS7Padding" spelling only resolves when a third-party provider such as Bouncy Castle is installed. An authenticated mode such as "AES/GCM/NoPadding" is preferable to CBC, which on its own gives no integrity protection. See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
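The following is an added example; it is not part of the Semgrep rule, its test fixture, or any project code. It shows the pass-through behaviour the rule flags (NullCipher output equals its input) beside a hardened replacement using AES-GCM, which both encrypts and authenticates, and demonstrates that a single flipped ciphertext byte is rejected on decryption. The class name NullCipherDemo, the nonce-prefixed output layout, and the sample plaintext are assumptions made for this demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NullCipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class NullCipherDemo {

    private static final int NONCE_LEN = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;   // full-length authentication tag

    // The anti-pattern the rule detects: NullCipher is a pass-through and needs no init().
    static byte[] nullCipherEncrypt(byte[] plaintext) throws Exception {
        Cipher cipher = new NullCipher();
        return cipher.doFinal(plaintext);
    }

    // Hardened form: AES-GCM with a fresh random nonce per message.
    // Output layout (assumption for this demo): nonce || ciphertext || tag.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    // Decrypts the nonce-prefixed blob; throws AEADBadTagException if anything was modified.
    static byte[] aesGcmDecrypt(SecretKey key, byte[] blob) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demo.
        byte[] plaintext = "attack at dawn".getBytes(StandardCharsets.UTF_8);

        byte[] nullOut = nullCipherEncrypt(plaintext);
        System.out.println("NullCipher output equals input: " + Arrays.equals(plaintext, nullOut));

        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey();

        byte[] blob = aesGcmEncrypt(key, plaintext);
        byte[] ctOnly = Arrays.copyOfRange(blob, NONCE_LEN, NONCE_LEN + plaintext.length);
        System.out.println("AES-GCM ciphertext equals input: " + Arrays.equals(plaintext, ctOnly));
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(plaintext, aesGcmDecrypt(key, blob)));

        // Flip one bit of the stored blob: the GCM tag check must reject it.
        blob[blob.length - 1] ^= 0x01;
        try {
            aesGcmDecrypt(key, blob);
            System.out.println("tampering NOT detected (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

Running the class prints true for the NullCipher comparison and false for the AES-GCM one, then reports that the tampered blob was rejected. In real code the key would come from a key store or KMS rather than being generated in main(), and the nonce must never be reused with the same key.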

Definition

rules:
  - id: no-null-cipher
    patterns:
      - pattern-either:
          - pattern: new NullCipher(...);
          - pattern: new javax.crypto.NullCipher(...);
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: 'NullCipher was detected. This will not encrypt anything; the cipher
      text will be the same as the plain text. Use a valid, secure cipher:
      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information.'
    severity: WARNING
    languages:
      - java

Examples

no-null-cipher.java

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NullCipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

class Cls {

    public Cls() {
        System.out.println("Hello");
    }

    public byte[] test1(String plainText) throws Exception {
        // ruleid: no-null-cipher
        javax.crypto.NullCipher nullCipher = new javax.crypto.NullCipher();
        // ruleid: no-null-cipher
        Cipher doNothingCipher = new NullCipher();
        // NullCipher needs no init(); the "ciphertext" produced is identical to the plaintext.
        byte[] cipherText = doNothingCipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        return cipherText;
    }

    public byte[] test2(String plainText) throws Exception {
        // ok: no-null-cipher
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // A real cipher must be initialised with a key and a random IV before doFinal().
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        cipher.init(Cipher.ENCRYPT_MODE, keyGen.generateKey(), new IvParameterSpec(iv));
        byte[] cipherText = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        return cipherText;
    }

    public void test3(String plainText) throws Exception {
        // ruleid: no-null-cipher
        useCipher(new NullCipher());
    }

    private static void useCipher(Cipher cipher) throws Exception {
        // sast should complain about the hard-coded key
        // (6 bytes is also not a valid AES key length; only NullCipher, which ignores the key, accepts it)
        SecretKey key = new SecretKeySpec("secret".getBytes(StandardCharsets.UTF_8), "AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plainText  = "aeiou".getBytes(StandardCharsets.UTF_8);
        byte[] cipherText = cipher.doFinal(plainText);
        System.out.println(new String(cipherText, StandardCharsets.UTF_8));
    }
}