java.lang.security.audit.crypto.no-null-cipher.no-null-cipher

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
121,021
Download Count*

NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.

Run Locally

Run in CI

Defintion

rules:
  - id: no-null-cipher
    patterns:
      - pattern-inside: |
          $CI = new NullCipher(...);
          ...
      - pattern-either:
          - pattern: $CI.doFinal(...)
          - pattern: $CI.update(...)
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: 'NullCipher was detected. This will not encrypt anything; the cipher
      text will be the same as the plain text. Use a valid, secure cipher:
      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information.'
    severity: WARNING
    languages:
      - java

Examples

no-null-cipher.java

import java.lang.Runtime;

class Cls {

    public Cls() {
        System.out.println("Hello");
    }

    public byte[] test1(String plainText) {
        Cipher doNothingCihper = new NullCipher();
        //The ciphertext produced will be identical to the plaintext.
        // ruleid: no-null-cipher
        byte[] cipherText = doNothingCihper.doFinal(plainText);
        return cipherText;
    }

    public void test2(String plainText) {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // ok: no-null-cipher
        byte[] cipherText = cipher.doFinal(plainText);
        return cipherText;
    }
}