java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding

Community Favorite
profile photo of semgrepsemgrep
Author
50,751
Download Count*
LGPL Commons Clause
License

Using RSA without OAEP mode weakens the encryption.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: rsa-no-padding
    metadata:
      functional-categories:
        - crypto::search::mode::javax.crypto
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING
      references:
        - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
        - kotlin
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: Using RSA without OAEP mode weakens the encryption.
    severity: WARNING
    languages:
      - java
      - kt
    pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/")

Examples

rsa-no-padding.java

class RSAPadding {
  public void rsaNoPadding() {
    // ruleid: rsa-no-padding
    Cipher.getInstance("RSA/NONE/NoPadding");
  }

  public void rsaNoPadding2() {
    // ruleid: rsa-no-padding
    useCipher(Cipher.getInstance("RSA/None/NoPadding"));
  }

  public void rsaPadding() {
    // ok: rsa-no-padding
    Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
  }
}