kotlin.lang.security.ecb-cipher.ecb-cipher


Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time, which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.

Definition

rules:
  - id: ecb-cipher
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE
      category: security
      technology:
        - kotlin
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      vulnerability_class:
        - Cryptographic Issues
    message: Cipher in ECB mode is detected. ECB mode produces the same output for
      the same input each time which allows an attacker to intercept and replay
      the data. Further, ECB mode does not provide any integrity checking. See
      https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
    severity: WARNING
    languages:
      - kt
    patterns:
      - pattern-either:
          - pattern: |
              val $VAR : Cipher = $CIPHER.getInstance($MODE)
          - pattern: |
              var $VAR : Cipher = $CIPHER.getInstance($MODE)
          - pattern: |
              val $VAR = $CIPHER.getInstance($MODE)
          - pattern: |
              var $VAR = $CIPHER.getInstance($MODE)
      - metavariable-regex:
          metavariable: $MODE
          regex: .*ECB.*

Examples

ecb-cipher.kt

import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

class ECBCipher {
  // Constructed fixtures so the file compiles and runs: a 16-byte AES key,
  // a random 12-byte GCM nonce and a 16-byte plaintext (AES/ECB/NoPadding
  // only accepts whole 16-byte blocks).
  private val k = SecretKeySpec(ByteArray(16) { it.toByte() }, "AES")
  private val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }
  private val plainText = "sixteen byte msg".toByteArray()

  public fun ecbCipher(): ByteArray {
    // ruleid: ecb-cipher
    val c: Cipher = Cipher.getInstance("AES/ECB/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, k) // ECB takes no IV; the JCE rejects one
    val cipherText = c.doFinal(plainText)
    return cipherText
  }

  public fun ecbCipher2(): ByteArray {
    // ruleid: ecb-cipher
    var c = Cipher.getInstance("AES/ECB/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, k)
    val cipherText = c.doFinal(plainText)
    return cipherText
  }

  public fun noEcbCipher(): ByteArray {
    // ok: ecb-cipher
    var c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, k, GCMParameterSpec(128, iv)) // 128-bit auth tag
    val cipherText = c.doFinal(plainText)
    return cipherText
  }
}
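To show concretely the two properties the rule message warns about (ECB returns identical ciphertext blocks for identical plaintext blocks, and provides no integrity check that GCM does provide), here is an added Kotlin example; it is not part of the Semgrep rule or its test file, and the key and plaintext are constructed values.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// Constructed key and plaintext: the plaintext is two identical 16-byte blocks.
val key = SecretKeySpec(ByteArray(16) { (it * 7).toByte() }, "AES")
val plain = "sixteen byte msg".repeat(2).toByteArray()

/** ECB: identical plaintext blocks encrypt to identical ciphertext blocks. */
fun ecbBlocksRepeat(): Boolean {
    val c = Cipher.getInstance("AES/ECB/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, key)
    val ct = c.doFinal(plain)
    return ct.copyOfRange(0, 16).contentEquals(ct.copyOfRange(16, 32))
}

/** GCM: a fresh nonce hides the repetition, and a flipped byte fails the tag check. */
fun gcmDetectsTampering(): Boolean {
    val nonce = ByteArray(12).also { SecureRandom().nextBytes(it) }
    val enc = Cipher.getInstance("AES/GCM/NoPadding")
    enc.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, nonce))
    val ct = enc.doFinal(plain)
    val repeats = ct.copyOfRange(0, 16).contentEquals(ct.copyOfRange(16, 32))
    ct[0] = (ct[0].toInt() xor 0x01).toByte() // simulate in-transit corruption
    val dec = Cipher.getInstance("AES/GCM/NoPadding")
    dec.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, nonce))
    return try {
        dec.doFinal(ct)
        false // tampered data was accepted: integrity check missing
    } catch (e: AEADBadTagException) {
        !repeats // rejected, and the ciphertext blocks did not repeat
    }
}

fun main() {
    println("ECB repeats identical blocks: ${ecbBlocksRepeat()}")
    println("GCM rejects tampered data:    ${gcmDetectsTampering()}")
}
```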