kotlin.lang.security.no-null-cipher.no-null-cipher

Author: semgrep

NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.


Definition

rules:
  - id: no-null-cipher
    pattern: NullCipher(...)
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - kotlin
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      vulnerability_class:
        - Cryptographic Issues
    message: 'NullCipher was detected. This will not encrypt anything; the cipher
      text will be the same as the plain text. Use a valid, secure cipher:
      Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information.'
    severity: WARNING
    languages:
      - kt
      - scala

Examples

no-null-cipher.kt

import javax.crypto.Cipher
import javax.crypto.NullCipher
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec

class Cls {
    public fun test1(plainText: String): ByteArray {
        // ruleid: no-null-cipher
        val doNothingCipher: Cipher = NullCipher()
        // The ciphertext produced will be identical to the plaintext.
        val cipherText: ByteArray = doNothingCipher.doFinal(plainText.toByteArray())
        return cipherText
    }

    public fun test2(plainText: String, key: ByteArray, iv: ByteArray): ByteArray {
        // ok: no-null-cipher
        val cipher: Cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        // Key and IV are supplied by the caller; the IV must be fresh and random per message.
        cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(key, "AES"), IvParameterSpec(iv))
        val cipherText: ByteArray = cipher.doFinal(plainText.toByteArray())
        return cipherText
    }
}
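The following is an added, stand-alone Kotlin program, not part of the Semgrep rule or its test file. It demonstrates the failure mode the rule flags (NullCipher returns bytes identical to its input) next to a properly initialised AES/CBC cipher that produces different bytes and round-trips through decryption. The function names, the IV-prefixed output layout and the sample message are this example's own choices. It uses PKCS5Padding because that is the name the default JDK provider (SunJCE) accepts; the PKCS7PADDING spelling in the rule message needs a provider such as Bouncy Castle.

```kotlin
// Added example: NullCipher output versus real AES/CBC encryption.
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.NullCipher
import javax.crypto.SecretKey
import javax.crypto.spec.IvParameterSpec

// "Encrypts" with NullCipher: the returned bytes are identical to the input.
fun nullCipherOutput(plain: ByteArray): ByteArray = NullCipher().doFinal(plain)

// Real encryption with a fresh random 16-byte IV for every message.
// Returns IV || ciphertext so the receiver can recover the IV.
fun aesCbcEncrypt(key: SecretKey, plain: ByteArray): ByteArray {
    val iv = ByteArray(16).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
    return iv + cipher.doFinal(plain)
}

// Inverse of aesCbcEncrypt: splits off the IV prefix and decrypts the remainder.
fun aesCbcDecrypt(key: SecretKey, blob: ByteArray): ByteArray {
    require(blob.size > 16) { "blob too short to contain an IV" }
    val iv = blob.copyOfRange(0, 16)
    val body = blob.copyOfRange(16, blob.size)
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.DECRYPT_MODE, key, IvParameterSpec(iv))
    return cipher.doFinal(body)
}

fun main() {
    // Constructed sample input for the demonstration.
    val message = "constructed sample message".toByteArray()

    // NullCipher: the "ciphertext" equals the plaintext, which is what the rule flags.
    val fake = nullCipherOutput(message)
    check(fake.contentEquals(message))
    println("NullCipher output == plaintext: ${fake.contentEquals(message)}")

    // AES/CBC: ciphertext differs from plaintext and decrypts back to it.
    val key = KeyGenerator.getInstance("AES").apply { init(128) }.generateKey()
    val blob = aesCbcEncrypt(key, message)
    check(!blob.copyOfRange(16, blob.size).contentEquals(message))
    check(aesCbcDecrypt(key, blob).contentEquals(message))
    println("AES/CBC ciphertext differs from plaintext and round-trips correctly")
}
```

AES/CBC is what the rule message recommends; note that it provides confidentiality only, with no integrity protection, so where tampering with ciphertext is a concern an AEAD mode such as AES/GCM/NoPadding is the usual choice.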