php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate

Author
unknown
The function openssl_decrypt returns either a string of the decrypted data on success or false on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where openssl_decrypt returns false.
Definition
rules:
  - id: openssl-decrypt-validate
    patterns:
      - pattern: openssl_decrypt(...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          if($DECRYPTED_STRING === false){
            ...
          }
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          if($DECRYPTED_STRING == false){
            ...
          }
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          if(false === $DECRYPTED_STRING){
            ...
          }
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          if(false == $DECRYPTED_STRING){
            ...
          }
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          assertTrue(false !== $DECRYPTED_STRING,...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          assertTrue($DECRYPTED_STRING !== false,...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          $REFERENCE::assertTrue(false !== $DECRYPTED_STRING,...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          $REFERENCE::assertTrue($DECRYPTED_STRING !== false,...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          assert(false !== $DECRYPTED_STRING,...);
      - pattern-not-inside: |
          $DECRYPTED_STRING = openssl_decrypt(...);
          ...
          assert($DECRYPTED_STRING !== false,...);
    message: The function `openssl_decrypt` returns either a string of the decrypted
      data on success or `false` on failure. If the failure case is not handled,
      this could lead to undefined behavior in your application. Please handle
      the case where `openssl_decrypt` returns `false`.
    languages:
      - php
    severity: WARNING
    metadata:
      references:
        - https://www.php.net/manual/en/function.openssl-decrypt.php
      cwe:
        - "CWE-252: Unchecked Return Value"
      owasp:
        - A02:2021 - Cryptographic Failures
      technology:
        - php
        - openssl
      category: security
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
openssl-decrypt-validate.php
<?php
class OpenSslTest {
    public static function decrypt_test_1($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ruleid: openssl-decrypt-validate
        $data = openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
        return $data;
    }

    public static function decrypt_test_2($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ruleid: openssl-decrypt-validate
        $data = openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
        if ($data == true) {
            return "";
        }
        return $data;
    }

    public static function decrypt_test_3($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ruleid: openssl-decrypt-validate
        return openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
    }

    public static function decrypt_test_ok($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ok: openssl-decrypt-validate
        $data = openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
        if ($data == false) {
            return "";
        }
        return $data;
    }

    public static function decrypt_test_ok_2($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ok: openssl-decrypt-validate
        $data = openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
        if (false === $data) {
            return "";
        }
        return $data;
    }

    public static function decrypt_test_ok_3($crypt, $ky) {
        $key = html_entity_decode($ky);
        $iv = "@@@@&&&&####$$$$";
        // ok: openssl-decrypt-validate
        $data = openssl_decrypt($crypt, "AES-128-CBC", $key, 0, $iv);
        assertTrue(false !== $data);
        return $data;
    }
}
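The following is an added, runnable illustration of what the rule is checking for; it is not part of the rule's test file above. It shows an unchecked decrypt helper next to a checked one, and forces a deterministic failure (a ciphertext whose raw length is not a multiple of the AES block size) so that openssl_decrypt returns false. The key and IV are constructed for the demo with random_bytes; the strict `=== false` comparison is used because `== false` would also match a legitimately empty plaintext.

```php
<?php
// Added example (not from the Semgrep rule's test file): a decrypt helper that
// handles the false return of openssl_decrypt, next to the unchecked version.
// Key and IV below are constructed for this demo only.

declare(strict_types=1);

const CIPHER = 'AES-128-CBC';

// Unchecked: a failure silently becomes bool(false), which later code may
// treat as an empty string (e.g. "" . false === "") and keep processing.
function decryptUnchecked(string $crypt, string $key, string $iv)
{
    return openssl_decrypt($crypt, CIPHER, $key, 0, $iv);
}

// Checked: the strict comparison distinguishes a failed decryption (false)
// from a legitimately empty plaintext (""), which `== false` would not.
function decryptChecked(string $crypt, string $key, string $iv): string
{
    $data = openssl_decrypt($crypt, CIPHER, $key, 0, $iv);
    if ($data === false) {
        throw new RuntimeException(
            'decryption failed: ' . (openssl_error_string() ?: 'unknown error')
        );
    }
    return $data;
}

$key = random_bytes(16);                                // constructed demo key
$iv  = random_bytes(openssl_cipher_iv_length(CIPHER));  // 16 bytes for CBC
$ciphertext = openssl_encrypt('order-1234', CIPHER, $key, 0, $iv);

// Happy path: the checked helper returns the plaintext.
var_dump(decryptChecked($ciphertext, $key, $iv));

// Failure path: drop one byte from the raw ciphertext so its length is no
// longer a multiple of 16. OpenSSL rejects the final block and
// openssl_decrypt returns false; the unchecked helper passes that on as-is.
$truncated = base64_encode(substr(base64_decode($ciphertext), 0, -1));
var_dump(decryptUnchecked($truncated, $key, $iv));

try {
    decryptChecked($truncated, $key, $iv);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```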
Short Link: https://sg.run/kzn7