php.lang.security.mcrypt-use.mcrypt-use

Author: semgrep
Downloads: 4,191

Mcrypt functionality has been deprecated and/or removed in recent PHP versions. Consider using Sodium or OpenSSL.


Definition

rules:
  - id: mcrypt-use
    patterns:
      - pattern: $FUNC(...);
      - metavariable-regex:
          metavariable: $FUNC
          regex: (mcrypt_|mdecrypt_).+
    message: Mcrypt functionality has been deprecated and/or removed in recent PHP
      versions. Consider using Sodium or OpenSSL.
    metadata:
      cwe:
        - "CWE-676: Use of Potentially Dangerous Function"
      references:
        - https://www.php.net/manual/en/intro.mcrypt.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php
      category: security
      technology:
        - php
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Dangerous Method or Function
    languages:
      - php
    severity: ERROR

Examples

mcrypt-use.php

<?php

// ruleid: mcrypt-use
mcrypt_ecb(MCRYPT_BLOWFISH, $key, base64_decode($input), MCRYPT_DECRYPT);

// ruleid: mcrypt-use
mcrypt_create_iv($iv_size, MCRYPT_RAND);

// ruleid: mcrypt-use
mdecrypt_generic($td, $c_t);

// ok: mcrypt-use
sodium_crypto_secretbox("Hello World!", $nonce, $key);

// ok: mcrypt-use
openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv, $tag);
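The example file above only shows the calls the rule matches. As an added illustration (not part of the Semgrep rule or its test file), the following shows the kind of legacy mcrypt_ecb code the rule flags next to a Sodium replacement using sodium_crypto_secretbox, which adds a per-message random nonce and an authentication tag; the helper names are assumptions chosen for this example.

```php
<?php
// Added example: migrating a flagged mcrypt_ecb call to Sodium (PHP >= 7.2).

// Legacy form the rule reports. ECB mode leaks plaintext structure, there is
// no integrity check, and MCRYPT_RAND is not a cryptographic RNG. Kept only
// for comparison; mcrypt is removed from PHP core and this will not run.
function legacy_encrypt(string $key, string $plaintext): string
{
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);
    return base64_encode(mcrypt_ecb(MCRYPT_BLOWFISH, $key, $plaintext, MCRYPT_ENCRYPT, $iv));
}

// Replacement: XSalsa20-Poly1305 via sodium_crypto_secretbox. Output is
// base64(nonce || ciphertext || MAC) so the receiver can recover the nonce.
function secretbox_encrypt(string $key, string $plaintext): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    // A fresh nonce per message from the OS CSPRNG; never reuse one with the same key.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function secretbox_decrypt(string $key, string $encoded): string
{
    $raw = base64_decode($encoded, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // MAC verification failed: wrong key or tampered data. Return nothing partial.
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Usage on a constructed message: round trip succeeds, a flipped byte is rejected.
$key = sodium_crypto_secretbox_keygen();
$token = secretbox_encrypt($key, 'Hello World!');
assert(secretbox_decrypt($key, $token) === 'Hello World!');
$tampered = base64_decode($token, true);
$tampered[SODIUM_CRYPTO_SECRETBOX_NONCEBYTES] = chr(ord($tampered[SODIUM_CRYPTO_SECRETBOX_NONCEBYTES]) ^ 0x01);
try {
    secretbox_decrypt($key, base64_encode($tampered));
    assert(false, 'tampered ciphertext must not decrypt');
} catch (RuntimeException $e) {
    // expected: authentication failure
}
```

Running this file with `php -d zend.assertions=1` exercises both the successful round trip and the tamper check.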